Process.Start with Username hangs

hmmm

maybe try putting the domain/computer name in front of the username:

pInfo.UserName = "MyComputer\Administrator";

not sure, i havent used this feature in 2.0 yet

Thanks, but your suggestion doesn't help. There is a Domain member for
the ProcessStartInfo class, but setting that to the computer name
doesn't help. Anyway, the authentication is not an issue _in itself_
as I can see that the hung process is running as the specified user
(Administrator in this case). I can get any domain account to run the
process, it's just that the process hangs -- any process.

What OS are you running this on and Who's the callers identity, that is the
identity of the asp.net process or the impersonating identity if
impersonation is active?

Willy.

"Kirk" <ki***********@gmail.com> wrote in message
news:11**********************@g14g2000cwa.googlegr oups.com...
| The following C# web service works fine until you uncomment the lines
| setting UserName and Password. Then the process starts as the
| specified user, but hangs in a suspended state. In fact, any
| executable will exhibit this problem; it is not specific to whoami.exe.
| This is with .NET 2.0, of course (1.1 does not support running a
| process as a different user). This appears to be a bug. Can anyone
| comment?
|
| <%@ WebService Language="C#" Class="Kirk.ForkIt" %>
|
| using System;
| using System.IO;
| using System.Collections;
| using System.Security;
| using System.Web.Services;
| using System.Diagnostics;
|
| namespace Kirk
| {
| public class ForkIt
| {
|
| [WebMethod]
| public string Main()
| {
| Process p = new Process();
| ProcessStartInfo pInfo = new
| ProcessStartInfo(@"c:\windows\system32\whoami.exe" );
|
| SecureString password = new SecureString();
| // set value for password here.
| password.AppendChar('s');
| password.AppendChar('e');
| password.AppendChar('c');
| password.AppendChar('r');
| password.AppendChar('e');
| password.AppendChar('t');
|
| pInfo.UserName = "Administrator";
| pInfo.Password = password;
| pInfo.CreateNoWindow = true;
| pInfo.UseShellExecute = false;
| pInfo.RedirectStandardOutput = true;
|
| p.StartInfo = pInfo;
| p.Start();
|
| String output = p.StandardOutput.ReadToEnd();
| p.WaitForExit();
|
| return output;
| }
| }
| }
|

OS is Windows 2003 Server. I run IE6 and invoke the Web Service via
the Invoke button from the default generator for .asmx files. The asmx
file is also local to the web server; everything is on the same
machine.

I have impersonate set to true in my
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONF IG\web.config file,
and I am logged in as a domain user (DOMAIN/SOFTINFO, same DOMAIN that
the server is in) with Administrative priviledges. When I invoke the
service, Environment.DomainName="SW-WEB"
Environment.UserName="IUSR_SWDEVL2" (SW-WEB is the name of the machine,
SWDEVL2 was the previous name of the machine).

If I remove impersonation from my web.config, the service throws an
exception...Access is Denied. Environment.DomainName="DOMAIN"
Environment.UserName="SYSTEM". Not sure what SYSTEM really means, but
I suppose it doesn't have permission to create processes. Anyway,
that's why I enabled impersonation in the first place (plus it's how my
old ASP stuff works and I like it for our intranet).

I'm no expert, but my understanding is that impersonation will run my
Web Service thread as the client user, however, when my process forks,
it will run as the IIS user. I'm a bit confused, though, becuase I
would expect UserName to be "SOFTINFO" for the case where I have
impersonation turned on. Perhaps you can clarify this.

The Web Service is inline, and running from an Application Pool with
Identity set to Local System. I also set it to Network Service and
witness the same behavior. If I set it to Local Service I get the
following error when I Invoke the Web Service (this is not a problem
for me, but it might be a clue, I don't know):

System.InvalidOperationException: Unable to generate a temporary class
(result=1).
error CS2001: Source file 'C:\WINDOWS\TEMP\qa0vmnpy.0.cs' could not be
found
error CS2008: No inputs specified

at System.Xml.Serialization.Compiler.Compile(Assembly parent, String
ns, CompilerParameters parameters, Evidence evidence)
at
System.Xml.Serialization.TempAssembly.GenerateAsse mbly(XmlMapping[]
xmlMappings, Type[] types, String defaultNamespace, Evidence evidence,
CompilerParameters parameters, Assembly assembly, Hashtable assemblies)
at System.Xml.Serialization.TempAssembly..ctor(XmlMap ping[]
xmlMappings, Type[] types, String defaultNamespace, String location,
Evidence evidence)
at System.Xml.Serialization.XmlSerializer.FromMapping s(XmlMapping[]
mappings, Evidence evidence)
at
System.Web.Services.Protocols.XmlReturn.GetInitial izers(LogicalMethodInfo[]
methodInfos)
at
System.Web.Services.Protocols.XmlReturnWriter.GetI nitializers(LogicalMethodInfo[]
methodInfos)
at System.Web.Services.Protocols.MimeFormatter.GetIni tializers(Type
type, LogicalMethodInfo[] methodInfos)
at System.Web.Services.Protocols.HttpServerType..ctor (Type type)
at System.Web.Services.Protocols.HttpServerProtocol.I nitialize()
at System.Web.Services.Protocols.ServerProtocolFactor y.Create(Type
type, HttpContext context, HttpRequest request, HttpResponse response,
Boolean& abortProcessing)

