Want to Reboot server from ASPX page

[Terry]

I am developing a asp.net web based service application for our product
I am trying to trigger a reboot of the server based on a user request
I believe I have all the appropriate code for AdjustingTokens etc an
all those calls seem to succeed, however, the final call to ExitWindowsE
is failing with 'Access Denied'

In my machine.config, I have already set the userName to 'System' as
seem to require this for some other functionality I implemented. I also trie
to impersonate a local user account with admin priviledges via my application
web.config file but that failed as well with the same 'Access Denied' (by th
way what exactly does 'impersonate' in the web.config do when the machine.config
file already lets me specify the user as 'SYSTEM'?

I expect there is some other security thing that I need to twiddle ... any ideas greatl
appreciated (with as much detail as possible, I am very new to this whole web securit
stuff)

Thanks

Terr

 

[Chris Botha]

Terry, first get the code to run in a normal Windows App, so you know that
it works.
After that, it should be a security issue, and impersonation should work,
but you also have to switch off anonymous access to the virtual directory
for impersonation to work.
To ensure that your impersonation is set up correctly, add a test call
somewhere in a form, returning the current user, and check that it is what
you expect (not the anonymous, or ASP.NET user, etc). To get the current
user, call
System.Security.Principal.WindowsIdentity.GetCurrent().Name

 

[Terry]

OK, I have verified that the shutdown related code is working fine fro
a regular app

How do I switch off anonymous access to the virtual directory
Are you talking about adding a statement like <deny user="?"
in my web.config file or are you talking about a setting i
the IIS Service Mgr

I am using a simple application based 'Forms' authentication
In this case if I use <identity impersonate="true" /> who woul
it be impersonating ... or in this case because I am using Form
authentication would I have to spell all that out like
<identity impersonate="true" userName="abc" password="def"

I am still a little puzzled by all this impersonate stuff ... if you d
impersonation what is the point of setting the user='SYSTEM' i
the machine.config file

Thanks

Terr

----- Chris Botha wrote: ----

Terry, first get the code to run in a normal Windows App, so you know tha
it works
After that, it should be a security issue, and impersonation should work
but you also have to switch off anonymous access to the virtual director
for impersonation to work
To ensure that your impersonation is set up correctly, add a test cal
somewhere in a form, returning the current user, and check that it is wha
you expect (not the anonymous, or ASP.NET user, etc). To get the curren
user, cal
System.Security.Principal.WindowsIdentity.GetCurrent().Nam

 

[Joe Kaplan \(MVP - ADSI\)]

If you are using Forms authentication and have impersonation enabled, you
are impersonating the anonymous user configured in IIS to be used for
anonymous requests (IUSER_MACHINENAME by default).

If you need SYSTEM privileges to do what you need to do, you must not
impersonate the anonymous user. You could set the processModel to SYSTEM
(like you said you did before) and that should work, as the processModel
account is the account the request runs under when you are not
impersonating.

However, running under SYSTEM is generally not a good idea for other
security reasons. It is probably a better idea to create a COM+ component
that does the required functionality and run that with an identity with the
correct permissions. Then, you would call that COM+ component from your
application.

It is hard for me to imagine why you would want to allow a remote web
request to reboot the server, but I guess we'll help you do that if that's
what you want...

Joe K.