Dear all,
I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)
Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)
Any idea ?
Thank you
Best Regards
5  2673 
Hi pberna:
It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation? http://msdn.microsoft.com/library/de...ersonation.asp
As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.
In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.
--
Scott http://www.OdeToCode.com/blogs/scott/
On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote: Dear all,
I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)
Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)
Any idea ?
Thank you
Best Regards
Dear Scott,
Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?
1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
be equal to a Windows User name ?
2) Are there any relationship between Windows password of a Windows User and
the password of the same User indicated in the web.config file ?
3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for that
user ?
Thank you
Paolo
"Scott Allen" wrote: Hi pberna:
It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp
As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.
In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.
--
Scott
http://www.OdeToCode.com/blogs/scott/
On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
Dear all,
I built a Web Form application to start and stop a Windows Service remotely.
I successful tested the application on Windows 2000 server + IIS. I must
include the ASPNET user
to the Administration group (on server side) to have the necessary
authorization to start a Windows Service (I don't understand why "Power
User" rights are not enough to do the same thing)
Although I'm able to start a service using windows 2000 server platform, I'm
not able to do the same things in the Windows 2003 server edition where the
same Web Form application has been installed (.NET framework has been
installed by default during Windows server installation process). I know
that in Windows 2003 server the default account for a ASPNET applications is
NETWORK SERVICE, but I don't find any user with this name in the user
list/group. If I try to create this user and error message tell me that the
NETWORK SERVICE user is already defined. The problem is that it doesn't
appear in the user list (My computer-> Manage > user)
Any idea ?
Thank you
Best Regards
Hi pberna:
Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.
Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?
--
Scott http://www.OdeToCode.com/blogs/scott/
On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<pb****@discussions.microsoft.com> wrote: Dear Scott,
Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?
1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
be equal to a Windows User name ?
2) Are there any relationship between Windows password of a Windows User and
the password of the same User indicated in the web.config file ?
3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for that
user ?
Thank you
Paolo
"Scott Allen" wrote:
Hi pberna:
It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp
As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.
In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.
--
Scott
http://www.OdeToCode.com/blogs/scott/
On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
>Dear all,
>
>I built a Web Form application to start and stop a Windows Service remotely.
>I successful tested the application on Windows 2000 server + IIS. I must
>include the ASPNET user
>to the Administration group (on server side) to have the necessary
>authorization to start a Windows Service (I don't understand why "Power
>User" rights are not enough to do the same thing)
>
>Although I'm able to start a service using windows 2000 server platform, I'm
>not able to do the same things in the Windows 2003 server edition where the
>same Web Form application has been installed (.NET framework has been
>installed by default during Windows server installation process). I know
>that in Windows 2003 server the default account for a ASPNET applications is
>NETWORK SERVICE, but I don't find any user with this name in the user
>list/group. If I try to create this user and error message tell me that the
>NETWORK SERVICE user is already defined. The problem is that it doesn't
>appear in the user list (My computer-> Manage > user)
>
>Any idea ?
>
>Thank you
>Best Regards
>
Dear Scott,
Thank again. I'm trying to use your indication now
The application is used only to start/stop a service remotely and to
launch/terminate an application remotely. Yes, the application is exposed to
the internet.
I think that I could also use Windows Authentication instead of Web Form
authentication, but I have a company firewall between the client and the
server (under my full control), so I want to be sure that all messages are
based on http protocol. Sorry but I'm moving the first step on this
technology
Regards,
Paolo
"Scott Allen" <bitmask@[nospam].fred.net> ha scritto nel messaggio
news:pb********************************@4ax.com... Hi pberna:
Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.
Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?
--
Scott
http://www.OdeToCode.com/blogs/scott/
On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<pb****@discussions.microsoft.com> wrote:
Dear Scott,
Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?
1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
be equal to a Windows User name ?
2) Are there any relationship between Windows password of a Windows User
and
the password of the same User indicated in the web.config file ?
3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for
that
user ?
Thank you
Paolo
"Scott Allen" wrote:
Hi pberna:
It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp
As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.
In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.
--
Scott
http://www.OdeToCode.com/blogs/scott/
On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
>Dear all,
>
>I built a Web Form application to start and stop a Windows Service
>remotely.
>I successful tested the application on Windows 2000 server + IIS. I
>must
>include the ASPNET user
>to the Administration group (on server side) to have the necessary
>authorization to start a Windows Service (I don't understand why "Power
>User" rights are not enough to do the same thing)
>
>Although I'm able to start a service using windows 2000 server
>platform, I'm
>not able to do the same things in the Windows 2003 server edition
>where the
>same Web Form application has been installed (.NET framework has been
>installed by default during Windows server installation process). I
>know
>that in Windows 2003 server the default account for a ASPNET
>applications is
>NETWORK SERVICE, but I don't find any user with this name in the user
>list/group. If I try to create this user and error message tell me that
>the
>NETWORK SERVICE user is already defined. The problem is that it doesn't
>appear in the user list (My computer-> Manage > user)
>
>Any idea ?
>
>Thank you
>Best Regards
>
Hi Paolo:
I understand, this is a tricky area to be in especially if it is your
first step.
--
Scott http://www.OdeToCode.com/blogs/scott/
On Mon, 15 Nov 2004 19:06:12 GMT, "pberna" <xx*@iol.it> wrote: Dear Scott,
Thank again. I'm trying to use your indication now
The application is used only to start/stop a service remotely and to
launch/terminate an application remotely. Yes, the application is exposed to
the internet.
