HTTP Commander and Windows 2008 R2 Server File Shares


Evaluating HTTP Commander

This week we evaluated the HTTP Commander product by Element-IT as a solution to a web-based file manager project. Our evaluation found many things to like about this product, including the ability to use Active Directory authentication. Via impersonation, the application also honors NTFS permissions on remote file shares. This item was what really sells HTTP Commander as the right solution in our case.

During our testing, we ran across an interesting problem. When using HTTP Commander as a less privileged user, we could navigate to remote folders that we should not have been able to reach. Now, we were denied access to download files, but being able to navigate folders you don’t have rights to seemed wrong. A quick email to Element-IT support and we began troubleshooting the issue with them.

After a few remote sessions of troubleshooting, we arrived at a point where the application was indeed doing what it was supposed to. The problem was that Windows was granting access when it should not. Thanks be to God for a good night’s sleep and some time to dig. The solution was found.

The Solution – Access-Based Enumeration

When creating file shares on a Windows 2008 R2 Server, you will most likely be doing so via the File Server role. In this file server role, there is a file share management console used for creating and managing file shares. In this tool, there is a setting that is off by default that is labeled “Enable access-based enumeration”.

According to Microsoft:

Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.

Reading this description makes perfect sense. The funny thing is that this setting is not turned on by default. Is there a reason why administrators would not want to default to this setting so that users don’t see things they do not have access to?
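As an added example (not from the original post or from Element-IT), the following script reports which file shares have access-based enumeration turned off and can optionally turn it on. It assumes Windows Server 2012 or later, where the SmbShare cmdlets are available (they are not present on 2008 R2), an elevated session on the file server, and that the script is saved as a `.ps1` file; the `-Enable` switch is a name chosen for this example.

```powershell
# Added example: audit file shares for access-based enumeration (ABE).
# Assumption: Windows Server 2012 or later (SmbShare module), run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch for this example: enable ABE where it is off.
    [switch]$Enable
)

# Skip administrative shares (C$, ADMIN$, IPC$) and printer shares.
$shares = Get-SmbShare -Special $false |
    Where-Object { $_.ShareType -eq 'FileSystemDirectory' }

# Build one row per share; FolderEnumerationMode is AccessBased or Unrestricted.
$report = foreach ($share in $shares) {
    [pscustomobject]@{
        Name       = $share.Name
        Path       = $share.Path
        Mode       = $share.FolderEnumerationMode
        AbeEnabled = ($share.FolderEnumerationMode -eq 'AccessBased')
    }
}

# Shares with ABE off sort first so they stand out in the report.
$report | Sort-Object AbeEnabled, Name | Format-Table -AutoSize

if ($Enable) {
    foreach ($row in $report | Where-Object { -not $_.AbeEnabled }) {
        # ShouldProcess honors -WhatIf and -Confirm, so a dry run is possible.
        if ($PSCmdlet.ShouldProcess($row.Name, 'Enable access-based enumeration')) {
            Set-SmbShare -Name $row.Name -FolderEnumerationMode AccessBased -Force
        }
    }

    # Re-read the shares so the output reflects what is configured now.
    Get-SmbShare -Special $false |
        Select-Object Name, Path, FolderEnumerationMode |
        Format-Table -AutoSize
}
```

Running it with `-Enable -WhatIf` lists the shares that would be changed without modifying them.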

Thankfully, for us this allows us to move forward with final evaluation of HTTP Commander and the potential purchase and implementation. As an aside, I was extremely pleased with the remote support offered by Element-IT and Sergey. Twice I ended a remote support session suggesting it was probably something on our end and I would let them know if we found the problem. On both occasions, I arrived at the office with an email in my inbox from Sergey with another idea and offer to do another support session. Keep in mind that this level of support was all offered prior to our purchase of the product. Kudos to Sergey and the team!


About Tom

Tom genuinely loves tech. Not just gadgets but game-changing stuff. Oh yeah, he hates to talk about himself in the 3rd person. So, I really enjoy involvement in sharing big tech in the #nptech (nonprofit technology) arena. The need to be entrepreneurial drives me to learn and dive into projects, but without the financial acumen to go it alone. Visit me in the afternoon and you'll see Google Chrome packed with my tab hoarding tendencies and you might even catch me practicing my fake British, over the top, accent. Christ follower, husband, father and technology enthusiast. Attempting to live life out as a light in this world and stumbling at times in this fallen world.


9 thoughts on “HTTP Commander and Windows 2008 R2 Server File Shares”

  • Riyaz Patanwala

    Hi Tom
    I am also evaluating the HTTP Commander control to be used as a control in our in-house developed document management system. I am facing a strange issue: once I use HTTP Commander in my aspx page having a master page, it works fine in Firefox, but in IE and Chrome the buttons to upload files and search files do not work at all. I am trying to contact this company (Element IT) but unfortunately no one replies. Can you help me in this regard?

  • Raoul Teeuwen

    Hi Tom. Thanks for the review & post. At the end of the post you state “this allows us to move forward with final evaluation of HTTP Commander and the potential purchase and implementation”. Have you already been able to do that or when do you expect to be able? What, if any, other solutions besides HTTP Commander did you consider?

  • Tom Post author

    Hi Sergey, Yes indeed it was strange. However, as I said in the article, I was extremely pleased with how you all worked to try to understand the problem and resolve it. My dealings with you and your staff were great. Keep up the great work.

  • Sergey Prunsky

    2Jason Davis,
    It is great to see you among our customers. I don’t see if you asked us about these problems, so I hope you fixed the problem. Related to logout: Yes, this problem was in an old release of HTTP Commander because some browsers like Firefox and Chrome don’t provide a solution to clear (terminate) Windows authentication, and users should close their browser to terminate authentication. Later we found a solution to clear authentication when the user goes to the logout page: we send a wrong user name and password via JavaScript to another page that sends a 200 OK reply. After that the browser remembers the wrong authentication info, but the application doesn’t work because the wrong user does not exist in the server OS.

  • Sergey Prunsky

    Hello Tom, thank you for your review. It was a really strange problem on your server. Our developer, Sergey, said that it is the same thing with NTFS rights when Windows Explorer is used. Yes, the “enable ABE” checkbox helped to hide files. We have many clients; some of them don’t use ABE or haven’t enabled it, but they don’t have the situation where users can download files if NTFS rights prohibit that. It is a really strange situation.

  • Jason

    I’m getting the following message, have you had any experience with this, I feel that it is some permission error or something to deal with UAC. I get this error when I try to log on to my IIS application with a non-administrator user account. However, if I log on with an administrative account, I don’t get the message, and for about 15 minutes afterwards, a regular user can log on without getting the error. Then after about 15 minutes, a regular user will start back getting the error.

    2012-12-16T22:57:54
    https://website.com/web/Handlers/Config.ashx
    Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at Microsoft.Win32.Fusion.ReadCache(ArrayList alAssems, String name, UInt32 nFlag)
       at System.Reflection.Assembly.EnumerateCache(AssemblyName partialName)
       at System.Reflection.Assembly.LoadWithPartialNameInternal(String partialName, Evidence securityEvidence, StackCrawlMark& stackMark)
       at System.Reflection.Assembly.LoadWithPartialName(String partialName, Evidence securityEvidence)
       at System.Xml.Serialization.TempAssembly.LoadGeneratedAssembly(Type type, String defaultNamespace, XmlSerializerImplementation& contract)
       at System.Xml.Serialization.XmlSerializer..ctor(Type type, String defaultNamespace)
       at HttpCommander.PropertyManager..ctor(String dataFilePath)
       at HttpCommander.Utils.get_PropertiesManager()
       at HttpCommander.Config.ProcessRequest(HttpContext context)

  • Jason

    I’ve noticed when using Windows authentication, especially with Safari, when you select log out, you can hit the back button and regain access without entering a password. Are you experiencing this?

  • Jason Davis

    I’m curious to know how you have your instance of HTTP Commander set up. Are you using Windows authentication or forms with Windows authentication?
