Network access from c# code (called from ASP.Net)

Hello
We have a web application written in ASP.Net that calls an external C# program (.exe). This C# program needs to access data from a different server and is not able to do so. We use impersonate in the web config for the ASP code to be able to access the network and it is working fine. But since the C# exe is being called from the ASP code, it is apparently not running with the privileges of the userID specified in the web.config for the ASP code.
We tried trusting this assembly using the .Net Framework wizard to the highest level possible, but that didn't help. If we change the machine.config and hardcode the userid and password in the "process model" (change the system/autogenerate), the C# program is able to access the network, but I am not sure that is the right way to do this...
We call the exe by using System.Diagnostics.Process.Start (we specify the startinfo.filename as the filename of the C# exe to execute).

We don't have the C# code (just the exe), so putting the functionality of the C# program into the ASP page code is not an option.

Could someone please help figure out the ideal way to do this?
Thanks
Nov 22 '05 #1
"Joseph" <jo**********@nospam.com> wrote in message
news:B0**********************************@microsof t.com...
> Hello,
> We have a web application written in ASP.Net that calls an external C#
> program (.exe). This C# program needs to access data from a different
> server and is not able to do so. We use impersonate in the web config for
> the ASP code to be able to access the network and it is working fine. But
> since the C# exe is being called from the ASP code, it is apparently not
> running with the privileges of the userID specified in the web.config for
> the ASP code. We tried trusting this assembly using the .Net Framework
> wizard to the highest level possible, but that didn't help. If we change the
> machine.config and hardcode the userid and password in the "process model"
> (change the system/autogenerate), the C# program is able to access the
> network, but I am not sure that is the right way to do this... We call the
> exe by using System.Diagnostics.Process.Start (we specify the
> startinfo.filename as the filename of the C# exe to execute)
> We don't have the C# code (just the exe), so putting the functionality of
> the C# program into the ASP page code is not an option.
> Could someone please help figure out the ideal way to do this?
> Thanks


I'd recommend this article that a friend had sent to me.
http://www.15seconds.com/Issue/020312.htm

Nov 22 '05 #2
Thank you for your quick response... I am able to get the application to work by modifying the process model user ID/password in the machine.config. The only concern I have with this approach is that any other .Net web application that I install on this server will automatically get the rights that this user ID has and that is not something desirable. Is there a way that I can give these rights only to the C# program that I am calling in my code (and not to any other application that might be installed at a later point in time)?

Thanks
Nov 22 '05 #3
"Joseph" <jo**********@nospam.com> wrote in message
news:6E**********************************@microsof t.com...
> Thank you for your quick response... I am able to get the application to
> work by modifying the process model user ID/password in the machine.config.
> The only concern I have with this approach is that any other .Net web
> application that I install on this server will automatically get the rights
> that this user ID has and that is not something desirable. Is there a way
> that I can give these rights only the C# program that I am calling in my
> code (and not to any other application that might be installed at a later
> point in time)?
> Thanks


This might be what you're looking for, search VS.NET docs for "Impersonating
and Reverting". It appears to work similarly (in function) to the su command
on UNIX.

Nov 22 '05 #4
Hello Jose,

For this question, please refer to this KB article:
"INFO: Implementing Impersonation in an ASP.NET Application"
http://support.microsoft.com/?id=306158

You can refer to the "Impersonate a Specific User for All the Requests of
an ASP.NET Application" part in this article.
1) Grant the "Act as part of the operating system" privilege to the ASPNET
account (the least privileged account). In this way, you can grant rights in
a special location and then undo the impersonation when finished.
2) Change the account that the Aspnet_wp.exe process runs under. However,
this may not be what you want.

Specifically, you can impersonate a user in code according to the other two
methods in that KB article. Please try them and let us know whether it
works for you.

Does that answer your question?

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 22 '05 #5
Hello Joseph,

When you change machine.config to a network logon ID, the asp.net worker
process is spawned under that network logon ID identity. Also, the spawned C#
program process is under that network logon ID identity. You can prove it
by watching task manager in the system.

When you change to that network logon ID in web.config, the asp.net worker
process is still spawned under the aspnet account. However, the execution
context of the asp.net worker process is that network logon ID. So you can
access network resources in asp.net code successfully. However, when you
spawn a C# program, that C# program is still under the aspnet account (not
that network logon ID). The aspnet account is a local account and may not
have access to that network resource. Even after you add it to the admin group,
it is still a local admin account. That should be the reason for the
problem. I think you can also watch task manager in the system this time to
see the user name of this C# program.

To resolve it, we need to:

1) Change processmodel to the network logon ID in machine.config, as
you did now.
2) You may also change the source code of that C# application, make the network
logon ID and password its parameters, and call LogonUser in that C#
program. So when you use CreateProcess to run the C# program, the C# program
will impersonate by itself. This may resolve the problem for you. And it
won't affect other web applications on your machine.

If anything is unclear, please feel free to post here. Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support


Nov 22 '05 #6
Hello Yanhong
Thank you for your suggestions... the only concern I have about changing the id/pwd in the processmodel is that every other asp application that is installed on this server will also have this same access and that is a risk that I am concerned about. Is there any way to ensure that only this C# program gets to use this network ID/pwd for access?
Unfortunately, we don't have access to the C# program (it is a third-party program) - else the best way would have been to implement that C# program code (or at least the network access part of it) in the web application itself where it could use the ID/pwd specified in the "impersonate" of the web.config.

Could you suggest some way of ensuring that only this program gets to use this ID?
Thanks again for your help
- Joseph
Nov 22 '05 #7
Hello Joseph,

If we change username/password in the machine.config file, all the web
applications using that version of asp.net will use that identity. This
can't be changed in asp.net application.

I totally understand your concern. That is also why I suggest you change
the code of that C# program. However, it seems that you can't do that
either due to not having source code.

There is no way to change the behavior if you use CreateProcess. I have
some other suggestions for you:

1) Call CreateProcessWithLogonW to launch that C# program. This API has
username and password parameters. It may have the C# application run under a
network logon ID.

2) Or change the authentication level of that network resource so that it
can trust the aspnet account of your local machine.

Thanks.

Best regards,
Yanhong Huang
Microsoft Community Support


Nov 22 '05 #8
Thank you for your response Yanhong. I haven't used the CreateProcessWithLogonW yet - but it sounds promising! I will read up about that and hopefully that will help. I will update you on what I find.

Thanks once again
Regards
- Joseph
Nov 22 '05 #9
Hi Joseph,

It is my pleasure to be of assistance. The key point here is to watch task
manager to see the owner of the C# process. If it changes to that domain
user account, then it should be OK. If it is still aspnet, then we have to
change machine.config to do that.

Thanks for working with us so closely. :)

Best regards,
Yanhong Huang
Microsoft Community Support


Nov 22 '05 #10
