D
Dominick Baier [DevelopMentor]
Have you enabled delegation on the web server??
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
security issue with wmi call from asp.net 2.0 web service
S
Scott Walters
Hi,
I'm having a strange security problem with an asp.net 2.0 web service
I've written to automate our build and deployment process. I get an
access denied from a wmi call that attempts to stop a service on a
remote machine, but I only get it running in a particular configuration.
Otherwise, it works.
The web service is accessed from a win forms client and the webapp that
hosts the service is configured to use integrated security through IIS
manager. The web.config for the service is also set to use user
impersonation. I've verified that this works by pulling the current user
from the web service code and checking it against the user I'm logged in
as. I also spawn several cvs & nant processes via CreateProcessAsUser
that require admin access on the web service host machine and these all
work in all the configurations.
Here's the configuration where the stop service works...
The forms client & web service are both running on my laptop.
The web service runs under a real IIS webapp, not the ASP.NET
development server.
I'm logged into a domain user that'a a local admin on the laptop and the
remote machine with the service I'm trying to stop.
Here's the configuration where it fails with the access denied.
The forms client is on the laptop, the web service is on a different
test server.
The web service runs under a real IIS webapp, not the ASP.NET
development server.
I'm logged into a domain user that'a a local admin on the laptop, the
test server with the web service, and the remote machine with the
service I'm trying to stop.
The really strange thing about this is if I remote desktop into the test
server where it fails in the web service code, login with the same user,
and run the wmi code, it works fine. It even works this way if I do it
with nant using the servicecontroller task. The web service code
originally did the stop/start service using nant but when I ran into
this error I rewrote it to use wmi directly from c#. Unfortunately, it
didn't help.
I've put quite a bit of time into this project and really need a
solution. This won't be worth much unless it can stop/start remote
services so please let me know if you have any ideas.
Thanks,
Scott
I'm having a strange security problem with an asp.net 2.0 web service
I've written to automate our build and deployment process. I get an
access denied from a wmi call that attempts to stop a service on a
remote machine, but I only get it running in a particular configuration.
Otherwise, it works.
The web service is accessed from a win forms client and the webapp that
hosts the service is configured to use integrated security through IIS
manager. The web.config for the service is also set to use user
impersonation. I've verified that this works by pulling the current user
from the web service code and checking it against the user I'm logged in
as. I also spawn several cvs & nant processes via CreateProcessAsUser
that require admin access on the web service host machine and these all
work in all the configurations.
Here's the configuration where the stop service works...
The forms client & web service are both running on my laptop.
The web service runs under a real IIS webapp, not the ASP.NET
development server.
I'm logged into a domain user that'a a local admin on the laptop and the
remote machine with the service I'm trying to stop.
Here's the configuration where it fails with the access denied.
The forms client is on the laptop, the web service is on a different
test server.
The web service runs under a real IIS webapp, not the ASP.NET
development server.
I'm logged into a domain user that'a a local admin on the laptop, the
test server with the web service, and the remote machine with the
service I'm trying to stop.
The really strange thing about this is if I remote desktop into the test
server where it fails in the web service code, login with the same user,
and run the wmi code, it works fine. It even works this way if I do it
with nant using the servicecontroller task. The web service code
originally did the stop/start service using nant but when I ran into
this error I rewrote it to use wmi directly from c#. Unfortunately, it
didn't help.
I've put quite a bit of time into this project and really need a
solution. This won't be worth much unless it can stop/start remote
services so please let me know if you have any ideas.
Thanks,
Scott
D
Dominick Baier [DevelopMentor]
Hi,
yep - this has to be configured in AD - also check out this article.
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
yep - this has to be configured in AD - also check out this article.
http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx
S
Scott Walters
I don't think I've ever seen that option. I found an article at
http://support.microsoft.com/?id=810572. Is this what you mean?
I haven't done anything with the kerboros or active directory stuff, but
I followed the article's instructions and changed the "Default Web Site"
settings to integrated windows auth only. The webapp for the asp.net
service was already set this way. This didn't seem to help.
I already had the web.config settings setup the way the article says.
I bet you're right about why it's failing, and the solution looks really
ugly. I'm not a domain admin here so I'm not sure I can get to the
active directory config. I may end up hacking something to get around
it. The web service code already has a connected socket to the winforms
client so he can stream the cvs & nant output back. I may end up
generating vbscript text from the service to do the wmi stuff and
sending it down the socket so the client can use the msscript com object
to execute it. Ugh!
http://support.microsoft.com/?id=810572. Is this what you mean?
I haven't done anything with the kerboros or active directory stuff, but
I followed the article's instructions and changed the "Default Web Site"
settings to integrated windows auth only. The webapp for the asp.net
service was already set this way. This didn't seem to help.
I already had the web.config settings setup the way the article says.
I bet you're right about why it's failing, and the solution looks really
ugly. I'm not a domain admin here so I'm not sure I can get to the
active directory config. I may end up hacking something to get around
it. The web service code already has a connected socket to the winforms
client so he can stream the cvs & nant output back. I may end up
generating vbscript text from the service to do the wmi stuff and
sending it down the socket so the client can use the msscript com object
to execute it. Ugh!
S
Scott Walters
Thanks. This looks really good. I'll pass this along to the domain
admins and see what they can do with it.
admins and see what they can do with it.
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.
Similar Threads
Forum statistics
Latest Threads
-
What steps are the key steps involved in designing a product?
- Started by remotedevelopers
-
How to fetch and console.log all items from an associative array
- Started by John Keets
-
The *Best Python Cheat Sheet
- Started by kmh
-
Programming Blog
- Started by WhiteCube
-
Why getting 404 errors?
- Started by IBMJunkman
-
Wonky image crisis
- Started by OBXKH
-
JS exercise ''find the mistake'' not understood well
- Started by Chris
-
How does Mobile App Development company approach user experience (UX)?
- Started by remotedevelopers
-
Media query issue
- Started by OBXKH