Not your usual bonehead ASP.NET permissions issue...

My web page needs to start a process on the server that runs as a domain user so it can access the network. I'm using web services and the new feature in .NET 2.0 that lets you start a process as a different user. The following web service works fine until I uncomment the lines setting UserName and Password. Then, Process.Start throws an Access is Denied Exception. If I just comment out the UserName/Password lines and reload the aspx, then it works fine.

My IIS runs as Local System, and I understand I cannot start a process as a different user like this from a process owned by Local System. So, I put this Web Service into an IIS Application Pool with the Identity set to the local Administrator account. I also added local Admin to the IIS_WPG group and granted access to "Adjust memory quotas for a process" and "Replace a process level token" as required by MS docs. Despite all this, it still tells me "Access is Denied" when I try to start the process with ProcessStartInfo.UserName set. Even if, as the code below shows, I try to start with the name and password of the local Administrator (the same account the pool is configured to use anyway)!

But if I simply comment out UserName and Password and re-invoke the web method, the process runs fine; whoami.exe tells me it is the local Administrator as expected. What other access do I need to grant local Administrator to allow it to create this process as a different user?

Details: this is with .NET 2.0, of course (1.1 does not support running a process as a different user). I'm running everything on Windows Server 2003. I have impersonation enabled in my web.config, and I'm using Integrated authentication on the IIS virtual directory that this aspx is in. When I invoke the service via the default aspx browser, I connect as a domain user.
    <%@ WebService Language="C#" Class="Kirk.ForkIt" %>

    using System;
    using System.IO;
    using System.Collections;
    using System.Security;
    using System.Web.Services;
    using System.Diagnostics;

    namespace Kirk
    {
        public class ForkIt
        {
            [WebMethod]
            public string Main()
            {
                Process p = new Process();
                ProcessStartInfo pInfo = new ProcessStartInfo(@"c:\windows\system32\whoami.exe");

                SecureString password = new SecureString();
                // set value for password here.
                password.AppendChar('s');
                password.AppendChar('e');
                password.AppendChar('c');
                password.AppendChar('r');
                password.AppendChar('e');
                password.AppendChar('t');

                //pInfo.UserName = "Administrator";
                //pInfo.Password = password;
                pInfo.CreateNoWindow = true;
                pInfo.UseShellExecute = false;
                pInfo.RedirectStandardOutput = true;

                p.StartInfo = pInfo;
                p.Start();

                String output = p.StandardOutput.ReadToEnd();
                p.WaitForExit();

                return output;
            }
        }
    }

The IIS account is not involved. The aspnet worker process is the process doing the create process as user. If you are on win2003, then it's the app pool identity that needs the permissions; on win2000 it's the asp.net account. Be sure you don't have identity impersonate set in web config. Also, sometimes asp.net trims its token's permissions at request start, so you may need to do a win32 sdk revert before calling create process. So: save token, revert, create process, restore token.

-- bruce (sqlwork.com)

Okay, I turned off impersonation, and I'm using the local Administrator account as the pool identity. If I invoke the service, the browser hangs waiting for a response from whoami.exe. I can see whoami.exe running in the Task Manager as the user I specified in the C# code, but it never terminates. Keeping everything the same, if I comment out the UserName and Password bit, then it runs fine.

I also just tried setting the pool identity to the default: NETWORK SERVICE. Same deal: runs fine until I specify UserName and Password, then it runs whoami.exe but it hangs.

I didn't follow what you said about asp.net trimming token permissions. Do you have any code to do the save/revert/restore bit? I'm no coding guru, just learning C# and .NET, actually...

Thanks,
Kirk
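
The save / revert / create process / restore sequence from bruce's reply, written for .NET Framework as an added example (it is not code from either poster). `RevertAndRun.RunAsUser` and its parameters are hypothetical names; the asynchronous output read and the timeout are additions so that a child process that never exits cannot hang the request thread.

```csharp
// Added example for .NET Framework (2.0+); RevertAndRun/RunAsUser are hypothetical names.
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;
using System.Text;

public static class RevertAndRun
{
    public static string RunAsUser(string exePath, string domain, string user,
                                   SecureString password, int timeoutMs)
    {
        // Save + revert: Impersonate(IntPtr.Zero) behaves like Win32 RevertToSelf and
        // returns a context holding the token the request thread had before the call.
        WindowsImpersonationContext saved = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            // Create process: the thread now runs as the app pool identity.
            ProcessStartInfo psi = new ProcessStartInfo(exePath);
            psi.Domain = domain;
            psi.UserName = user;
            psi.Password = password;          // supplied by the caller, not hard-coded
            psi.UseShellExecute = false;      // required when UserName is set
            psi.CreateNoWindow = true;
            psi.RedirectStandardOutput = true;

            StringBuilder output = new StringBuilder();
            using (Process p = new Process())
            {
                p.StartInfo = psi;
                p.OutputDataReceived += delegate(object s, DataReceivedEventArgs e)
                {
                    if (e.Data != null) lock (output) output.AppendLine(e.Data);
                };
                p.Start();
                p.BeginOutputReadLine();      // async read: cannot block forever like ReadToEnd

                if (!p.WaitForExit(timeoutMs))
                {
                    try { p.Kill(); } catch (Exception) { /* already gone or not permitted */ }
                    throw new TimeoutException(exePath + " did not exit in " + timeoutMs + " ms");
                }
                p.WaitForExit();              // flush remaining async output events
                lock (output) return output.ToString();
            }
        }
        finally
        {
            saved.Undo();                     // Restore: put the saved token back on the thread
        }
    }
}
```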