Thanks,
Kirk

"Kirk" <ki***********@gmail.com> wrote in message
news:11**********************@f14g2000cwb.googlegr oups.com...
| OS is Windows 2003 Server. I run IE6 and invoke the Web Service via
| the Invoke button from the default generator for .asmx files. The asmx
| file is also local to the web server; everything is on the same
| machine.
|
| I have impersonate set to true in my
| C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONF IG\web.config file,
| and I am logged in as a domain user (DOMAIN/SOFTINFO, same DOMAIN that
| the server is in) with Administrative priviledges. When I invoke the
| service, Environment.DomainName="SW-WEB"
| Environment.UserName="IUSR_SWDEVL2" (SW-WEB is the name of the machine,
| SWDEVL2 was the previous name of the machine).
|
Environment.UserName="IUSR_SWDEVL2"
That's an indication that you are impersonating 'the' "anonymous" user.

| If I remove impersonation from my web.config, the service throws an
| exception...Access is Denied. Environment.DomainName="DOMAIN"
| Environment.UserName="SYSTEM". Not sure what SYSTEM really means, but
| I suppose it doesn't have permission to create processes. Anyway,
| that's why I enabled impersonation in the first place (plus it's how my
| old ASP stuff works and I like it for our intranet).
|

That's an indication that you run your asp.net process as localsystem. Note
that you can't create another process using different user credentials (as
you do in your code) from a process that runs as localsystem (W2K3 and XP
SP2).

| I'm no expert, but my understanding is that impersonation will run my
| Web Service thread as the client user, however, when my process forks,
| it will run as the IIS user. I'm a bit confused, though, becuase I
| would expect UserName to be "SOFTINFO" for the case where I have
| impersonation turned on. Perhaps you can clarify this.
|

Yes, taht's because you haven enabled Windows authentication while
impersonating (see you web.config file), so you are impersonating the
default "anonymous" user which has the form IUSR_XXXXX, where XXXXX is the
machine name.

| The Web Service is inline, and running from an Application Pool with
| Identity set to Local System. I also set it to Network Service and
| witness the same behavior. If I set it to Local Service I get the
| following error when I Invoke the Web Service (this is not a problem
| for me, but it might be a clue, I don't know):
|

"Local Service" or (better) "local network" must be granted access rights to
the TEMP folder and a couple of other folder too.
Note that all of these question can better be answered when you post to the
asp or aspnet NG's, this NG is for C# only.
Willy.

Thanks. Your reply, some sleep, and a fresh pot of coffe have alerted
me to the fact that my virtual directory under IIS was set to allow
anonymous access -- not what I intended. So...I set it to integrated
Windows auth and now I see the DOMAIN user in Environment.UserName when
I invoke the service (as expected). However, I get an Access is Denied
exception when I try to start the process when I set the
ProcesStartInfo UserName and Password to the local Administrator
account. If I don't set UserName and Password in ProcessStartInfo,
then the service runs fine. In that case, I see UserName is the domain
user I logged in as when challenged from the browser, and whoami.exe
returns "nt authority / system".

I suspect the issue is what you said: "Note that you can't create
another process using different user credentials (as you do in your
code) from a process that runs as localsystem (W2K3 and XP SP2)." I
assume the solution is to use an Application Pool to run the Web
Service in a process owned by a different user. So I set the
Configurable Identity section of the App Pool properties to use Local
Administrator (and added Administrator to the IIS_WPG group, and
granted user rights as specified here:
http://www.microsoft.com/technet/pro.../appisoa.mspx).
Now when I invoke without UserName set, whoami tells me it is the
local Administrator as expected. But if I set UserName, I still get
Access is Denied. What other access do I need to grant local
Administrator to allow it to create this process as a different user?

I will cross-post this to the aspnet NG.

Thanks, again.
Kirk

Willy, I hope you haven't given up on me. I'm getting no responses
from the other newsgroups. Do you have any further suggestions for me?

