"Requested registry access is not allowed" and Web Service call

Clint,

I am not 100% sure but from the error message that you have posted it seems
that the problem could be with the way you are calling the Impersonate()
method. The web service that you created is not hitting the registry so that
makes the Impersonate() method stick out to me. I can think of two ways to
diagnose this to make sure…. access the page from an asp.net page located on
another server and/or post your complete code here for the group to look at.
If you cannot (or don’t have the luxury of) hit the web service from an
external source you may find some help searching for different methods of
impersonation that would fit into what you are trying to do.

I hope that this helps!

Hi Brian -

Thanks for your reply. I'm not sure what I would be doing wrong w/the
Impersonate() call, but its very possible I missed something there, so
here's the complete code (watch the wrap ... sorry)

btw - There are two projects in this solution, the Forms project called
HashTest, the Web Service called HashTestWebService ...
Project HashTest (Windows Forms Project)
-> under Form1.cs

using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Data;
using System.Web.Security;
using System.DirectoryServices;
using System.Text;
using System.Security.Principal;

namespace HashTest
{
/// <summary>
/// Summary description for Form1.
/// </summary>
public class Form1 : System.Windows.Forms.Form
{
private System.Windows.Forms.TextBox textBox1;
private System.Windows.Forms.Label label1;
private System.Windows.Forms.Label label2;
private System.Windows.Forms.Label label3;
private System.Windows.Forms.Label label4;
private HashTest.abmiisvm03.Service1 ws;
private System.Windows.Forms.Button button2;
private System.Windows.Forms.Button button3;
private System.Security.Principal.WindowsImpersonationCont ext _wic;
private System.Windows.Forms.Label label5;

/// <summary>
/// Required designer variable.
/// </summary>
private System.ComponentModel.Container components = null;

public Form1()
{
//
// Required for Windows Form Designer support
//
InitializeComponent();

//
// TODO: Add any constructor code after InitializeComponent call
//
//
ws = new HashTest.abmiisvm03.Service1();
ws.CookieContainer = new System.Net.CookieContainer();
ws.Credentials = System.Net.CredentialCache.DefaultCredentials;
}

/// <summary>
/// Clean up any resources being used.
/// </summary>
protected override void Dispose( bool disposing )
{
if( disposing )
{
if (components != null)
{
components.Dispose();
}
}
base.Dispose( disposing );
}

#region Windows Form Designer generated code
/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
this.textBox1 = new System.Windows.Forms.TextBox();
this.label1 = new System.Windows.Forms.Label();
this.label2 = new System.Windows.Forms.Label();
this.label3 = new System.Windows.Forms.Label();
this.label4 = new System.Windows.Forms.Label();
this.button2 = new System.Windows.Forms.Button();
this.button3 = new System.Windows.Forms.Button();
this.label5 = new System.Windows.Forms.Label();
this.SuspendLayout();
//
// textBox1
//
this.textBox1.Location = new System.Drawing.Point(24, 8);
this.textBox1.Name = "textBox1";
this.textBox1.Size = new System.Drawing.Size(312, 20);
this.textBox1.TabIndex = 0;
this.textBox1.Text = "";
this.textBox1.KeyUp += new
System.Windows.Forms.KeyEventHandler(this.textBox1 _KeyUp);
//
// label1
//
this.label1.Location = new System.Drawing.Point(24, 120);
this.label1.Name = "label1";
this.label1.Size = new System.Drawing.Size(312, 40);
this.label1.TabIndex = 1;
//
// label2
//
this.label2.Location = new System.Drawing.Point(24, 184);
this.label2.Name = "label2";
this.label2.Size = new System.Drawing.Size(312, 32);
this.label2.TabIndex = 2;
//
// label3
//
this.label3.Location = new System.Drawing.Point(24, 104);
this.label3.Name = "label3";
this.label3.Size = new System.Drawing.Size(100, 16);
this.label3.TabIndex = 3;
this.label3.Text = "SHA1 Hash";
//
// label4
//
this.label4.Location = new System.Drawing.Point(24, 168);
this.label4.Name = "label4";
this.label4.Size = new System.Drawing.Size(128, 16);
this.label4.TabIndex = 4;
this.label4.Text = "IsAuthenticatedSession";
//
// button2
//
this.button2.Location = new System.Drawing.Point(24, 64);
this.button2.Name = "button2";
this.button2.TabIndex = 6;
this.button2.Text = "Impersonate";
this.button2.Click += new System.EventHandler(this.button2_Click);
//
// button3
//
this.button3.Location = new System.Drawing.Point(112, 64);
this.button3.Name = "button3";
this.button3.TabIndex = 7;
this.button3.Text = "Stop";
this.button3.Click += new System.EventHandler(this.button3_Click);
//
// label5
//
this.label5.Location = new System.Drawing.Point(24, 40);
this.label5.Name = "label5";
this.label5.Size = new System.Drawing.Size(312, 16);
this.label5.TabIndex = 8;
//
// Form1
//
this.AutoScaleBaseSize = new System.Drawing.Size(5, 13);
this.ClientSize = new System.Drawing.Size(360, 222);
this.Controls.Add(this.label5);
this.Controls.Add(this.button3);
this.Controls.Add(this.button2);
this.Controls.Add(this.label4);
this.Controls.Add(this.label3);
this.Controls.Add(this.label2);
this.Controls.Add(this.label1);
this.Controls.Add(this.textBox1);
this.Name = "Form1";
this.Text = "Form1";
this.ResumeLayout(false);

