Calling a batch file from IE using asp and vbscript

[Mark C.]

I'm trying to call a batch file that I've built using the FileSystemObject
and CreateObject("Wscript.Shell"), oShell.Run... in an asp script.
Naturally, I can get the script to work from a command line but not from a
browser. The page does not throw an error but the oShell.Run... portion of
the script doesn't run. Any help would be appreciated. Thanks.

 

[Aaron [SQL Server MVP]]

The problem is that IIS runs ASP pages by default in the context of
IUSR_machineName, a very low-level user with few privileges and virtually no
system access.

You need to either set the IIS application to run in the context of a
privileged user, change the application to run as windows authenticated and
not anonymous (and then authenticate as a privileged user), or add
IUSR_machineName to a group with enough privileges to execute the batch
file.

Of course, each of these options can potentially become a security hole
without proper precautions.

So, what I tend to recommend in cases like this is to add the requested task
to a queue (e.g. in a database), and have a scheduled task wake up and pick
up new tasks from the queue. Then you don't have to worry about the
privileges you're exposing directly to your web page, and you can easily set
the job to run in the context of any user you like and on any schedule you
like...

 

[Mark C.]

Aaron,

Thanks very much for your response. Unfortunately, I had already tried
using Windows Integrated Authentication while using a privileged account and
I tried changing the account from IUSR_MachineName to a privileged network
account and neither option worked. The app seems to run, the batch file is
created, but it fails to run. As a workaround I have been using a scheduled
task to run the file at the top of every hour but now a different sort of
security concern having to do w/ our portal software renders my scheduled
task obsolete. Could you be kind enough to elaborate on your solution w/ the
database/queue and the scheduled task. I'm not quite sure that I understand
what you're getting at. Thanks again.

 

[Aaron [SQL Server MVP]]

Does your batch file call any code that raises a prompt or other kind of
visible GUI? Have you looked at http://www.aspfaq.com/2059 ?

I don't know if I can explain the scheduled task process better without
actually building it. That's on my to do list...

--
http://www.aspfaq.com/
(Reverse address to reply.)

 

[Mark C.]

The batch file maps a drive and uses cacls to apply permissions to a folder.
It does not raise a prompt or any other GUI. And thanks for the reference to
www.aspfaq.com/2059, which I read. I've also tried simply maping a drive
w/out the attempt to apply permissions and the same thing happens, or, more
accurately, doesn't happen. Thanks again for your help.

 

[Ray Costanzo [MVP]]

Try using basic authentication for testing purposes. If that works, check
out:

http://support.microsoft.com/?kbid=287537
http://support.microsoft.com/?kbid=264921

With integrated authentication, you cannot "daisy-chain" that authentication
from the IIS server to another server, afaIk. So, if you're trying to run a
script on the server that's accessing another server, i.e. mapping a drive
(why?), I ~believe~ you cannot use integrated authentication then.

Ray at home

 

[Mark C.]

Thanks for your response. Unfortunately, I've tried Basic Authentication,
logging in w/ a privileged account, and the behavior is the same. That is,
nothing happens. Why I would want to map a drive is a good question. The
drive mapping is superfluous. I was just trying to get the script to do
something -- anything. The main purpose of the script is to apply
permissions through cacls, which won't work either, though the script works
fine from a command prompt. Thanks again.

 

[Ray Costanzo [MVP]]

How do you know that it isn't mapping the drive? How about net
sending? Try a batch file like this:

net send theNameOfYourComputer "Hi, I'm your Web server."

I'm kinda jumping in after missing the beginning of this thread, so
I'm not sure what you've tried so far or what else is going on.
Sorry about that.

Ray at work

 

[Aaron [SQL Server MVP]]

I agree with Ray... start with calling a batch file that does something
incredibly simple and trivial, locally. THEN graduate to more complex
activities...

--
http://www.aspfaq.com/
(Reverse address to reply.)

 

[Mark C.]

After I run the script, which includes "net use T: \\<server name>\<share
name>" and go to a DOS prompt and try to access the T: drive, there is no T:
drive. If I manually run the script from a DOS prompt, no problem -- the
drive is mapped and the permissions are applied. If I alter the script and
omit the drive mapping and apply the permissions (w/ cacls) to a local folder
(that is, the web server) the thing works like a charm. It's only when I try
to do anything on another server that it refuses to work. Seems like it has
to be a permissions issue, but I've tried various authentication methods,
including running the app in IIS under a domain admin account, but nothing
works. Thanks for your help

 

[Ray Costanzo [MVP]]

How are you trying to access the T drive? Are you sitting at the
server? Have you tried taking things back a few steps as suggested?
When you get to the step of modifying ACLs, I suggest using UNC
paths. But for now, can you verify that your batch is running?

net send yourcomputer I ran
echo I
ran>C:\Path\Which\Has\FullControl\For\Everyone\Permissions\test.txt

Ray at work

 

[Mark C.]

I have a terminal server session to the web server, so that's how I know that
no drive is being mapped. As I mentioned in a previous thread, the drive
mapping is superfluous, and I am using a UNC path to attempt to apply
permissions (cacls \\<server name>\<share name>\<folder to which to apply
permissions> /T /E /G <domain>\<user name>:C. Also, as I mentioned earlier,
the script runs fine from a browser if the script that is called to apply
the permissions does so on a folder on the web server. The script is indeed
being called but it works only on the web server. The line above that
attempts to apply the permissions on another server, if called from a
browser, does not work. Thanks again for your help. I apologize for not
being specific enough.

 

[io]

After I run the script, which includes "net use T: \\<server
name>\<sharename>"


G'day Mark,

You may be able overcome the problem by extending the NET command with
explicit name and password of the user who does have permissions to map a
drive to remote server (when you run your script from DOS prompt it uses
credentials of a currently logged user, most likely with administrative
privileges).

Your modified NET command will look like this:

NET USE X: \\<server name>\<share name> /USER:<user name> <password>
/PERSISTENT:[YES | NO]

It is, of course, not an ideal solution, but you can create a dedicated
local user account and refine its privileges as you like.

Cheers

 

[mike_vames]

hi
i'm also facing a similar issue in my project.
were you able to get any solution for the above issue
thanxs in advance,
Mike

**********************************************************************
Sent via Fuzzy Software @ http://www.fuzzysoftware.com/
Comprehensive, categorised, searchable collection of links to ASP & ASP.NET resources...

 

[Evertjan.]

(e-mail address removed) wrote on 25 jan 2005 in
microsoft.public.inetserver.asp.general:

hi
i'm also facing a similar issue in my project.
were you able to get any solution for the above issue
thanxs in advance,

This is not mail, but usenet.

I see nothing "above".

according to netiquette, don'd expect us to look back to previous posts
that may or may not be kept on a local news server, but sparingly topquote
or interquote relevant text you are replying on.