invoking .NET class library from ASP2.0 (Classic)

[Patrick]

Following earlier discussions about invoking a .NET class library via
..NET-COM Interop (using regasm /tlb) at
http://groups.google.com/groups?hl=...elm=%23Van7eSrEHA.4004%40TK2MSFTNGP10.phx.gbl

I have concluded that my .NET class library (following the suggestions.
namely setting the marshall type, etc.) , I can
1) Invoke public methods in the class library from VBScript
2) Invoke public methods in the class library from ASP in IIS5.1 on Windows
XP Profesional SP2 provided that
2.1) The process level is set to LOW (to get the IIS process running as the
high priviledge Local System Account).

2.1 is probably not what I wanted. So I started investigating what
permission I need by running FileMon from
http://www.sysinternals.com/ntw2k/source/filemon.shtml .

1) Initial attempts showed access denied on
%SYSTEMROOT%\temp\Microsoft.NET\Framework\v1.1.4322\csc.exe
2) When I relaxed ACL to allow IWAM_MachineName read access to csc.exe:
3) FileMon start reporting Access is defined when trying to read on my
%SYSTEMROOT%\temp
4) when I relaxed ACL to allow IWAM_MachineName read access to this temp
directory
5) Access is denied is logged when the process tries to *Create*!! a
C:\Documents and Settings\Default User\Application Data\Microsoft\CLR
Security Config\v1.1.4322\security.config.cch.new !

I thought hang on a minute...., where is this going to end? ASP.NET
application runs also as IWAM_MachineName and I don't have to keep on
relaxing security? What is the least I could do (i.e. least permision I
need to give to IWAM_MachineName) to enable ASP to run a .NET Class library
via interop?

Note
1) If I
1.1) turn OFF anonymous access on the ASP directory (from IIS Manager)
1.2) Turn on only integrated windows authentication
1.3) Try to load the ASP, logging in as someone with Admin rights on the IIS
Server
1.4) The page loads up displaying error '80070002' , when it tries to
instantiate using CreateObject a .NET Object

2) If I
2.1) turn ON anonymous access on ASP Directory (from IIS Manager)
2.2) Turn off integrated windows authentication
2.3) Try to load the ASP
2.4) The page loads up displaying error '80070002' , when it tries to
instantiate using CreateObject a .NET Object

3) If I
3.1) Add IUSR_MachineName and IWAM_MachineName to the Local admin group,
reset IIS
3.2) Turn on ONLY Anonymous access on IIS Manager
3.3) Try to load the ASP
3.4) The page loads up displaying error '80070002' , when it tries to
instantiate using CreateObject a .NET Object

 

[[MSFT]]

Hello Patrick,

ASP.NET is different from class ASP, it will use the account "ASPNET" or
"network service", not IUser or IWAN in ASP. To run a .NET component, we
need permission on manya folder as you have found, such as windows foler,
temp folder and .NET framework folder.

When you perform the three tests, what is the protection level you set in
IIS?

(An adventruous idea is to upgrade your application to ASP.NET. For most of
cases, we can just rename the .ASP file to .ASPX and then run it under
ASP.NET. )


Luke

 

[Patrick]

I don't seem to find the minimum set of requirements needed to run .NET
interop class library (after putting it in GAC and regasm /tlb) from ASP
anywhere on the microsoft or MSDN site? Luke could you shed some light as
to
- the minimum set of folder permissions needed for IWAM_MachineName
- the minimum set of folder permissions needed for IUSR_MachineName
- the minimum set of registry permissions needed for IWAM_MachineName
- the minimum set of registry permissions needed for IUSR_MachineName
- the minimum set of other permissions required

Considering the large set of ASP files and include files present, and the
amount of regression tests required, porting to ASPX is probably not a good
option for now!

 

[Patrick]

Furthermore, if within my .NET Class library, I try to write to just the
Application Log of EventViewer using an *Existing* Event Source (I know
more permissions are required to get EventSource created), using the
following very simple code snippet, I get permissions error as stated below.

Note, I have made IUSR_MachineName and IWAM_MachineName a member of local
administrators group on IIS5.1 on Windows XP Professional SP1 with .NET
Framework 1.1

--------------------------Start of code snippet--------------------------
EventLog objEventLog;
objEventLog = new EventLog();
objEventLog.Log = "Application";
objEventLog.Source = "ASP.NET 1.1.4322.0";
objEventLog.WriteEntry("i am here");
--------------------------End of code snippet--------------------------

--------------------------Start of Error--------------------------
System.InvalidOperationException: Cannot open log for source {0}. You may
not have write access. ---> System.ComponentModel.Win32Exception: Access is
denied
--- End of inner exception stack trace ---
at System.Diagnostics.EventLog.OpenForWrite()
at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type)
at System.Diagnostics.EventLog.WriteEntry(String message)
at MyOrg.web.publications.Order.UpdateOrderObject(SimpleOrderData order)
at MyOrg.web.publications.Order.PlaceOrder(SimpleOrderData order)
--------------------------End of Error--------------------------

