Not your usual bonehead ASP.NET permissions issue...


Kirk

My web page needs to start a process on the server that runs as a
domain user so it can access the network. I'm using web services and
the new feature in .NET 2.0 that lets you start a process as a
different user. The following web service works fine until I uncomment
the lines setting UserName and Password. Then, Process.Start throws an
Access is Denied Exception. If I just comment out the
UserName/Password lines and reload the aspx, then it works fine.

My IIS runs as Local System, and I understand I cannot start a process
as a different user like this from a process owned by Local System.
So, I put this Web Service into an IIS Application Pool with the
Identity set to the local Administrator account. I also added local
Admin to the IIS_WPG group and granted access to "Adjust memory quotas
for a process" and "Replace a process level token" as required by MS
docs. Despite all this, it still tells me "Access is Denied" when I
try to start the process with ProcessStartInfo.UserName set. Even if,
as the code below shows, I try to start with the name and password
of the local Administrator (the same account the pool is configured to
use anyway)!

But if I simply comment out UserName and Password and re-invoke the web
method, the process runs fine; whoami.exe tells me it is the local
Administrator as expected. What other access do I need to grant local
Administrator to allow it to create this process as a different user?

Details: this is with .NET 2.0, of course (1.1 does not support running
a process as a different user). I'm running everything on Windows
Server 2003. I have impersonation enabled in my web.config, and I'm
using Integrated authentication on the IIS virtual directory that this
aspx is in. When I invoke the service via the default aspx browser, I
connect as a domain user.

<%@ WebService Language="C#" Class="Kirk.ForkIt" %>

using System;
using System.IO;
using System.Collections;
using System.Security;
using System.Web.Services;
using System.Diagnostics;

namespace Kirk
{
    public class ForkIt
    {
        [WebMethod]
        public string Main()
        {
            Process p = new Process();
            ProcessStartInfo pInfo = new ProcessStartInfo(@"c:\windows\system32\whoami.exe");

            SecureString password = new SecureString();
            // set value for password here.
            password.AppendChar('s');
            password.AppendChar('e');
            password.AppendChar('c');
            password.AppendChar('r');
            password.AppendChar('e');
            password.AppendChar('t');

            //pInfo.UserName = "Administrator";
            //pInfo.Password = password;
            pInfo.CreateNoWindow = true;
            pInfo.UseShellExecute = false;
            pInfo.RedirectStandardOutput = true;

            p.StartInfo = pInfo;
            p.Start();

            String output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();

            return output;
        }
    }
}
 

Bruce Barker

the iis account is not involved.

the aspnet worker process is the process doing the create process as user.
if you are on win2003, then it's the app pool identity that needs the
permissions, on win2000 it's the asp.net account. be sure you don't have
identity impersonate set in web.config. also sometimes asp.net trims its
token's permissions at request start, so you may need to do a win32 sdk revert
before calling create process. so: save token, revert, create process,
restore token.


-- bruce (sqlwork.com)




 

Kirk

Okay, I turned off impersonation, and I'm using the local Administrator
account as the pool identity. If I invoke the service, the browser
hangs waiting for a response from whoami.exe. I can see whoami.exe
running in the Task Manager as the user I specified in the C# code, but
it never terminates. Keeping everything the same, if I comment out the
UserName and Password bit, then it runs fine.

I also just tried setting the pool identity to the default: NETWORK
SERVICE. Same deal: runs fine until I specify UserName and Password,
then it runs whoami.exe but it hangs.

I didn't follow what you said about asp.net trimming token permissions.
Do you have any code to do the save/revert/restore bit? I'm no coding
guru, just learning C# and .NET, actually...

Thanks,
Kirk
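The save/revert/create/restore sequence Bruce describes, written out as an added example (not code from either poster). It assumes the worker process identity already holds the "Replace a process level token" and "Adjust memory quotas for a process" rights mentioned above; the class name, the Domain argument and the timeout are assumptions. It also bounds the wait so a child that never exits, like the hanging whoami.exe in the post above, cannot block the request forever.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;
using System.Text;

namespace Kirk
{
    // Hypothetical helper; not part of the original web service.
    public static class ForkAsUser
    {
        public static string Run(string exe, string domain, string user,
                                 SecureString password, int timeoutMs)
        {
            // Save + revert: Impersonate(IntPtr.Zero) drops whatever impersonation the
            // request thread carries and hands back a context that remembers it. The
            // call below then runs under the worker-process token (the app pool identity).
            WindowsImpersonationContext saved = WindowsIdentity.Impersonate(IntPtr.Zero);
            try
            {
                ProcessStartInfo psi = new ProcessStartInfo(exe);
                psi.Domain = domain;            // "." for a local account such as Administrator
                psi.UserName = user;
                psi.Password = password;        // SecureString, as in the original post
                psi.UseShellExecute = false;    // mandatory when UserName/Password are set
                psi.CreateNoWindow = true;
                psi.RedirectStandardOutput = true;

                StringBuilder output = new StringBuilder();
                using (Process p = new Process())
                {
                    p.StartInfo = psi;
                    // Read stdout asynchronously so a child that never writes or never
                    // exits cannot block the request in ReadToEnd().
                    p.OutputDataReceived += delegate(object s, DataReceivedEventArgs e)
                    {
                        if (e.Data != null) output.AppendLine(e.Data);
                    };
                    p.Start();
                    p.BeginOutputReadLine();
                    if (!p.WaitForExit(timeoutMs))
                    {
                        p.Kill();   // do not leave an orphaned child running as the other user
                        throw new TimeoutException(exe + " did not exit within " + timeoutMs + " ms");
                    }
                    p.WaitForExit();    // lets the async output handler drain completely
                }
                return output.ToString();
            }
            finally
            {
                saved.Undo();   // restore: the rest of the request runs as it did before
            }
        }
    }
}
```

Called from the [WebMethod] as `ForkAsUser.Run(@"c:\windows\system32\whoami.exe", ".", "Administrator", password, 10000)`, the returned text should name the account given in UserName rather than the pool identity.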
 
