IExtractImage, Impersonation, GDI and "access denied" for non-local admins

Discussion in 'ASP .Net Security' started by Jonathan Trevor, Jul 1, 2004.

  1. Hi,

    We're using the IExtractImage interface from behind a .NET web service to
    generate thumbnails for various files in our network (Windows domain).
    Impersonating etc. is all ok - if a user logs into the web service we can
    open the file, delete the file, etc. Everything behaves as expected.

    However, we cannot generate thumbnails for PowerPoint (etc.) using
    IExtractImage if the user is not a local admin on that server machine,
    receiving a win32 error code which corresponds to "Access denied". If the
    user logging into the web service is given *local* admin rights on the
    server, then the IExtractImage succeeds for any file (local or networked).
    However, that's not something we want to do!

    I'm really unsure what the problem is. No matter whether the user is local
    admin or not, they can do everything with the domain accessible files (UNC
    identified) they would normally be able to do. In the thumbnail code
    everything seems on track - we get the PIDLs ok, GetLocation returns fine
    but the final extract image call (in the impersonated process) on the
    IExtractImage interface returns "Access denied" - and the error goes away
    when local admin rights are granted on the server for that user (so nothing
    to do with network permissions).

    I have several thoughts on the issue but no real idea which is correct or
    how to go about addressing the hypotheses:
    (a) some temporary file is being created on the server machine by the
    Extract call
    (b) that the GDI is being (presumably) used to create the bitmap (handle
    returned by the Extract call) and somehow the Extract thread can't create it
    (c) there is some side-effect of being in the local admin group which is
    necessary

    I thought that some threading issue may be to blame (Extract running under a
    different COM thread) but that doesn't really correlate with the problem
    going away when the user is made local admin.

    Thoughts?
    Jonathan
    Jonathan Trevor, Jul 1, 2004
    #1

  2. Sorry, this is a little bit off topic. Have you been able to extract an
    image of an HTML file?

    Chad


    Chad A. Beckner, Jul 2, 2004
    #2

  3. As an update I had a minor brainwave after posting this w.r.t. option (a)
    and started monitoring the entire filesystem during the Extract call to the
    IExtractImage interface using a great utility from Sysinternals. It looks
    like Microsoft Office (or whatever implements that interface) uses
    windows/temp to write a temporary file during the extraction. Giving the
    user permission to write to that directory solves the problem. It seems like
    a bug in the way Office implements the thumbnailing code.

    Oh, and we do have problems getting HTMLs to thumbnail too. I suspect it's
    another equivalent problem under impersonation where the IExtractImage
    implementation is assuming some permissions which have not been set.

    Jonathan

    Jonathan Trevor, Jul 8, 2004
    #3
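
A diagnostic for the finding in post #3, added here as an example and not part of the original thread: it checks, on the impersonating thread, whether the caller can create a file in the temp directories an in-process component may use. The class name `TempWriteProbe`, its methods and the `C:\Windows` fallback are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added diagnostic sketch (not from the thread). Call Probe() on the request
// thread once impersonation is in effect, just before the Extract call.
public static class TempWriteProbe
{
    // Directories an in-process component may use for scratch files.
    // TMP/TEMP come from the process environment block, which impersonation
    // does not swap, so they reflect the service account, not the caller.
    public static string[] CandidateDirs()
    {
        string winTemp = Path.Combine(
            Environment.GetEnvironmentVariable("SystemRoot") ?? @"C:\Windows", "Temp");
        return new[] { Path.GetTempPath(), winTemp };
    }

    // True if the identity on the current thread can create and delete a file in dir.
    public static bool CanWrite(string dir, out string error)
    {
        string probe = Path.Combine(dir, "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            // DeleteOnClose removes the probe file as soon as the stream is disposed.
            using (new FileStream(probe, FileMode.CreateNew, FileAccess.Write,
                                  FileShare.None, 1, FileOptions.DeleteOnClose)) { }
            error = null;
            return true;
        }
        catch (UnauthorizedAccessException ex) { error = ex.Message; }
        catch (IOException ex) { error = ex.Message; }
        return false;
    }

    public static void Probe(TextWriter log)
    {
        // GetCurrent() returns the thread token while the thread is impersonating.
        log.WriteLine("Thread identity: " + WindowsIdentity.GetCurrent().Name);
        foreach (string dir in CandidateDirs())
        {
            string error;
            bool ok = CanWrite(dir, out error);
            log.WriteLine("{0}: {1}", dir, ok ? "writable" : "DENIED (" + error + ")");
        }
    }
}
```

A "DENIED" line for a non-admin caller points to a directory ACL that can be widened for that user or group, which is the narrower fix the thread arrives at instead of local admin membership.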