 

[[MSFT]]

I didn't found a public document which list this exactly. Following article
may help some:

How to set required NTFS permissions and user rights for an IIS 5.0 Web
server
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q271071

If you don't want run the ASP application under Low protection level: I
think you may consider creating a COM+ component calling the .NET assembly,
and then call the COM+ Component in ASP. A COM+ application can run within
different process and under different user account. Or you can create a
COM+ application in .NET directly:

HOW TO: Create a Serviced .NET Component in Visual C# .NET
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306296

Luke

 

[Patrick]

The Microsoft Article
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q271071 does not
state *Specific Minimum* permissions required to run .NET Interop from ASP
or that required to write to the Event Log (using an existing Event Source)

I think I have the following options (please correct me if I am wrong)
1) Run the ASP App Process Protection Level to "Low" + Make IWAM_MachineName
and/or IUSR_MachineName users Administrators
2) Instead of invoking a .NET class library via interop (regasm /tlb), make
the .NET Class library a COM+ (ActivationOption.Server)
3) Instead of invoking a .NET class library via interop (regasm /tlb), make
a VB6 COM+ which invoke the .NET Class library via interop
(ActivationOption.Server)

Note the following issues!!!
i) 2 and 3 is not going to work out in my particular scenario because the
class library is actually a .NET Web Service proxy client class library that
inherits from Microsoft.Web.Services2.WebServicesClientProtocol

ii) ASPNET, IUSR_MachineName and IWAM_MachineName are already made
administrators on the IIS server

iii) With IIS Process Protection set to Low, I can get the .NET class
library invoked from ASP, but when I set it to Medium, it doesn't. Using
FileMon and RegMon from http://www.sysinternals.com/ntw2k/utilities.shtml, I
figure out that there are loads of file/folder access is denied errors by
IWAM_MachineName (I can't find any MSDN articles which state what
folder/file permissions are required to invoke a .NET class library via .NET
Interop from ASP 2.0 [classic])

iv) With the relaxed permissions (ASPNET, IUSR_MachineName and
IWAM_MachineName made administrators, low IIS process protection), I still
cannot write to the event viewer from the .NET class library using an
*Existing* Event Source)
e.g.
objEventLog = new EventLog();
objEventLog.Log = "Application";
objEventLog.Source = "ASP.NET 1.1.4322.0";
objEventLog.WriteEntry("Test",EventLogEntryType.Information);

I get the following exceptions
--------------------------Start of Error--------------------------
System.InvalidOperationException: Cannot open log for source {0}. You may
not have write access. ---> System.ComponentModel.Win32Exception: Access is
denied
--- End of inner exception stack trace ---
at System.Diagnostics.EventLog.OpenForWrite()
at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
EventLogEntryType type, String[] strings, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID, Int16 category)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type, Int32 eventID)
at System.Diagnostics.EventLog.WriteEntry(String message,
EventLogEntryType type)
at System.Diagnostics.EventLog.WriteEntry(String message)
at MyOrg.web.publications.Order.UpdateOrderObject(SimpleOrderData order)
at MyOrg.web.publications.Order.PlaceOrder(SimpleOrderData order)
--------------------------End of Error--------------------------

v) I can confirm that with a simple ASPX page as follows without
impersonation:
------------------------------Start of
eventLogTest.aspx------------------------------
<%@Import Namespace="System.Diagnostics" %>
<%@Import Namespace="System.Web" %>
<%@ Page language="c#" AutoEventWireup="true" EnableSessionState="False" %>
<HTML>
<HEAD>
<title>event log test</title>

</HEAD>
<body>
<%
try
{
EventLog objEventLog;

objEventLog = new EventLog();
objEventLog.Source = "Application";

objEventLog.WriteEntry("Test message",EventLogEntryType.Information);

}
catch (Exception e)
{
%>
<%= e.ToString()%>
<%
} //end try%>
</body>
</html>
------------------------------end of
eventLogTest.aspx------------------------------

SO, the ultimate questions are
1) How could I get a .NET class library to write to the event log using an e
xisting event source when the class library is invoked from ASP 2.0
(classic)
2) What is the simplest and most secure way of allow a .NET class library to
be invoked from ASP 2.0 (Classic)?

 

[[MSFT]]

Hi Patrick,

AS I know, to write system event log, the account should have full control
with following:

/Windows/System32
System temp folder

And, you must change the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Re
strictGuestAccess from a 1 to a 0. You must reboot for the change to take
effect.

However, if you use .NET component to access the eventlog, the account aslo
should have permissioen on .NET and framework's folder.

Can you let me know why you don't want leave the application protection
level as "low"? If "low" is impossible, you may set it to "high". And then,
open Administrative tools/component services/Computers/My Computer/COm+
applications, you will notice a COM+ application has been create for the
virtual folder. Right click it, select Properties/Identity, you can specify
a powerful account here. When the application protection level is set to
high, it will use this account. You may add this account to adminitrators
group to test again.

Luke