}
#endregion

/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main()
{
Application.Run(new Form1());
}

private void textBox1_KeyUp(object sender,
System.Windows.Forms.KeyEventArgs e)
{
if (e.KeyCode == Keys.Enter)
{
this.label1.Text = HashValue(this.textBox1.Text.Trim(), "sha1");

try
{
this.label2.Text =
ws.PerformHandshake(this.label1.Text.Trim()).ToStr ing();
}
catch (System.Exception ex)
{
MessageBox.Show(ex.Message);
}
}
}

private string HashValue(string valueToHash, string hashAlgorithm)
{
string hashedString = "";

if(valueToHash.Length > 0)
{
hashedString =
FormsAuthentication.HashPasswordForStoringInConfig File(valueToHash,
hashAlgorithm);
}

return hashedString;
}

private void button2_Click(object sender, System.EventArgs e)
{
this.Logon("somedomainaccount", "password", "ourdomain");
this.label5.Text = string.Format("Now impersonating {0}",
System.Security.Principal.WindowsIdentity.GetCurre nt().Name.ToString());
}

private void button3_Click(object sender, System.EventArgs e)
{
try
{
this._wic.Undo();
}
catch (Exception)
{
MessageBox.Show(ExternalClasses.GetLastError().ToS tring());
}

this.label5.Text = string.Format("Running as {0}",
System.Security.Principal.WindowsIdentity.GetCurre nt().Name.ToString().ToLower());
}

private void Logon(string username, string password, string domain)
{
int userToken;
bool loggedOn = ExternalClasses.LogonUser(username, domain,
password, 2, 0, out userToken);
if (loggedOn)
{
this._wic =
System.Security.Principal.WindowsIdentity.Imperson ate(new
IntPtr(userToken));
}
}
}
}

-> under ExternalClasses.cs

using System;
using System.Security;
using System.Security.Permissions;
using System.Runtime.InteropServices;

namespace HashTest
{
/// <summary>
/// Contains a list of external DLL imports
/// </summary>
public struct ExternalClasses
{
/// <summary>
/// Uses the LogonUser API
/// </summary>
/// <param name="lpszUsername">The user name to logon</param>
/// <param name="lpszDomain">The AD domain to log into</param>
/// <param name="lpszPassword">The user's password</param>
/// <param name="dwLogonType">The Logon Type</param>
/// <param name="dwLogonProvider">The Logon Provider</param>
/// <param name="phToken">The logon token for impersonation</param>
/// <returns>Returns true if logged in, else false</returns>
[DllImport(@"c:\windows\system32\ADVAPI32.DLL", SetLastError=true)]
public static extern bool LogonUser(string lpszUsername,
string lpszDomain,
string lpszPassword,
[MarshalAs(UnmanagedType.U4)] int dwLogonType,
[MarshalAs(UnmanagedType.U4)] int dwLogonProvider,
out int phToken);

[DllImport("C:\\WINNT\\System32\\Kernel32.dll")]
public static extern int GetLastError();

}
}
---- This part is in the web service solution ----
-> In Service1.asmx

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Web;
using System.Web.Services;

namespace HashTestWebService
{
/// <summary>
/// Summary description for Service1.
/// </summary>
public class Service1 : System.Web.Services.WebService
{
public Service1()
{
//CODEGEN: This call is required by the ASP.NET Web Services
Designer
InitializeComponent();
}

#region Component Designer generated code

//Required by the Web Services Designer
private IContainer components = null;

/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
}

/// <summary>
/// Clean up any resources being used.
/// </summary>
protected override void Dispose( bool disposing )
{
if(disposing && components != null)
{
components.Dispose();
}
base.Dispose(disposing);
}

#endregion

// WEB SERVICE EXAMPLE
// The HelloWorld() example service returns the string Hello World
// To build, uncomment the following lines then save and build the
project
// To test this web service, press F5

[WebMethod (EnableSession=true)]
public string PerformHandshake(string hashedValue)
{
return hashedValue + "\r\n" +
System.Security.Principal.WindowsIdentity.GetCurre nt().Name.ToString();
}
}
}

***************************

That's it - nothing overly special. I can reproduce the error if I
click "Impersonate", then type in any value in the textbox and hit
Enter. If I type a value and hit Enter, and then Impersonate and try
again, everything seems to work ok.

