Access Is Denied

[will eichert]

New to .NET, and trying to get a web application using one of my older
COM components to work.

It works from VB.NET or VB.C# desktop app, but when instantiating an
object from my COM component in an ASP.NET app, I get the Access
Denied error.

I have disabled the Indexing service, and granted full privileges to
the {MACHINE}\ASPNET account for this file, and it still doesn't work.

I wasn't certain which files need privileges for the {MACHINE}\ASPNET
account, so I granted the privileges from the files mycomponent.exe
(this is the actual COM component), and all of the files in the BIN
directory of my app (interop.mycomponent.dll, interop.vba.dll,
mycomponent.dll, mycomponent.pdb).

I am not impersonating, and would like to save myself the trouble of
impersonating, unless it's really necessary.

Can anyone tell me why I'm getting this message, and how to resolve
the problem?

The full text of the message is below.

Thanks,

Will Eichert

Server Error in '/sensors' Application.
--------------------------------------------------------------------------------

Access is denied.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access is
denied.

ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
the application is not impersonating. If the application is
impersonating via <identity impersonate="true"/>, the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.

To grant ASP.NET write access to a file, right-click the file in
Explorer, choose "Properties" and select the Security tab. Click "Add"
to add the appropriate user or group. Highlight the ASP.NET account,
and check the boxes for the desired access.

Source Error:


Line 28: Dim i As Int16, tstr As String
Line 29: 'gInitializer =
Server.CreateObject("SensorServices.SensorInitializer")
Line 30: gInitializer = New SensorServices.SensorInitializer
Line 31: tags = gInitializer.tags
Line 32: For i = 1 To tags.tagcount


Source File: c:\inetpub\wwwroot\sensors\WebForm1.aspx.vb Line: 30

Stack Trace:


[UnauthorizedAccessException: Access is denied.]
sensors.WebForm1.Page_Load(Object sender, EventArgs e) in
c:\inetpub\wwwroot\sensors\WebForm1.aspx.vb:30
System.Web.UI.Control.OnLoad(EventArgs e)
System.Web.UI.Control.LoadRecursive()
System.Web.UI.Page.ProcessRequestMain()

 

[Jacob Yang [MSFT]]

Hi Will,

Based on my research and experience, this issue is all about the user
account permission.

When you run a desktop application, the process is running under the login
user account. When you run an ASP.NET application, the process is running
under the ASP.NET account. That is the reason of this problem.

I am not sure about what your com object is trying to do. I think that the
following Knowledge Base article is useful to this issue although it is
talking about office automation.

257757 INFO: Considerations for Server-Side Automation of Office
http://support.microsoft.com/?id=257757

A simple possible solution for this issue is impersonating the ASP.NET
application or adding the ASP.NET account to the same user group of your
login account.

If you do not want the above solution, another possible workaround is using
the Filemon tool to find which files are "Access is denied".

http://www.sysinternals.com/ntw2k/source/filemon.shtml

Does it answer your question? If I have misunderstood your concern, please
feel free to let me know.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[will eichert]

Thanks for the response.

I tried giving the ASP.NET user administrative privileges on the
server (which is also the development machine), and modified the COM
object class that I'm instantiating to be nothing but an empty shell,
so it's not trying to do anything. Also tried changing the COM class's
instancing from single-use to multi-use. In every case I get the same
error, Access Denied, when the VB.NET web app tries to create the COM
object. Also tried to create the object using CreateObject or using
New, but get the Access Denied error either way.

What am I missing here?

A simple possible solution for this issue is impersonating the ASP.NET application or adding the ASP.NET account to the same user group of your login account.

One difference is the login account is running on a domain, and the
ASP.NET account is local. I would think this doesn't matter, since the
project folder is http://localhost/thewebapp/.

I'm probably way off track with all of these efforts, but I figured if
I made everything as permissive as possible, I could get it to work
and then start adding restrictions 1 by 1 to find out what the problem
is. But I haven't been able to make things permissive enough to even
pull this off.

Thanks for any advice... Again, I'm new to .NET, so it could be
something that seems obvious to everybody else out there...

Will

 

[will eichert]

Here's another possible issue,

The COM class lives in an outofprocess Activex EXE, not a DLL. I
noticed that when I add this EXE to the web app using Add COM
References in the IDE, it creates a file called
Interop.SensorServices.Dll. This seems odd to me. Does COM
compatibility work with Activex EXE's? Is there something I need to
explicitly do to use an Activex EXE from .NET?

Thanks,

Will

 

[will eichert]

So, I just built an Activex DLL, and instantiated a class from it
instead of from the Activex EXE. Works like a charm.

Nothing else is different (no permissions are different, that is).
This proves that it's something related to using Activex EXE
outofprocess components.

Can these components be used from ASP.NET? What specifically would I
need to do to resolve this problem?

Thanks for any help,

Will

 

[Jacob Yang [MSFT]]

Hi Will,

The "out of process" components can be used from ASP.NET. What we should do
is changing the DCOM permissions on this ActiveX EXE component
appropriately via the dcomcnfg command.

There is a Knowledge Base article for a known problem in IIS 4 but I do not
think you are using IIS 4.

PRB: Cannot Launch Out of Process Component Under IIS 4
http://support.microsoft.com/default.aspx?scid=kb;en-us;184682

I hope it helps.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[will eichert]

You're correct, I'm running IIS 5, and this component is a
production component that's been used by ASP for a couple
of years, no problem. It's giving me this Access Error when
I try to use it from a .NET web application.

I'm using it on the local machine which also runs IIS, so
what's DCOM got to do with it? I wouldn't think DCOM would
be involved here. Correct me if I'm wrong about this. If
so, what specifically do I have to change using dcomcnfg?

Are there any samples or examples of how to use an Activex
COM out-of-process EXE from ASP.NET? I can only find
examples for DLLs.

Will

 

[will eichert]

OK, I got it. Jacob, you're correct, dcomcnfg was the key.
For anyone else having this problem, here are the specifics.

from
http://support.microsoft.com/default.aspx?scid=kb;en-us;317012
(much good info in this article) I saw this info:

"Starting Out-of-Process COM Servers
Applications that must start out-of-process COM servers
while running as the ASPNET account can specifically grant
launch permissions to the account by using the Dcomcnfg.exe
tool."

Running dcomcnfg, select your COM server and hit
Properties, Security tab, select Use Custom Launch
Permissions and hit the Edit button, and give "Allow
Launch" access to the local ASPNET account.

Will

 

[Jacob Yang [MSFT]]

Hi Will,

Thank you very much for sharing the important information. It is helpful to
everybody here.

Best regards,

Jacob Yang
Microsoft Online Partner Support
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.