I think that I could also use Windows Authentication instead of Web Form
authentication, but I have a company firewall between the client and the
server (under my full control), so I want to be sure that all messages are
based on http protocol. Sorry but I'm moving the first step on this
technology
Regards,
Paolo
"Scott Allen" <bitmask@[nospam].fred.net> ha scritto nel messaggio
news:pb********************************@4ax.com.. . Hi pberna:
Impersonation is more difficult in forms authentication. If you use
the username and password attributes of the <identity> tag then yes,
you are passing the username and password for a windows account. Every
local resource ASP.NET touches will be done with the credentials
specified in the <identity> tag, for example, file access, service
control, connecting to a database with a trusted connection.
Is the web application soley for the purpose of controlling the
service? Is it exposed to the Internet?
--
Scott
http://www.OdeToCode.com/blogs/scott/
On Mon, 15 Nov 2004 07:10:03 -0800, pberna
<pb****@discussions.microsoft.com> wrote:
Dear Scott,
Thanks for your indications
I red the article, but I'm not sure if impersonation is applicable to the
Forms
authentication mode. What do you think ? Am I wrong ?
1) If impersonation is also active using the Forms authentication mode,
should the user name related to the token "userName"
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
be equal to a Windows User name ?
2) Are there any relationship between Windows password of a Windows User
and
the password of the same User indicated in the web.config file ?
3) If the ASPNET impersonate a user using the Forms authentication mode,it
means that the .NET application can access to all resource available for
that
user ?
Thank you
Paolo
"Scott Allen" wrote:
Hi pberna:
It's generally a bad idea to run ASP.NET under an administrator
account, as it makes it easier for a malicious user to have admin
rights on a machine. Have you investigated impersonation?
http://msdn.microsoft.com/library/de...ersonation.asp
As for the NETWORK SERVICE account, there are two types of accounts on
the machine: user accounts and built in security principals. The built
in security principals do not appear in the list of users. You can
still add them to a group if you go to My computer -> Manage ->
Groups. You can right click a group and select Properties, then click
Add. You can type in the name you need, or click Advanced and Find Now
to select the principal from a list - you'll notice at the top of the
dialog under Object Types the dialog will search for both user objects
and built in security principal objects.
In any case, a best practice is to avoid elevating the privileges of
any of these built in accounts. Impersonation is a safer approach.
--
Scott
http://www.OdeToCode.com/blogs/scott/
On Sat, 13 Nov 2004 19:36:21 GMT, "pberna" <xx*@iol.it> wrote:
>Dear all,
>
>I built a Web Form application to start and stop a Windows Service
>remotely.
>I successful tested the application on Windows 2000 server + IIS. I
>must
>include the ASPNET user
>to the Administration group (on server side) to have the necessary
>authorization to start a Windows Service (I don't understand why "Power
>User" rights are not enough to do the same thing)
>
>Although I'm able to start a service using windows 2000 server
>platform, I'm
>not able to do the same things in the Windows 2003 server edition
>where the
>same Web Form application has been installed (.NET framework has been
>installed by default during Windows server installation process). I
>know
>that in Windows 2003 server the default account for a ASPNET
>applications is
>NETWORK SERVICE, but I don't find any user with this name in the user
>list/group. If I try to create this user and error message tell me that
>the
>NETWORK SERVICE user is already defined. The problem is that it doesn't
>appear in the user list (My computer-> Manage > user)
>
>Any idea ?
>
>Thank you
>Best Regards
>
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Tom wilson |
last post by:
I've been through everything with this error and cannot get the
debugger to work remotely. The only thing I can trace it down to is
that RPC is not communicating between servers.
So after many,...
|
by: Dan V. |
last post by:
Is there a way to query a remote xml file periodically by not using web
services? For Windows and Unix platforms. Is there a cheap software product
that I can install on each client and my Windows...
|
by: Craig |
last post by:
Hope this is the right group, first timer -
Just got back from holiday to find our Dev Server (Standard 2003, All
hotfixes up to date) has been patched with KB 867460 (.NET Framework
1.1 Service...
|
by: WhiskRomeo |
last post by:
I have a WIN .NET application that calls a web service to retrieve data.
I deployed the application to a server and configured the webservice. The
webservice and SQL Server 2000 database are on...
|
by: Daniel P. |
last post by:
I'm using C#:
Stream s = File.Open( @"\remotemachine\share\MyFile.txt"
, FileMode.Open
, FileAccess.Read
, FileShare.Read );
I'm getting the following exception:
"The referenced account...
| | |
by: Ken Allen |
last post by:
The MSDN documentation on remote debugging is a bit sparse, to say the
least, and there is almost no information available on the 'best' way to
configure this. I should note that my development...
|
by: JLuis Estrada |
last post by:
Hi there.
Id tried to find information about how to set up the remote debugging on
win2003.
I have a PC with winxpsp2 with VS2003 installed. And I developed an
winservice app that runs on the...
|
by: jpegny |
last post by:
Hello all,
I'm in the middle of setting up a windows 2003 server for asp.net
(with vb.net 2003) remote development/deployment.
The problem is that as soon as I install service pack 1 on...
|
by: =?Utf-8?B?TVNU?= |
last post by:
To demonstrate my problem, I have a very simple VB Windows application. It
has a text box that is used to display a counter, a button to reset the
counter, and a timer that increments the counter...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