Thanks again!
Clint

Clint,

No problem. Sorry about the late reply.

I believe that the problem is with the use of the Impersonate() method and
the user that you are impersonating not with the web service. Offhand I do
not see any problems with your code (with the web service or the windows
form), which leads me to think that the problem lies with the permission set
of the user that you are attempting to impersonate. I would suggest that you
examine this permission set to determine if this is the case or not.

I do have one question. Is this a method that you have developed to test
the web service and not an integral portion of the application? If so for
the quick solution can you create another user on your machine and test the
access to the web server this way?

Good Luck!

Don't mention it - there's always other things to work on here :)

As it stands, that user is a base AD user (only a member of "Domain
Users" and a few groups dedicated to this program alone). Seems odd
that you'd be restricted to a certain permission set in order to access
a web service, unless I'm misunderstanding that I need to apply the
permission set in code and not the actual user. Either way - it's not
my specialty, so I'll take a closer look and see what crops up.

To answer your question - the code above is simply a test, a proof of
concept. The process it needs to complete is integral, the means of
doing so lean very heavily towards a central, remote server doing the
processing (I'll explain a little below).

The concept is rather straight forward - I need a central means of
performing transactions (if they were performed from the desktop, we'd
have to purchase a slew of licenses at a rather high cost, as opposed
to using a server that already has the product we'd need on it). The
web service is called from a desktop application that requires a user
to login using their domain login and account, and then impersonates
that user whenever it makes a call to the SQL server (for example, if
TestUser happens to run the program while I'm logged into the
workstation, they have less rights than me, and the program as well as
sql server would take on the rights of that user, not who's actually
logged into the workstation).

I wanted the same means of accessing sql through the web service as
using the desktop app, only certain users can access certain stored
procesudes - no generic accounts that allow access to all stored procs.
The idea was solid ... but it seems executing it isn't as simple as I
had figured it would be.

I have a few generic domain accounts at my disposal, two with only
"User" rights, and my own which is considered a local administrator.

If you have any suggestions, I'm certainly open to them. Thanks again
for taking your time to look over this!
Clint

Clint,

Take a look at the following key in your machine.config file:
configuration\system.net\defaultProxy\proxy. It is most likely set to use
the system default proxy. If this is the case, the proxy settings will be
read out of the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings\Connections.

When you impersonate, the HKCU hive will not be populated with the data for
the impersonated user. Instead, the hive remains as previously populated
for the logged on user. In your case, the impersonated user would appear
not to have permissions to read the necessary subkey from HKCU.

You should not need to modify your machine.config file in order to work
around the problem. Instead, you should be able to override the
defaultProxy setting via your application's config file.

HTH,
Nicole

"Clint" <cj*******@gmail.com> wrote in message
news:11**********************@c13g2000cwb.googlegr oups.com...

Hey all -

I'm having a really confusing problem concerning a web service. Right
now, I have an application that needs to call a web service that does
nothing but return "true" (this will obviously change once the
program's fully built to actually do something, but for testing, it
works).

The only code I added to the service is below:
[WebMethod (EnableSession=true)]
public bool PerformHandshake(string hashedValue)
{
return true;
}

Whenever this method is called from my desktop app (running as me, a
local admin), it works fine. When I call the web service as a
restricted account (by impersonating using
System.Security.Principal.WindowsIdentity.Imperson ate()), I get the
following large exception:

General Information
*****
Additional Info:
ExceptionManager.MachineName: <<My machine name>>
ExceptionManager.TimeStamp: 12/13/2004 9:44:23 AM
ExceptionManager.FullName:
Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.1760.29811, Culture=neutral, PublicKeyToken=null
ExceptionManager.AppDomainName: Journals.exe
ExceptionManager.ThreadIdentity:
ExceptionManager.WindowsIdentity: <<correct domain\correct user
account>>

