DPAPI Enterprise Services Example

Bill Heckle

I am trying to work through the sample from MSDN, "How To Use DPAPI (User
Store) from ASP.NET with Enterprise Services". I thought I had everything
configured correctly. I tried to test the service and get the following
error. (Sorry for including every line). I am confused as to what setting is
incorrectly set. Additionally, the paragraph on giving ASP.NET access doesn't
help me at all. Thanks for help, as I don't want to keep thrashing about. Any
advice on where to read more about security in general is appreciated.

Exception Details: System.UnauthorizedAccessException: Access is denied.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or
Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET write access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the boxes
for the desired access.

Source Error:
Line 59: private void btnEncrypt_Click(object sender, System.EventArgs e)
Line 60: {
Line 61: DataProtectorComp dp = new DataProtectorComp();
Line 62: try
Line 63: {

Source File: c:\documents and settings\bill\vswebcache\billfun\dpapiweb\webform1.aspx.cs Line: 61

Stack Trace:

[UnauthorizedAccessException: Access is denied.]
System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, IntPtr errorInfo) +0
System.EnterpriseServices.Thunk.Proxy.CoCreateObject(Type serverType, Boolean bQuerySCInfo, Boolean& bIsAnotherProcess, String& uri) +581
System.EnterpriseServices.ServicedComponentProxyAttribute.CreateInstance(Type serverType) +181
System.Runtime.Remoting.Activation.ActivationServices.IsCurrentContextOK(Type serverType, Object[] props, Boolean bNewObj) +74
DPAPIWeb.WebForm1.btnEncrypt_Click(Object sender, EventArgs e) in c:\documents and settings\bill heckle\vswebcache\billfun\dpapiweb\webform1.aspx.cs:61
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +1277
 
Paul Glavich [MVP - ASP.NET]

Looks like you are using a ServicedComponent in COM+? That may complicate
things a little but you may need to give read/write access to whichever user
you are running under (might be ASPNET, NETWORK SERVICE, or the defined
identity in COM+) to your
"\Document And Settings\{user}\ApplicationData\Crypto" directory.

--
- Paul Glavich
Microsoft MVP - ASP.NET



Paul Glavich [MVP - ASP.NET]

Sorry, correction to my last post, the path to the directory is :-
\Documents and Settings\All Users\Application Data\Microsoft\Crypto

or even just

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

I think may do the trick.

--
- Paul Glavich
Microsoft MVP - ASP.NET
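
One way to check, before changing any permissions, what the accounts mentioned in the replies above currently hold on the two directories named there. This is an added example, not part of the original posts; the system-drive prefix, the account list and the function name Get-DirectFileRights are assumptions, and only ACEs that name the account directly are evaluated.

```powershell
# Added example (not from the thread): report the rights that ACEs naming an
# account directly grant or deny on the two directories named in the post.
# Assumptions: the system-drive prefix and the account list below.
$cryptoRoot = "$env:SystemDrive\Documents and Settings\All Users\Application Data\Microsoft\Crypto"
$paths      = @($cryptoRoot, (Join-Path $cryptoRoot 'RSA\MachineKeys'))
$accounts   = @("$env:COMPUTERNAME\ASPNET", 'NT AUTHORITY\NETWORK SERVICE')
# Add the COM+ application's configured identity to $accounts if it runs
# as a named account.

function Get-DirectFileRights {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account
    )
    # Bit mask for the read/write access the post talks about.
    $needed    = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'
    $allow     = 0
    $deny      = 0
    $allowText = @()
    $denyText  = @()

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Only ACEs that name the account itself. Rights that arrive through
        # group membership (Users, Everyone, ...) are not resolved here.
        if ($ace.IdentityReference.Value -ine $Account) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow      = $allow -bor [int]$ace.FileSystemRights
            $allowText += "$($ace.FileSystemRights)"
        } else {
            $deny      = $deny -bor [int]$ace.FileSystemRights
            $denyText += "$($ace.FileSystemRights)"
        }
    }

    # A Deny ACE removes the matching bits from whatever was allowed.
    $effective = $allow -band (-bnot $deny)

    [pscustomobject]@{
        Path         = $Path
        Account      = $Account
        Allowed      = $allowText -join '; '
        Denied       = $denyText -join '; '
        HasReadWrite = (($effective -band $needed) -eq $needed)
    }
}

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not found: $p"
        continue
    }
    foreach ($a in $accounts) {
        Get-DirectFileRights -Path $p -Account $a
    }
}
```

An empty Allowed column with HasReadWrite False means no ACE names that account directly; it may still have access through a group.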



Bill Heckle

Paul,

Thank you very much for responding. I tried changing the account that COM+
used to activate the component. I switched it to my development account. I
got a new error saying that the registry key,
HKEY_CLASSES_ROOT\DPAPIComp.DataProtectorComp, could not be accessed. I
looked at the permissions for the key and believe every account that matters
has access. Obviously, I am wrong. Any thoughts would be helpful. Currently
the following accounts and roles have access:
Administrators, Application Test Center, aspnet_wp account (ASPNET), my
development account, OWNER, DPAPIAccount (my original COM+ activation account),
local service, service, network, power users, system and users.

Thanks.


Paul Glavich [MVP - ASP.NET]

Just as a test, try giving Internet applications "Full Trust" via the
machine policy in .Net framework configuration. (Start --> Control Panel -->
Administrative Tools --> .Net framework config then Expand 'Runtime
Security Policy' --> Machine --> Code Groups -> All Code --> Internet
Zone --> Right click --> Properties --> Go to permissions set tab, select
Full trust). By default, ASP.NET web apps only have limited access via this
policy and certainly don't have "interop" permissions. It looks as though you
might be getting denied access when trying to do interop.

--
- Paul Glavich
Microsoft MVP - ASP.NET



Martin

Hi Bill,

I'm going through the same process, but am stuck at trying to start the
service - I get error 5: access is denied.

The local account I configured for this has Log on as batch job and log on
locally rights.

The service starts ok if I make the account a member of administrators, so
that rules out code errors.

Do you have any tips for me on this?

Thanks in advance
Martin
