We have a web server (IIS with ASP.NET) that has a web application deployed to it. Users of the web application can use it to upload files. The web application needs to save the files to another server using a Windows share. A virus scanning engine then accesses the Windows share to scan the uploaded file for viruses. The Windows share is on the virus scanning machine.

The problem: neither the web server nor the virus scanning machine is on the same domain. In fact, they are not part of any domain at all. Therefore it is difficult setting up the share so that the web server can write to it.

What is the best way to establish a trust relationship between the web server and the share on the virus scanning machine so that the web server can write to the share on the virus scanning machine?

(PS The web application is running as NETWORK SERVICE - it is possible that this can be changed too.)

Evan Anderson

2 Answers


Here's one way you could do it:

  • Create an account on the web server for the web service to run as.
  • Create an account with the same username and password on the virus scanning machine.
  • In the NTFS permissions for the shared folder grant the account you created rights to write to the folder.
  • In the share permissions on the shared folder set "Everyone / Full Control".
  • Be sure you have good name resolution between the web server and the machine hosting the shared folder.


I've never used the "impersonate" functionality that sparks refers to in his answer. I don't think this is going to do what you want anyway, seeing as how there isn't a way for a standalone machine to impersonate an account from another standalone machine (or from a domain that the impersonating machine is not a member of).

Evan Anderson
  • Thanks. One question though: what do you mean by good name resolution? Do you mean DNS, or is it something else? – Sir Rippov the Maple Jun 25 '09 at 19:45
  • Good name resolution would be the ability to consistently resolve the NetBIOS or DNS name properly. DNS is typically the most reliable if that is an option you have. Otherwise on a small LAN you should almost always successfully resolve NetBIOS names. – sclarson Jun 25 '09 at 19:50
  • You just want to be sure that the web server can access the File and Print Sharing service on the remote machine via whatever name or IP address your app is using. If you can log on to the web server w/ the account you create and put \\server\sharename in the Start / Run dialog and access the remote server you'll be good to go. – Evan Anderson Jun 25 '09 at 19:50
  • Ahh yes, ghetto domain. – MathewC Jun 25 '09 at 19:52
  • @MatthewC: I prefer to call it the "poor man's trust relationship", but yeah, it's "ghetto domain"... *smile* – Evan Anderson Jun 25 '09 at 19:54
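
The five steps in the answer above, scripted as an added example (not code from the thread or its authors). It assumes PowerShell 5.1 on Windows 8 / Server 2012 R2 or later and an elevated session; the account, share, path and host names are hypothetical placeholders.

```powershell
# Added example: run once on EACH machine. All names are hypothetical.
$User      = 'svc-upload'     # identical local username on both machines
$ShareName = 'ScanDrop'       # share on the virus scanning machine
$SharePath = 'D:\ScanDrop'    # folder behind the share
$ScanHost  = 'SCANHOST'       # name the web server uses to reach the share

# Steps 1 and 2 (both machines): create the matching local account.
# Type the SAME password on both; with no domain, the scan host accepts the
# web server's logon only because name and password match its own account.
$Password = Read-Host -AsSecureString "Password for $User"
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Upload hand-off to AV share' |
        Out-Null
}

if ($env:COMPUTERNAME -eq $ScanHost) {
    # Step 3 (scan host): NTFS permissions. Grant Modify to the upload
    # account only, inherited by files (OI) and subfolders (CI).
    New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
    icacls $SharePath /grant "${User}:(OI)(CI)M" | Out-Null

    # Step 4 (scan host): share permissions "Everyone / Full Control" as in
    # the answer, so the NTFS ACL above is what actually limits access.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $SharePath -FullAccess 'Everyone' |
            Out-Null
    }
    Get-SmbShareAccess -Name $ShareName   # review the resulting share ACL
    icacls $SharePath                     # review the resulting NTFS ACL
}
else {
    # Step 5 (web server): check that the name resolves and SMB is reachable.
    Test-NetConnection -ComputerName $ScanHost -Port 445 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

    # Prove the account can write: map the share with its credentials,
    # create a probe file, then clean up.
    $Cred = New-Object System.Management.Automation.PSCredential(
        "$ScanHost\$User", $Password)
    New-PSDrive -Name Probe -PSProvider FileSystem `
        -Root "\\$ScanHost\$ShareName" -Credential $Cred | Out-Null
    Set-Content -Path 'Probe:\write-test.txt' -Value 'ok'
    Remove-Item -Path 'Probe:\write-test.txt'
    Remove-PSDrive -Name Probe
}
```

Pointing the IIS application pool at the new account in place of NETWORK SERVICE is not shown here.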

If you want authenticated access for the web server machine to the virus scanning machine, you need an account on the virus scanning machine with the proper rights to the share and the filesystem where the share is located.

The application would need to connect to the share using the correct credentials when it is doing the write operation.

Given that the web server isn't going to be able to run the IIS process using the credentials from the virus scanning machine, you likely will need modifications to the application to support authenticated access as you describe. I would recommend using something other than plain old SMB though for a .NET application as the API support for specifying credentials explicitly is somewhat lacking. FTP or SSH might be a good fit.

Alternatively, depending on your security requirements, you may be able to get away with just allowing anonymous WRITE-only access to the virus scanning share and have the web server talk to it unauthenticated. You could use firewall rules or other mechanisms to limit the exposure here from allowing anonymous access.

David Archer
  • Looks like I forgot about the "use the same username and password on both standalone machines" trick. (or as others are calling it the "ghetto domain") :) – David Archer Jun 25 '09 at 19:57
  • Never underestimate the power of the poor man's trust relationship! *smile* If I had a dollar for every time it got me out of an ugly authentication situation... – Evan Anderson Jun 25 '09 at 20:01