1) Exception Information
*****
Exception Type: System.Configuration.ConfigurationException
Message: Exception in configuration section handler
(c:\windows\microsoft.net\framework\v1.1.4322\Conf ig\machine.config
line 74)
BareMessage: Exception in configuration section handler
Filename:
c:\windows\microsoft.net\framework\v1.1.4322\Confi g\machine.config
Line: 74
TargetSite: System.Object
EvaluateRecursive(System.Configuration.IConfigurat ionSectionHandler,
System.Object, System.String[], Int32, System.Xml.XmlTextReader)
HelpLink: NULL
Source: System

StackTrace Information
*****
at
System.Configuration.ConfigurationRecord.EvaluateR ecursive(IConfigurationSectionHandler
factory, Object config, String[] keys, Int32 iKey, XmlTextReader
reader)
at
System.Configuration.ConfigurationRecord.EvaluateR ecursive(IConfigurationSectionHandler
factory, Object config, String[] keys, Int32 iKey, XmlTextReader
reader)
at System.Configuration.ConfigurationRecord.Evaluate( String
configKey)
at System.Configuration.ConfigurationRecord.ResolveCo nfig(String
configKey)
at System.Configuration.ConfigurationRecord.GetConfig (String
configKey)
at System.Configuration.ConfigurationRecord.ResolveCo nfig(String
configKey)
at System.Configuration.ConfigurationRecord.GetConfig (String
configKey)
at
System.Configuration.DefaultConfigurationSystem.Sy stem.Configuration.IConfigurationSystem.GetConfig( String
configKey)
at System.Configuration.ConfigurationSettings.GetConf ig(String
sectionName)
at System.Net.GlobalProxySelection.get_SelectInternal ()
at System.Net.HttpWebRequest..ctor(Uri uri)
at System.Net.HttpRequestCreator.Create(Uri Uri)
at System.Net.WebRequest.Create(Uri requestUri, Boolean useUriBase)
at System.Net.WebRequest.Create(Uri requestUri)
at System.Web.Services.Protocols.WebClientProtocol.Ge tWebRequest(Uri
uri)
at
System.Web.Services.Protocols.HttpWebClientProtoco l.GetWebRequest(Uri
uri)
at
System.Web.Services.Protocols.SoapHttpClientProtoc ol.GetWebRequest(Uri
uri)
at
System.Web.Services.Protocols.SoapHttpClientProtoc ol.Invoke(String
methodName, Object[] parameters)
at Journals.BAL.<svr>.FSConnect.PerformHandshake(Stri ng hashedValue)
in C:\Visual Studio Projects\C# Projects\Journal Automation
System\Journals.BAL\Web References\<svr>\Reference.cs:line 38
at Journals.BAL.Posting.PostJournalSet(Int32 JournalSet_ID, String
NewOwnerUserName, String Comment) in c:\visual studio projects\c#
projects\journal automation system\journals.bal2\posting.cs:line 298
at Journals.Common.Posting.transfer_TransferOk(Object sender,
TransferOkEventArgs e) in c:\visual studio projects\c# projects\journal
automation system\journals\common\posting.cs:line 174
at Journals.frmTransferOwnership.OnTransferOk(Transfe rOkEventArgs e)
in c:\visual studio projects\c# projects\journal automation
system\journals\forms\frmtransferownership.cs:line 46
at Journals.frmTransferOwnership.btnSend_Click(Object sender,
EventArgs e) in c:\visual studio projects\c# projects\journal
automation system\journals\forms\frmtransferownership.cs:line 276
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventAr gs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons
button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.ControlNativeWindow.OnMessage (Message& m)
at System.Windows.Forms.ControlNativeWindow.WndProc(M essage& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32
msg, IntPtr wparam, IntPtr lparam)

2) Exception Information
*****
Exception Type: System.Security.SecurityException
PermissionType: NULL
PermissionState: NULL
GrantedSet: NULL
RefusedSet: NULL
Message: Requested registry access is not allowed.
TargetSite: Microsoft.Win32.RegistryKey OpenSubKey(System.String,
Boolean)
HelpLink: NULL
Source: mscorlib

StackTrace Information
*****
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean
writable)
at Microsoft.Win32.RegistryKey.OpenSubKey(String name)
at System.Net.ProxyRegBlob.ReadRegSettings()
at System.Net.ProxyRegBlob.ReadRegSettings()
at System.Net.ProxyRegBlob.GetIEProxy()
at System.Net.Configuration.DefaultProxyHandler.Creat e(Object
parent, Object configContext, XmlNode section)
at
System.Configuration.ConfigurationRecord.EvaluateR ecursive(IConfigurationSectionHandler
factory, Object config, String[] keys, Int32 iKey, XmlTextReader
reader)

************************************************** ************

Now, the exception that stands out is the Registry exception ... but
nowhere in my application am I accessing the registry.

