invoking .NET class library from ASP2.0 (Classic)

Discussion in 'ASP General' started by Patrick, Nov 8, 2004.

  1. Patrick

    Patrick Guest

    Following earlier discussions about invoking a .NET class library via
    .NET-COM Interop (using regasm /tlb) at
    http://groups.google.com/groups?hl=...elm=%23Van7eSrEHA.4004%40TK2MSFTNGP10.phx.gbl

    I have concluded that with my .NET class library (following the suggestions,
    namely setting the marshal type, etc.), I can
    1) Invoke public methods in the class library from VBScript
    2) Invoke public methods in the class library from ASP in IIS5.1 on Windows
    XP Professional SP2 provided that
    2.1) The process level is set to LOW (to get the IIS process running as the
    high privilege Local System Account).

    2.1 is probably not what I wanted. So I started investigating what
    permission I need by running FileMon from
    http://www.sysinternals.com/ntw2k/source/filemon.shtml .

    1) Initial attempts showed access denied on
    %SYSTEMROOT%\temp\Microsoft.NET\Framework\v1.1.4322\csc.exe
    2) When I relaxed ACL to allow IWAM_MachineName read access to csc.exe:
    3) FileMon starts reporting Access is denied when trying to read on my
    %SYSTEMROOT%\temp
    4) when I relaxed ACL to allow IWAM_MachineName read access to this temp
    directory
    5) Access is denied is logged when the process tries to *Create*!! a
    C:\Documents and Settings\Default User\Application Data\Microsoft\CLR
    Security Config\v1.1.4322\security.config.cch.new !

    I thought hang on a minute...., where is this going to end? ASP.NET
    application runs also as IWAM_MachineName and I don't have to keep on
    relaxing security? What is the least I could do (i.e. least permission I
    need to give to IWAM_MachineName) to enable ASP to run a .NET Class library
    via interop?

    Note
    1) If I
    1.1) turn OFF anonymous access on the ASP directory (from IIS Manager)
    1.2) Turn on only integrated windows authentication
    1.3) Try to load the ASP, logging in as someone with Admin rights on the IIS
    Server
    1.4) The page loads up displaying error '80070002', when it tries to
    instantiate using CreateObject a .NET Object

    2) If I
    2.1) turn ON anonymous access on ASP Directory (from IIS Manager)
    2.2) Turn off integrated windows authentication
    2.3) Try to load the ASP
    2.4) The page loads up displaying error '80070002', when it tries to
    instantiate using CreateObject a .NET Object

    3) If I
    3.1) Add IUSR_MachineName and IWAM_MachineName to the Local admin group,
    reset IIS
    3.2) Turn on ONLY Anonymous access on IIS Manager
    3.3) Try to load the ASP
    3.4) The page loads up displaying error '80070002', when it tries to
    instantiate using CreateObject a .NET Object
     
    Patrick, Nov 8, 2004
    #1

  2. Patrick

    [MSFT] Guest

    Hello Patrick,

    ASP.NET is different from classic ASP; it will use the account "ASPNET" or
    "network service", not IUSR or IWAM as in ASP. To run a .NET component, we
    need permission on many folders, as you have found, such as the Windows folder,
    temp folder and .NET Framework folder.

    When you perform the three tests, what is the protection level you set in
    IIS?

    (An adventurous idea is to upgrade your application to ASP.NET. In most
    cases, we can just rename the .ASP file to .ASPX and then run it under
    ASP.NET.)


    Luke
     
    [MSFT], Nov 9, 2004
    #2

  3. Patrick

    Patrick Guest

    I don't seem to find the minimum set of requirements needed to run a .NET
    interop class library (after putting it in the GAC and regasm /tlb) from ASP
    anywhere on the Microsoft or MSDN site. Luke, could you shed some light as
    to
    - the minimum set of folder permissions needed for IWAM_MachineName
    - the minimum set of folder permissions needed for IUSR_MachineName
    - the minimum set of registry permissions needed for IWAM_MachineName
    - the minimum set of registry permissions needed for IUSR_MachineName
    - the minimum set of other permissions required

    Considering the large set of ASP files and include files present, and the
    amount of regression tests required, porting to ASPX is probably not a good
    option for now!

     
    Patrick, Nov 9, 2004
    #3
  4. Patrick

    Patrick Guest

    Furthermore, if within my .NET Class library, I try to write to just the
    Application Log of EventViewer using an *Existing* Event Source (I know
    more permissions are required to get EventSource created), using the
    following very simple code snippet, I get permissions error as stated below.

    Note, I have made IUSR_MachineName and IWAM_MachineName a member of local
    administrators group on IIS5.1 on Windows XP Professional SP1 with .NET
    Framework 1.1

    --------------------------Start of code snippet--------------------------
    EventLog objEventLog;
    objEventLog = new EventLog();
    objEventLog.Log = "Application";
    objEventLog.Source = "ASP.NET 1.1.4322.0";
    objEventLog.WriteEntry("i am here");
    --------------------------End of code snippet--------------------------

    --------------------------Start of Error--------------------------
    System.InvalidOperationException: Cannot open log for source {0}. You may
    not have write access. ---> System.ComponentModel.Win32Exception: Access is
    denied
    --- End of inner exception stack trace ---
    at System.Diagnostics.EventLog.OpenForWrite()
    at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
    EventLogEntryType type, String[] strings, Byte[] rawData)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type, Int32 eventID, Int16 category)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type, Int32 eventID)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type)
    at System.Diagnostics.EventLog.WriteEntry(String message)
    at MyOrg.web.publications.Order.UpdateOrderObject(SimpleOrderData order)
    at MyOrg.web.publications.Order.PlaceOrder(SimpleOrderData order)
    --------------------------End of Error--------------------------

     
    Patrick, Nov 9, 2004
    #4
  5. Patrick

    [MSFT] Guest

    I didn't find a public document which lists this exactly. The following article
    may help some:

    How to set required NTFS permissions and user rights for an IIS 5.0 Web
    server
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q271071

    If you don't want to run the ASP application under Low protection level: I
    think you may consider creating a COM+ component calling the .NET assembly,
    and then call the COM+ Component in ASP. A COM+ application can run within
    different process and under different user account. Or you can create a
    COM+ application in .NET directly:

    HOW TO: Create a Serviced .NET Component in Visual C# .NET
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306296

    Luke
     
    [MSFT], Nov 10, 2004
    #5
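
An added example, not part of the original thread and not code from either poster, showing the serviced-component route suggested in the post above: a small COM+ server application that classic ASP can call so the event-log write happens out of process. The names `AspBridge`, `EventLogWriter`, `AspBridgeSource` and the key file `AspBridge.snk` are assumptions, and the event source is assumed to have been created once by an administrator at install time.

```csharp
// Added example: assumed names are AspBridge, EventLogWriter, AspBridgeSource, AspBridge.snk.
using System;
using System.Diagnostics;
using System.EnterpriseServices;
using System.Reflection;
using System.Runtime.InteropServices;

// Server activation: COM+ hosts the component in its own dllhost.exe under the
// identity configured on the COM+ application, not under IWAM_MachineName.
[assembly: ApplicationName("AspBridge")]
[assembly: ApplicationActivation(ActivationOption.Server)]
// Keep COM+ access checks on; the ASP caller accounts must be placed in a role
// on this application before they can activate the component.
[assembly: ApplicationAccessControl(true)]
// Serviced components must be strong-named; the key file name is a placeholder.
[assembly: AssemblyKeyFile("AspBridge.snk")]

namespace AspBridge
{
    // Late-bound (IDispatch) access is all that Server.CreateObject in ASP needs.
    [ComVisible(true)]
    [ProgId("AspBridge.EventLogWriter")]
    [ClassInterface(ClassInterfaceType.AutoDispatch)]
    public class EventLogWriter : ServicedComponent
    {
        // Pre-registered source, so the runtime identity only needs write access
        // to the Application log and never has to create a source itself.
        private const string Source = "AspBridgeSource";
        private const int MaxMessageLength = 2048;

        // Returns true when the entry was written, false otherwise.
        public bool WriteInfo(string message)
        {
            if (message == null || message.Length == 0) return false;
            // Bound caller-supplied text before it reaches the log.
            if (message.Length > MaxMessageLength)
                message = message.Substring(0, MaxMessageLength);
            try
            {
                EventLog.WriteEntry(Source, message, EventLogEntryType.Information);
                return true;
            }
            catch (Exception)
            {
                // Report failure as a status; no exception detail goes back to the page.
                return false;
            }
        }
    }
}
```

After registering the assembly with regsvcs, the identity on the COM+ application can be a dedicated account granted only what the component needs, and the ASP page calls it with `Server.CreateObject("AspBridge.EventLogWriter")`.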
  6. Patrick

    Patrick Guest

    The Microsoft Article
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q271071 does not
    state *Specific Minimum* permissions required to run .NET Interop from ASP
    or that required to write to the Event Log (using an existing Event Source)

    I think I have the following options (please correct me if I am wrong)
    1) Run the ASP App Process Protection Level to "Low" + Make IWAM_MachineName
    and/or IUSR_MachineName users Administrators
    2) Instead of invoking a .NET class library via interop (regasm /tlb), make
    the .NET Class library a COM+ (ActivationOption.Server)
    3) Instead of invoking a .NET class library via interop (regasm /tlb), make
    a VB6 COM+ which invoke the .NET Class library via interop
    (ActivationOption.Server)

    Note the following issues!!!
    i) 2 and 3 are not going to work out in my particular scenario because the
    class library is actually a .NET Web Service proxy client class library that
    inherits from Microsoft.Web.Services2.WebServicesClientProtocol

    ii) ASPNET, IUSR_MachineName and IWAM_MachineName are already made
    administrators on the IIS server

    iii) With IIS Process Protection set to Low, I can get the .NET class
    library invoked from ASP, but when I set it to Medium, it doesn't. Using
    FileMon and RegMon from http://www.sysinternals.com/ntw2k/utilities.shtml, I
    figure out that there are loads of file/folder access is denied errors by
    IWAM_MachineName (I can't find any MSDN articles which state what
    folder/file permissions are required to invoke a .NET class library via .NET
    Interop from ASP 2.0 [classic])

    iv) With the relaxed permissions (ASPNET, IUSR_MachineName and
    IWAM_MachineName made administrators, low IIS process protection), I still
    cannot write to the event viewer from the .NET class library using an
    *Existing* Event Source
    e.g.
    objEventLog = new EventLog();
    objEventLog.Log = "Application";
    objEventLog.Source = "ASP.NET 1.1.4322.0";
    objEventLog.WriteEntry("Test",EventLogEntryType.Information);

    I get the following exceptions
    --------------------------Start of Error--------------------------
    System.InvalidOperationException: Cannot open log for source {0}. You may
    not have write access. ---> System.ComponentModel.Win32Exception: Access is
    denied
    --- End of inner exception stack trace ---
    at System.Diagnostics.EventLog.OpenForWrite()
    at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
    EventLogEntryType type, String[] strings, Byte[] rawData)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type, Int32 eventID, Int16 category)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type, Int32 eventID)
    at System.Diagnostics.EventLog.WriteEntry(String message,
    EventLogEntryType type)
    at System.Diagnostics.EventLog.WriteEntry(String message)
    at MyOrg.web.publications.Order.UpdateOrderObject(SimpleOrderData order)
    at MyOrg.web.publications.Order.PlaceOrder(SimpleOrderData order)
    --------------------------End of Error--------------------------

    v) I can confirm that with a simple ASPX page as follows without
    impersonation:
    ------------------------------Start of eventLogTest.aspx------------------------------
    <%@Import Namespace="System.Diagnostics" %>
    <%@Import Namespace="System.Web" %>
    <%@ Page language="c#" AutoEventWireup="true" EnableSessionState="False" %>
    <HTML>
    <HEAD>
    <title>event log test</title>
    </HEAD>
    <body>
    <%
    try
    {
        EventLog objEventLog;

        objEventLog = new EventLog();
        objEventLog.Source = "Application";

        objEventLog.WriteEntry("Test message",EventLogEntryType.Information);
    }
    catch (Exception e)
    {
    %>
    <%= e.ToString()%>
    <%
    } //end try%>
    </body>
    </html>
    ------------------------------end of eventLogTest.aspx------------------------------

    So, the ultimate questions are
    1) How could I get a .NET class library to write to the event log using an
    existing event source when the class library is invoked from ASP 2.0
    (classic)?
    2) What is the simplest and most secure way of allowing a .NET class library to
    be invoked from ASP 2.0 (Classic)?


     
    Patrick, Nov 10, 2004
    #6
  7. Patrick

    [MSFT] Guest

    Hi Patrick,

    As far as I know, to write to the system event log, the account should have full control
    of the following:

    /Windows/System32
    System temp folder

    And you must change the registry value
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\RestrictGuestAccess
    from a 1 to a 0. You must reboot for the change to take
    effect.

    However, if you use a .NET component to access the event log, the account also
    should have permission on the .NET Framework folder.

    Can you let me know why you don't want to leave the application protection
    level as "low"? If "low" is impossible, you may set it to "high". Then
    open Administrative Tools/Component Services/Computers/My Computer/COM+
    Applications; you will notice a COM+ application has been created for the
    virtual folder. Right-click it and select Properties/Identity; you can specify
    a powerful account here. When the application protection level is set to
    high, it will use this account. You may add this account to the administrators
    group to test again.

    Luke
     
    [MSFT], Nov 11, 2004
    #7
