
Not your usual bonehead ASP.NET permissions issue...

My web page needs to start a process on the server that runs as a
domain user so it can access the network. I'm using web services and
the new feature in .NET 2.0 that lets you start a process as a
different user. The following web service works fine until I uncomment
the lines setting UserName and Password. Then, Process.Start throws an
Access is Denied Exception. If I just comment out the
UserName/Password lines and reload the aspx, then it works fine.

My IIS runs as Local System, and I understand I cannot start a process
as a different user like this from a process owned by Local System.
So, I put this Web Service into an IIS Application Pool with the
Identity set to the local Administrator account. I also added local
Admin to the IIS_WPG group and granted access to "Adjust memory quotas
for a process" and "Replace a process level token" as required by MS
docs. Despite all this, it still tells me "Access is Denied" when I
try to start the process with ProcessStartInfo.UserName set. Even if,
as the code below shows, I try to start with the name and password
of the local Administrator (the same account the pool is configured to
use anyway)!

But if I simply comment out UserName and Password and re-invoke the web
method, the process runs fine; whoami.exe tells me it is the local
Administrator as expected. What other access do I need to grant local
Administrator to allow it to create this process as a different user?

Details: this is with .NET 2.0, of course (1.1 does not support running
a process as a different user). I'm running everything on Windows
Server 2003. I have impersonation enabled in my web.config, and I'm
using Integrated authentication on the IIS virtual directory that this
aspx is in. When I invoke the service via the default aspx browser, I
connect as a domain user.

<%@ WebService Language="C#" Class="Kirk.ForkIt" %>

using System;
using System.IO;
using System.Collections;
using System.Security;
using System.Web.Services;
using System.Diagnostics;

namespace Kirk
{
    public class ForkIt
    {
        [WebMethod]
        public string Main()
        {
            Process p = new Process();
            ProcessStartInfo pInfo = new ProcessStartInfo(@"c:\windows\system32\whoami.exe");
            SecureString password = new SecureString();
            // set value for password here.
            password.AppendChar('s');
            password.AppendChar('e');
            password.AppendChar('c');
            password.AppendChar('r');
            password.AppendChar('e');
            password.AppendChar('t');
            //pInfo.UserName = "Administrator";
            //pInfo.Password = password;
            pInfo.CreateNoWindow = true;
            pInfo.UseShellExecute = false;
            pInfo.RedirectStandardOutput = true;
            p.StartInfo = pInfo;
            p.Start();
            String output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output;
        }
    }
}

Feb 10 '06 #1
The IIS account is not involved.

The aspnet worker process is the process doing the create process as user.
If you are on Win2003, then it's the app pool identity that needs the
permissions; on Win2000 it's the ASP.NET account. Be sure you don't have
identity impersonate set in web.config. Also, sometimes ASP.NET trims its
token's permissions at request start, so you may need to do a Win32 SDK revert
before calling create process. So: save token, revert, create process,
restore token.
-- bruce (sqlwork.com)



Feb 11 '06 #2
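
The save token / revert / create process / restore token sequence described in reply #2, as an added example that is not code from any poster in this thread. It assumes .NET Framework 2.0 or later and uses WindowsIdentity.Impersonate(IntPtr.Zero), which is the managed equivalent of the Win32 RevertToSelf call; the namespace, class and method names are hypothetical, and the credentials are passed in by the caller rather than built in source.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

namespace Example // hypothetical namespace, not from the thread
{
    public static class RevertAndRun // hypothetical helper class
    {
        // Starts exePath as domain\userName while the calling thread runs
        // under the worker process (app pool) identity instead of the
        // impersonated web caller, then puts the caller's identity back.
        public static string Run(string exePath, string domain,
                                 string userName, SecureString password)
        {
            // "Save token, revert": passing IntPtr.Zero removes the thread's
            // impersonation token; the returned context remembers the
            // identity the thread had before the call.
            WindowsImpersonationContext saved =
                WindowsIdentity.Impersonate(IntPtr.Zero);
            try
            {
                ProcessStartInfo info = new ProcessStartInfo(exePath);
                info.Domain = domain;
                info.UserName = userName;
                info.Password = password;
                info.UseShellExecute = false; // required when UserName is set
                info.CreateNoWindow = true;
                info.RedirectStandardOutput = true;

                // "Create process": runs with the process token in effect.
                using (Process p = Process.Start(info))
                {
                    // Read before waiting so a full pipe cannot block the child.
                    string output = p.StandardOutput.ReadToEnd();
                    p.WaitForExit();
                    return output;
                }
            }
            finally
            {
                // "Restore token": runs even if Process.Start throws, so the
                // rest of the request continues as the original caller.
                saved.Undo();
            }
        }
    }
}
```

The revert only matters while impersonation is enabled for the request; with impersonation off, the thread already runs as the pool identity and the two identity calls change nothing.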
Okay, I turned off impersonation, and I'm using the local Administrator
account as the pool identity. If I invoke the service, the browser
hangs waiting for a response from whoami.exe. I can see whoami.exe
running in the Task Manager as the user I specified in the C# code, but
it never terminates. Keeping everything the same, if I comment out the
UserName and Password bit, then it runs fine.

I also just tried setting the pool identity to the default: NETWORK
SERVICE. Same deal: runs fine until I specify UserName and Password,
then it runs whoami.exe but it hangs.

I didn't follow what you said about asp.net trimming token permissions.
Do you have any code to do the save/revert/restore bit? I'm no coding
guru, just learning C# and .NET, actually...

Thanks,
Kirk

Feb 13 '06 #3
