RE: IIS Virtual Directory Create Failure :(
From: Dan Rogers (danro_at_microsoft.com)
Date: 11/18/04
Date: Thu, 18 Nov 2004 22:52:13 GMT
Ahhh. I think this is a matter of the later OS being more secure. Code
access security is going to do a lot to prevent internet hosted logic from
doing things that require admin permissions. You want to think VERY
carefully about undoing this protection. Since .NET 1.1 was shipped as a
part of Windows Server 2003, I suspect that the policy expressions that
shipped with this version were more restrictive. If this is the case, no
amount of impersonation is going to fix this - since the call is
originating from a web service and thus is sandboxed. You'd have to
override code access security for these specific operations. I would still
add logic to such a service to make sure that the caller is a member of a
group the caller recognizes as an admin, since once you override the
sandbox security, no other protections would be keeping a non-admin from
making a call that if overdone could flood your box and disable your server.
I hope this helps
Dan
--------------------
>From: Eskimo <Eskimo@discussions.microsoft.com>
>Subject: RE: IIS Virtual Directory Create Failure :(
>Date: Wed, 17 Nov 2004 07:33:05 -0800
>Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
>
>Dan,
>
>Thanks for the suggestion, however, I used the following snippet...that
>didn't work even with an administrator logged in...impersonation didn't work
>either...
>
>I think it's IIS -> ADSI where the permission problem is on the server. I'm
>on xp pro and it works great!
>
>When I log into the server 2003 box as a member of the admin group it fails
>spectacularly with "Access is Denied."
>
>    System.Security.Principal.WindowsImpersonationContext impersonationContext =
>        ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
>    try
>    {
>        // <call web service method>
>    }
>    finally
>    {
>        // Always revert to the process identity, even if the call throws.
>        impersonationContext.Undo();
>    }
>
>"Dan Rogers" wrote:
>
>> Hi,
>>
>> If I understand you, you're trying to make IIS hosted managed code in a web
>> service dynamically define new VROOTS on the server that the web service is
>> on, and you are getting an access denied error.
>>
>> The managed code for your service is going to need to have permissions to
>> do these administrator operations, and thus either be impersonating an
>> administrator account (not a good idea if you ask me) or running in the
>> security context of an administrator (e.g. being called by an
>> administrator and assuming the administrator's permissions). The latter is
>> possible by placing the calls in the administrator's security context.
>> This is done by setting the credential cache in the proxy to the default
>> identity (the calling user).
>>
>> I hope this helps
>>
>> Dan Rogers
>> Microsoft Corporation
>> --------------------
>> >From: Eskimo <Eskimo@discussions.microsoft.com>
>> >Subject: IIS Virtual Directory Create Failure :(
>> >Date: Thu, 4 Nov 2004 15:28:07 -0800
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
>> >
>> >
>> >System.UnauthorizedAccessException: Access is denied.
>> > at System.DirectoryServices.Interop.IAds.SetInfo()
>> > at System.DirectoryServices.DirectoryEntry.CommitChanges()
>> > at CreateVirtualDirectories.Dal.CreateWebVirtualDirectory.Create
>> >
>> >...
>> >
>> > tried on the local development box and it had issues like this
>> >
>> >until I gave permissions like described in Article ID 329986, scroll down,
>> >Method A.
>> >
>> >It is a double hop as I did the test at the bottom in the Quick Test
>> >section.
>> >
>> >
>> >
>> >Code snippets:
>> >
>> >Web.config for web service having the error shown above...
>> >
>> ><identity impersonate="true" />
>> >...
>> >
>> > SCHEMA= "IIsWebVirtualDir";
>> > mRootSubPath = "/W3SVC/1/Root";
>> >
>> >...
>> >
>> > DirectoryEntry deRoot = new DirectoryEntry("IIS://" + "localhost"
>> >     + mRootSubPath, winAcctId, winAcctPwd, AuthenticationTypes.Secure);
>> >
>> >...
>> >
>> > // Verbatim strings (@"...") so the backslashes are not read as escapes.
>> > if (Directory.Exists(@"c:\temp\Eskimo\") == false)
>> > {
>> >     Directory.CreateDirectory(@"c:\temp\Eskimo\");
>> > }
>> >
>> > deRoot.RefreshCache();
>> >
>> > DirectoryEntry deNewVDir = deRoot.Children.Add("Eskimo", mSchema);
>> >
>> > deNewVDir.Properties["Path"].Insert(0, @"c:\temp\Eskimo\");
>> >
>> >...
>> > deNewVDir.Properties["AccessRead"][0] =true;
>> > deNewVDir.Properties["AccessWrite"][0] = true;
>> > deNewVDir.Properties["AccessExecute"][0] = true;
>> > deNewVDir.Properties["AuthAnonymous"][0] = false;
>> > deNewVDir.Properties["AuthBasic"][0] = false;
>> > deNewVDir.Properties["AuthNTLM"][0] = true;
>> > deNewVDir.Properties["ContentIndexed"][0] = false;
>> > deNewVDir.Properties["EnableDirBrowsing"][0] = true;
>> > ...
>> > deNewVDir.Invoke("AppCreate",true);
>> >
>> > deNewVDir.CommitChanges();
>> > deRoot.CommitChanges();
>> >
>> > deNewVDir.Close();
>> >
>> > deRoot.Close();
>> >...
>> >
>> >Now: in a windows application it works great! I have a DLL project and a
>> >windows app test project and the web service accessing the DLL project.
>> >In a web service I get the error listed above... :(
>> >
>> >--
>> >tym, Eskimo
>> >
>>
>>
>
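Added example, not part of the original thread: one way to implement the two suggestions in the replies above, the caller-group check placed ahead of the privileged metabase code, and the proxy's credential cache set to the calling user. The class and method names and the `BUILTIN\Administrators` group are assumptions, and it assumes the service runs with Windows authentication and anonymous access disabled so that `User` is a `WindowsPrincipal`.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// Service side (hypothetical class and method names).
public class VDirAdminService : WebService
{
    // Assumption: the group this server treats as IIS administrators.
    private const string AdminGroup = @"BUILTIN\Administrators";

    // Throws unless the caller authenticated with Windows auth and is in AdminGroup.
    internal static void DemandAdminCaller(IPrincipal user)
    {
        WindowsPrincipal caller = user as WindowsPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("A Windows-authenticated caller is required.");
        if (!caller.IsInRole(AdminGroup))
            throw new SecurityException("Caller is not a member of " + AdminGroup + ".");
    }

    [WebMethod]
    public void CreateVirtualDirectory()
    {
        // Check the caller first, so nothing touches the metabase for a non-admin.
        DemandAdminCaller(User);

        // The DirectoryEntry code from the original post runs here,
        // only after the check has passed.
    }
}

// Client side: send the calling user's own Windows credentials with the request.
public class VDirAdminClient
{
    // 'proxy' is the wsdl.exe-generated proxy for the service above.
    public static void UseCallerIdentity(SoapHttpClientProtocol proxy)
    {
        proxy.Credentials = CredentialCache.DefaultCredentials;
    }
}
```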