
Want to Reboot server from ASPX page

I am developing an ASP.NET web based service application for our product.
I am trying to trigger a reboot of the server based on a user request.
I believe I have all the appropriate code for AdjustingTokens etc and
all those calls seem to succeed, however, the final call to ExitWindowsEx
is failing with 'Access Denied'.

In my machine.config, I have already set the userName to 'System' as I
seem to require this for some other functionality I implemented. I also tried
to impersonate a local user account with admin privileges via my application's
web.config file but that failed as well with the same 'Access Denied' (by the
way what exactly does 'impersonate' in the web.config do when the machine.config
file already lets me specify the user as 'SYSTEM'?)

I expect there is some other security thing that I need to twiddle ... any ideas greatly
appreciated (with as much detail as possible, I am very new to this whole web security
stuff).

Thanks,

Terry

Nov 18 '05 #1
5 Replies


Terry, first get the code to run in a normal Windows App, so you know that
it works.
After that, it should be a security issue, and impersonation should work,
but you also have to switch off anonymous access to the virtual directory
for impersonation to work.
To ensure that your impersonation is set up correctly, add a test call
somewhere in a form, returning the current user, and check that it is what
you expect (not the anonymous, or ASP.NET user, etc). To get the current
user, call
System.Security.Principal.WindowsIdentity.GetCurrent().Name

"Terry" <an*******@discussions.microsoft.com> wrote in message
news:27**********************************@microsoft.com...
I am developing an ASP.NET web based service application for our product.
I am trying to trigger a reboot of the server based on a user request.
I believe I have all the appropriate code for AdjustingTokens etc and
all those calls seem to succeed, however, the final call to ExitWindowsEx
is failing with 'Access Denied'.

In my machine.config, I have already set the userName to 'System' as I
seem to require this for some other functionality I implemented. I also tried to impersonate a local user account with admin privileges via my application's web.config file but that failed as well with the same 'Access Denied' (by the way what exactly does 'impersonate' in the web.config do when the machine.config file already lets me specify the user as 'SYSTEM'?)

I expect there is some other security thing that I need to twiddle ... any ideas greatly appreciated (with as much detail as possible, I am very new to this whole web security stuff).

Thanks,

Terry

Nov 18 '05 #2

OK, I have verified that the shutdown related code is working fine from
a regular app.

How do I switch off anonymous access to the virtual directory?
Are you talking about adding a statement like <deny user="?">
in my web.config file or are you talking about a setting in
the IIS Service Mgr?

I am using a simple application based 'Forms' authentication.
In this case if I use <identity impersonate="true" /> who would
it be impersonating ... or in this case because I am using Forms
authentication would I have to spell all that out like
<identity impersonate="true" userName="abc" password="def">

I am still a little puzzled by all this impersonate stuff ... if you do
impersonation what is the point of setting the user='SYSTEM' in
the machine.config file?

Thanks,

Terry

----- Chris Botha wrote: -----

Terry, first get the code to run in a normal Windows App, so you know that
it works.
After that, it should be a security issue, and impersonation should work,
but you also have to switch off anonymous access to the virtual directory
for impersonation to work.
To ensure that your impersonation is set up correctly, add a test call
somewhere in a form, returning the current user, and check that it is what
you expect (not the anonymous, or ASP.NET user, etc). To get the current
user, call
System.Security.Principal.WindowsIdentity.GetCurrent().Name


Nov 18 '05 #3

I don't think impersonation works with forms authentication, but I may be
wrong, always some surprise somewhere (it works with Integrated Windows auth,
as well as Basic Auth).
To switch anonymous access off, run IIS Service Manager, find your Web App
under the Default Web Site, right click on it, properties, then Directory
Security, then hit the top edit button and uncheck the anonymous access.
After doing this, hitting the page with IE, if you are not an authenticated
user, you will be prompted to sign in (if you are authenticated, it won't
prompt you), and that will be the user impersonated (unless you specified a
username/password on the impersonate line in the web.config file).

Second solution, I'm not sure if it will work, but it may, write an ActiveX
dll, install it in COM+ specifying the credentials it should run under, and
call it from your aspx page. Beware that if it works, anyone hitting the
page can re-boot the computer.

I don't know what setting the "user='SYSTEM'" in the machine.config does.

"Terry" <an*******@discussions.microsoft.com> wrote in message
news:7C**********************************@microsoft.com...
OK, I have verified that the shutdown related code is working fine from
a regular app.

How do I switch off anonymous access to the virtual directory?
Are you talking about adding a statement like <deny user="?">
in my web.config file or are you talking about a setting in
the IIS Service Mgr.

I am using a simple application based 'Forms' authentication.
In this case if I use <identity impersonate="true" /> who would
it be impersonating ... or in this case because I am using Forms
authentication would I have to spell all that out like
<identity impersonate="true" userName="abc" password="def">

I am still a little puzzled by all this impersonate stuff ... if you do
impersonation what is the point of setting the user='SYSTEM' in
the machine.config file?

Thanks,

Terry


Nov 18 '05 #4
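
The access-control side of Chris's advice in #4, as an added example that is not part of the thread: a web.config for an application using Integrated Windows authentication with anonymous access unchecked in IIS. The page name Reboot.aspx and the choice of the local Administrators group are assumptions; the sketch controls who can reach the page and which identity the request runs as, and does not by itself address the ExitWindowsEx error.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Reboot.aspx is a hypothetical page name. -->
<configuration>
  <system.web>
    <!-- Windows mode: ASP.NET takes the caller's identity from IIS.
         Anonymous access must also be unchecked in IIS (Directory Security),
         otherwise IIS hands over its anonymous account for every visitor. -->
    <authentication mode="Windows" />

    <!-- No userName/password attributes: the request thread runs as the user
         IIS authenticated. Adding userName="abc" password="def" instead would
         make every visitor act as that one fixed account. -->
    <identity impersonate="true" />

    <!-- "?" stands for unauthenticated users; reject them application-wide. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Narrow the reboot page further than the rest of the application:
       only members of the local Administrators group, everyone else denied.
       Rules are evaluated top to bottom, so the allow must come first. -->
  <location path="Reboot.aspx">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, the identity check suggested in #2 (WindowsIdentity.GetCurrent().Name) should report the signed-in Windows user rather than the anonymous or ASP.NET account.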

maybe this way will work:

aspx page
=========
<%@ Page Language="cs" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="test" %>

<%
    // Values handed to the worker object
    string[] passArr = new string[2]{"arr val 1", "arr val 2"};

    // Run the work on its own thread so the page does not wait for it
    ThreadProc tp = new ThreadProc(passArr);
    Thread t = new Thread(new ThreadStart(tp.ThreadProcStart));
    t.Start();
%>
<html>
<head>
</head>
<body>
</body>
</html>

thread class
============
using System.Threading;
using System.IO;

namespace test
{
    public class ThreadProc
    {
        private string[] m_dispStrArr;

        public ThreadProc(string[] inStrArr) {
            m_dispStrArr = inStrArr;
        }

        // Appends one line per second, 20 times, to log.txt in the
        // application's base directory
        public void ThreadProcStart() {
            for (int i = 0; i < 20; i++)
            {
                StreamWriter fsw =
                    File.AppendText(System.AppDomain.CurrentDomain.BaseDirectory + "\\log.txt");
                fsw.WriteLine("m_dispStr: " + m_dispStrArr[0] + " " + m_dispStrArr[1]
                    + " i: " + i);
                fsw.Close();
                fsw = null;

                Thread.Sleep(1000);
            }
        }
    }
}

it works but, maybe you can find a flaw?

"Chris Botha" <chris_s_botha@AT_h.o.t.m.a.i.l.com> wrote in message
news:On**************@TK2MSFTNGP10.phx.gbl...
I don't think impersonation works with forms authentication, but I may be
wrong, always some surprise somewhere (it works with Integrated Windows auth, as well as Basic Auth).
To switch anonymous access off, run IIS Service Manager, find your Web App
under the Default Web Site, right click on it, properties, then Directory
Security, then hit the top edit button and uncheck the anonymous access.
After doing this, hitting the page with IE, if you are not an authenticated user, you will be prompted to sign in (if you are authenticated, it won't
prompt you), and that will be the user impersonated (unless you specified a username/password on the impersonate line in the web.config file).

Second solution, I'm not sure if it will work, but it may, write an ActiveX dll, install it in COM+ specifying the credentials it should run under, and call it from your aspx page. Beware that if it works, anyone hitting the
page can re-boot the computer.

I don't know what setting the "user='SYSTEM'" in the machine.config does.



Nov 18 '05 #5

sorry, wrong thread.

"Sharon" <ta*******@hotmail.com> wrote in message
news:uC*************@tk2msftngp13.phx.gbl...
maybe this way will work:

aspx page
=========
<%@ Page Language="cs" %>
<%@ import namespace="System.Threading" %>
<%@ import namespace="test" %>

<%
string[] passArr = new string[2]{"arr val 1", "arr val 2"};

ThreadProc tp = new ThreadProc(passArr);
Thread t = new Thread(new ThreadStart(tp.ThreadProcStart));
t.Start();
%>
<html>
<head>
</head>
<body>
</body>
</html>

thread class
==========
using System.Threading;
using System.IO;

namespace test
{
public class ThreadProc
{
private string[] m_dispStrArr;

public ThreadProc(string[] inStrArr) {
m_dispStrArr = inStrArr;
}

public void ThreadProcStart() {
for (int i = 0; i < 20; i++)
{
StreamWriter fsw =
File.AppendText(System.AppDomain.CurrentDomain.BaseDirectory + "\\log.txt");
fsw.WriteLine("m_dispStr: " + m_dispStrArr[0] + " " + m_dispStrArr[1]
+ " i: " + i);
fsw.Close();
fsw = null;

Thread.Sleep(1000);
}
}
}
}

it works but, maybe you can find a flaw?




Nov 18 '05 #6