Thanks,
Kirk

"Kirk" <ki***********@gmail.com> wrote in message
news:11**********************@g43g2000cwa.googlegr oups.com...
| Thanks. Your reply, some sleep, and a fresh pot of coffe have alerted
| me to the fact that my virtual directory under IIS was set to allow
| anonymous access -- not what I intended. So...I set it to integrated
| Windows auth and now I see the DOMAIN user in Environment.UserName when
| I invoke the service (as expected). However, I get an Access is Denied
| exception when I try to start the process when I set the
| ProcesStartInfo UserName and Password to the local Administrator
| account. If I don't set UserName and Password in ProcessStartInfo,
| then the service runs fine. In that case, I see UserName is the domain
| user I logged in as when challenged from the browser, and whoami.exe
| returns "nt authority / system".
|
| I suspect the issue is what you said: "Note that you can't create
| another process using different user credentials (as you do in your
| code) from a process that runs as localsystem (W2K3 and XP SP2)." I
| assume the solution is to use an Application Pool to run the Web
| Service in a process owned by a different user. So I set the
| Configurable Identity section of the App Pool properties to use Local
| Administrator (and added Administrator to the IIS_WPG group, and
| granted user rights as specified here:
|
http://www.microsoft.com/technet/pro.../appisoa.mspx).
| Now when I invoke without UserName set, whoami tells me it is the
| local Administrator as expected. But if I set UserName, I still get
| Access is Denied. What other access do I need to grant local
| Administrator to allow it to create this process as a different user?
|
| I will cross-post this to the aspnet NG.
And who's the user you set, is it a local user?
If it's a local user, can he launch the command from the command line (using
runas)
Willy.

I tried domain users as well as the local (server) administrator
account, which I thought for sure should work since that's what the
pool is running as, but still no luck. I can run "runas
/user:Administrator "c:\windows\system32\whoami.exe" no problem. (I
can see that it is in fact running if I runas a batch file that calls
whoami.exe over and over so the cmd box doesn't disappear right away.)
I can also run it as domain users (I tried using a domain account
instead of Administrator to manage the pool, but that didn't help).

A quick recap of my config and stuff just to check sanity:

* Windows Server 2003 with .NET 2.0 SDK installed
* IIS virtual directory for web_services set to integrated Windows
authentication
* web_services use app pool WebServices
* WebServices app pool sets Identity Configurable: local server
Administrator account
* (I also ran aspnet_regiis.exe -ga on Administrator just in case)
* Impersonate set to true in web.config; authentication Windows
* Browser connects to aspx page as a separate domain user with access
to aspx file

My basic web service to invoke whoami.exe works fine with this config
unless you set UserName and Password on ProcessStartInfo. All
UserNames will fail, but most striking is the local server
Administrator also fails (even though that's what the pool uses). The
result is an Access is Denied exception from Process.Start.

Thanks,
Kirk

"Kirk" <ki***********@gmail.com> wrote in message
news:11**********************@o13g2000cwo.googlegr oups.com...
|I tried domain users as well as the local (server) administrator
| account, which I thought for sure should work since that's what the
| pool is running as, but still no luck. I can run "runas
| /user:Administrator "c:\windows\system32\whoami.exe" no problem. (I
| can see that it is in fact running if I runas a batch file that calls
| whoami.exe over and over so the cmd box doesn't disappear right away.)
| I can also run it as domain users (I tried using a domain account
| instead of Administrator to manage the pool, but that didn't help).
|
| A quick recap of my config and stuff just to check sanity:
|
| * Windows Server 2003 with .NET 2.0 SDK installed
| * IIS virtual directory for web_services set to integrated Windows
| authentication
| * web_services use app pool WebServices
| * WebServices app pool sets Identity Configurable: local server
| Administrator account
| * (I also ran aspnet_regiis.exe -ga on Administrator just in case)
| * Impersonate set to true in web.config; authentication Windows
| * Browser connects to aspx page as a separate domain user with access
| to aspx file
|
| My basic web service to invoke whoami.exe works fine with this config
| unless you set UserName and Password on ProcessStartInfo. All
| UserNames will fail, but most striking is the local server
| Administrator also fails (even though that's what the pool uses). The
| result is an Access is Denied exception from Process.Start.
|
| Thanks,
| Kirk
|

Ok, may I suggest you to:
1. turn-on logon auditing using the "local security policy" editor (local
polcies/audit policy account and event logon)
2. try several scenario's, and ...
3. watch the security log in eventviewer.
Willy.

All audits pass. With impersonation off, the process starts as the
C#-specified user, but hangs. I can see it running as the C#-specified
user in Task Manager. There is another poster in framework.aspnet, so
hopefully he has some other ideas. Thanks, Willy, for your help.