Does anyone have any ideas as to what might be happening, and how to
resolve it?

Thanks!
Clint

Hi Nicole -

That sounds exactly like whats going on. I added the following to my
App.config file:

<configuration>
<system.net>
<defaultProxy>
<proxy
usesystemdefault="false"
proxyaddress="http://proxyserver:80"
bypassonlocal="true"
/>
</defaultProxy>
</system.net>
</configuration>

And still managed to get the same error. Now, I know
http://proxyserver:80 won't work as it doesn't exist, but I figured a
separate message would've appeared. It almost seems as if the new
settings aren't overriding those in Machine.config.
Any ideas?
Thanks!
Clint

Hi Nicole -

That sounds exactly like whats going on. I added the following to my
App.config file:

<configuration>
<system.net>
<defaultProxy>
<proxy
usesystemdefault="false"
proxyaddress="http://proxyserver:80"
bypassonlocal="true"
/>
</defaultProxy>
</system.net>
</configuration>

And still managed to get the same error. Now, I know
http://proxyserver:80 won't work as it doesn't exist, but I figured a
separate message would've appeared. It almost seems as if the new
settings aren't overriding those in Machine.config.
Any ideas?
Thanks!
Clint

If overriding via app.config isn't working, you might want to try "manually"
setting the Proxy property of the HttpWebRequest that is used to call the
web service. According to the docs, reading of the proxy settings from the
config file will only occur for an HttpWebRequest that has not yet had its
Proxy property set when submission of the request is first attempted.

HTH,
Nicole
"Clint" <cj*******@gmail.com> wrote in message
news:11**********************@c13g2000cwb.googlegr oups.com...

Hi Nicole -

That sounds exactly like whats going on. I added the following to my
App.config file:

<configuration>
<system.net>
<defaultProxy>
<proxy
usesystemdefault="false"
proxyaddress="http://proxyserver:80"
bypassonlocal="true"
/>
</defaultProxy>
</system.net>
</configuration>

And still managed to get the same error. Now, I know
http://proxyserver:80 won't work as it doesn't exist, but I figured a
separate message would've appeared. It almost seems as if the new
settings aren't overriding those in Machine.config.
Any ideas?
Thanks!
Clint

I think I'm doing something wrong in that I tried setting the Proxy
right after creating a new instance of my service:

ws = new HashTest.iisvm03.Service1();
ws.Proxy = new System.Net.WebProxy("http://foo:80", true);
ws.CookieContainer = new System.Net.CookieContainer();
ws.Credentials = System.Net.CredentialCache.DefaultCredentials;

With no success - still trying to read from the registry. I did find a
work-around, though, in that I'm not always impersonating a user in the
application, only on remote calls. So, when my calling class fires up,
it isn't impersonating, and I can set a private proxy field in the
constructor and use it as needed when I do my calls. That, oddly
enough, seems to work.

I have no problem going that route, I'm more curious now as to what I
was doing wrong for future reference. Either way - thanks again for
helping me out - this has been bugging me for a while!

Clint

That's the wrong Proxy property. The web service wrapper class generated
for use in the client application inherits from
System.Web.Services.Protocols.WebClientProtocol, even if not directly. You
would need to override its virtual GetWebRequest method to set the value of
the Proxy property for the HttpWebRequest used by the wrapper.
Unfortunately, this change would be undone every time the auto-generated
wrapper class is regenerated. If you have an acceptable workaround that
doesn't compromise the security of your system, it would probably be best to
use it.

HTH,
Nicole
"Clint" <cj*******@gmail.com> wrote in message
news:11**********************@c13g2000cwb.googlegr oups.com...

I think I'm doing something wrong in that I tried setting the Proxy
right after creating a new instance of my service:

ws = new HashTest.iisvm03.Service1();
ws.Proxy = new System.Net.WebProxy("http://foo:80", true);
ws.CookieContainer = new System.Net.CookieContainer();
ws.Credentials = System.Net.CredentialCache.DefaultCredentials;

With no success - still trying to read from the registry. I did find a
work-around, though, in that I'm not always impersonating a user in the
application, only on remote calls. So, when my calling class fires up,
it isn't impersonating, and I can set a private proxy field in the
constructor and use it as needed when I do my calls. That, oddly
enough, seems to work.

I have no problem going that route, I'm more curious now as to what I
was doing wrong for future reference. Either way - thanks again for
helping me out - this has been bugging me for a while!

Clint