From: Willy Denoyette [MVP] on 9 Feb 2006 11:47

"Kirk" <kirk.martinez(a)gmail.com> wrote in message news:1139471651.638820.120280(a)f14g2000cwb.googlegroups.com...
| OS is Windows 2003 Server. I run IE6 and invoke the Web Service via
| the Invoke button from the default generator for .asmx files. The asmx
| file is also local to the web server; everything is on the same
| machine.
|
| I have impersonate set to true in my
| C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config file,
| and I am logged in as a domain user (DOMAIN/SOFTINFO, same DOMAIN that
| the server is in) with Administrative privileges. When I invoke the
| service, Environment.DomainName="SW-WEB"
| Environment.UserName="IUSR_SWDEVL2" (SW-WEB is the name of the machine,
| SWDEVL2 was the previous name of the machine).

| Environment.UserName="IUSR_SWDEVL2"

That's an indication that you are impersonating 'the' "anonymous" user.

| If I remove impersonation from my web.config, the service throws an
| exception...Access is Denied. Environment.DomainName="DOMAIN"
| Environment.UserName="SYSTEM". Not sure what SYSTEM really means, but
| I suppose it doesn't have permission to create processes. Anyway,
| that's why I enabled impersonation in the first place (plus it's how my
| old ASP stuff works and I like it for our intranet).
|

That's an indication that you run your asp.net process as localsystem. Note that you can't create another process using different user credentials (as you do in your code) from a process that runs as localsystem (W2K3 and XP SP2).

| I'm no expert, but my understanding is that impersonation will run my
| Web Service thread as the client user, however, when my process forks,
| it will run as the IIS user. I'm a bit confused, though, because I
| would expect UserName to be "SOFTINFO" for the case where I have
| impersonation turned on. Perhaps you can clarify this.
|

Yes, that's because you haven't enabled Windows authentication while impersonating (see your web.config file), so you are impersonating the default "anonymous" user which has the form IUSR_XXXXX, where XXXXX is the machine name.

| The Web Service is inline, and running from an Application Pool with
| Identity set to Local System. I also set it to Network Service and
| witness the same behavior. If I set it to Local Service I get the
| following error when I Invoke the Web Service (this is not a problem
| for me, but it might be a clue, I don't know):
|

"Local Service" or (better) "local network" must be granted access rights to the TEMP folder and a couple of other folders too.

Note that all of these questions can better be answered when you post to the asp or aspnet NG's, this NG is for C# only.

Willy.
From: Kirk on 9 Feb 2006 14:12

Thanks. Your reply, some sleep, and a fresh pot of coffee have alerted me to the fact that my virtual directory under IIS was set to allow anonymous access -- not what I intended. So...I set it to integrated Windows auth and now I see the DOMAIN user in Environment.UserName when I invoke the service (as expected). However, I get an Access is Denied exception when I try to start the process when I set the ProcessStartInfo UserName and Password to the local Administrator account. If I don't set UserName and Password in ProcessStartInfo, then the service runs fine. In that case, I see UserName is the domain user I logged in as when challenged from the browser, and whoami.exe returns "nt authority / system".

I suspect the issue is what you said: "Note that you can't create another process using different user credentials (as you do in your code) from a process that runs as localsystem (W2K3 and XP SP2)." I assume the solution is to use an Application Pool to run the Web Service in a process owned by a different user. So I set the Configurable Identity section of the App Pool properties to use Local Administrator (and added Administrator to the IIS_WPG group, and granted user rights as specified here: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx). Now when I invoke without UserName set, whoami tells me it is the local Administrator as expected. But if I set UserName, I still get Access is Denied. What other access do I need to grant local Administrator to allow it to create this process as a different user?

I will cross-post this to the aspnet NG.

Thanks, again.
Kirk
From: Kirk on 10 Feb 2006 13:24

Willy, I hope you haven't given up on me. I'm getting no responses from the other newsgroups. Do you have any further suggestions for me?

Thanks,
Kirk
From: Willy Denoyette [MVP] on 10 Feb 2006 14:35

"Kirk" <kirk.martinez(a)gmail.com> wrote in message news:1139512331.428063.290520(a)g43g2000cwa.googlegroups.com...
| Thanks. Your reply, some sleep, and a fresh pot of coffee have alerted
| me to the fact that my virtual directory under IIS was set to allow
| anonymous access -- not what I intended. So...I set it to integrated
| Windows auth and now I see the DOMAIN user in Environment.UserName when
| I invoke the service (as expected). However, I get an Access is Denied
| exception when I try to start the process when I set the
| ProcessStartInfo UserName and Password to the local Administrator
| account. If I don't set UserName and Password in ProcessStartInfo,
| then the service runs fine. In that case, I see UserName is the domain
| user I logged in as when challenged from the browser, and whoami.exe
| returns "nt authority / system".
|
| I suspect the issue is what you said: "Note that you can't create
| another process using different user credentials (as you do in your
| code) from a process that runs as localsystem (W2K3 and XP SP2)." I
| assume the solution is to use an Application Pool to run the Web
| Service in a process owned by a different user. So I set the
| Configurable Identity section of the App Pool properties to use Local
| Administrator (and added Administrator to the IIS_WPG group, and
| granted user rights as specified here:
| http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx).
| Now when I invoke without UserName set, whoami tells me it is the
| local Administrator as expected. But if I set UserName, I still get
| Access is Denied. What other access do I need to grant local
| Administrator to allow it to create this process as a different user?
|
| I will cross-post this to the aspnet NG.

And who's the user you set, is it a local user? If it's a local user, can he launch the command from the command line (using runas)?

Willy.
From: Kirk on 10 Feb 2006 17:13
I tried domain users as well as the local (server) administrator account, which I thought for sure should work since that's what the pool is running as, but still no luck. I can run "runas /user:Administrator "c:\windows\system32\whoami.exe"" no problem. (I can see that it is in fact running if I runas a batch file that calls whoami.exe over and over so the cmd box doesn't disappear right away.) I can also run it as domain users (I tried using a domain account instead of Administrator to manage the pool, but that didn't help).

A quick recap of my config and stuff just to check sanity:

* Windows Server 2003 with .NET 2.0 SDK installed
* IIS virtual directory for web_services set to integrated Windows authentication
* web_services use app pool WebServices
* WebServices app pool sets Identity Configurable: local server Administrator account
* (I also ran aspnet_regiis.exe -ga on Administrator just in case)
* Impersonate set to true in web.config; authentication Windows
* Browser connects to aspx page as a separate domain user with access to aspx file

My basic web service to invoke whoami.exe works fine with this config unless you set UserName and Password on ProcessStartInfo. All UserNames will fail, but most striking is the local server Administrator also fails (even though that's what the pool uses). The result is an Access is Denied exception from Process.Start.

Thanks,
Kirk
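A diagnostic that makes the thread's observations concrete, added here as example code and not anything Kirk or Willy posted: it reports the identity the request thread runs under (the impersonated caller), then runs whoami.exe once with the inherited worker-process token and once with explicit ProcessStartInfo credentials, returning the Win32 error code behind the exception instead of a bare "Access is denied" when the second launch fails. The domain, account name and password strings are placeholders, and the method body is meant to sit inside a web method.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security;
using System.Security.Principal;

// Body of a web method: report the request thread's identity, then launch
// whoami.exe with the inherited token and again with explicit credentials.
public static class ProcessIdentityDiagnostics
{
    // Placeholder credentials (assumptions); a real deployment reads them
    // from protected configuration, never from source.
    const string RunAsDomain = "SW-WEB", RunAsUser = "RunAsPlaceholder";
    const string RunAsPassword = "password-placeholder";

    public static string Diagnose()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return "Thread identity: " + id.Name + " (" + id.ImpersonationLevel + ")\r\n"
             + "Inherited token: " + RunWhoAmI(null) + "\r\n"   // shows the app pool identity
             + "Explicit credentials: " + RunWhoAmI(RunAsPassword);
    }

    static string RunWhoAmI(string password)
    {
        ProcessStartInfo psi = new ProcessStartInfo(Environment.SystemDirectory + "\\whoami.exe");
        psi.UseShellExecute = false;        // required when credentials are supplied
        psi.RedirectStandardOutput = true;
        if (password != null)               // the branch that fails from a LocalSystem worker
        {
            psi.Domain = RunAsDomain;
            psi.UserName = RunAsUser;
            psi.Password = new SecureString();
            foreach (char c in password) psi.Password.AppendChar(c);
        }
        try
        {
            using (Process p = Process.Start(psi))
            {
                string output = p.StandardOutput.ReadToEnd().Trim();
                p.WaitForExit();
                return output;
            }
        }
        catch (Win32Exception ex)           // NativeErrorCode 5 = ERROR_ACCESS_DENIED, 1326 = bad credentials
        {
            return "failed: " + ex.Message + " (Win32 error " + ex.NativeErrorCode + ")";
        }
    }
}
```

Comparing the three lines tells you whether the request is impersonating the anonymous IUSR_ account or the Windows-authenticated caller, which account the pool really runs as, and the exact Win32 error behind the Process.Start exception.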