Re: Error 1307: Adding File Permissions to NTFS using System.Management Object in ASP.NET


From: Ben Dewey (ben.dewey_at_scientiae.com)
Date: 05/06/04


Date: Thu, 6 May 2004 12:19:16 -0400

Willy,

How do I set up the impersonation through web.config?

I tried using this code below, but I kept getting a "The security ID
structure is invalid." error. Is this what you were talking about doing?

Also, have you ever heard of the Microsoft.Win32.Security Namespace
(http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9)?
I was playing around with that a little bit and it seemed to work. Are there
any issues with using this namespace?

Code:
--------------------------------------
using ActiveDs;   // COM interop reference to Activeds.tlb

ADsSecurityUtilityClass secuUtil = new ADsSecurityUtilityClass();
object secuDesc = secuUtil.GetSecurityDescriptor(
    this.FolderName,
    (int)ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
    (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
if (secuDesc != null)
{
    // Since we asked for the ADS_SD_FORMAT_IID format, the returned object is
    // an IADsSecurityDescriptor, so its members give us the parts of the
    // security descriptor (owner, group, DACL, SACL).
    IADsSecurityDescriptor folderSD = (IADsSecurityDescriptor)secuDesc;
    IADsAccessControlList folderAcl =
        (IADsAccessControlList)folderSD.DiscretionaryAcl;

    AccessControlEntry newAce = new AccessControlEntryClass();
    newAce.AceType = (int)ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED;

    // Map the requested permission type onto the file-system access mask.
    switch (permissionType)
    {
        case DsPermissionTypes.Read:
            newAce.AccessMask = DsPermissions.FILE_LIST_DIRECTORY;
            break;
        case DsPermissionTypes.Write:
            newAce.AccessMask = DsPermissions.FILE_ADD_FILE |
                                DsPermissions.FILE_ADD_SUBDIRECTORY;
            break;
        case DsPermissionTypes.Delete:
            newAce.AccessMask = DsPermissions.FILE_DELETE_CHILD |
                                DsPermissions.FILE_TRAVERSE;
            break;
        case DsPermissionTypes.ChangePermissions:
            newAce.AccessMask = DsPermissions.WRITE_DAC |
                                DsPermissions.READ_CONTROL;
            break;
    }

    // Let child files and folders inherit this ACE.
    newAce.AceFlags = (int)ADS_ACEFLAG_ENUM.ADS_ACEFLAG_INHERIT_ACE;
    // These flags mark an object-specific ACE (directory-service objects that
    // carry ObjectType GUIDs); a plain file-system ACE normally leaves Flags at 0.
    newAce.Flags = (int)ADS_FLAGTYPE_ENUM.ADS_FLAG_OBJECT_TYPE_PRESENT
                 | (int)ADS_FLAGTYPE_ENUM.ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT;

    // Trustee is DOMAIN\user when a domain is known, otherwise the bare account name.
    string trustee = (domain == null) ? username : domain + @"\" + username;
    newAce.Trustee = trustee;

    folderAcl.AddAce(newAce);
    folderSD.DiscretionaryAcl = folderAcl;

    secuUtil.SetSecurityDescriptor(
        this.FolderName,
        (int)ADS_PATHTYPE_ENUM.ADS_PATH_FILE,
        folderSD,
        (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
}

"Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
news:e0qZq$3MEHA.3016@tk2msftngp13.phx.gbl...
> Ben,
>
> Your code runs as "ASPNET" and uses ASPNET's access token when connecting
> to WMI; however, ASPNET has no privileges to change the filesystem object
> ACLs.
> So you need to run this code with elevated privileges, here you have a
> number of options:
> - or, impersonate a power user (using your web config file, or in code),
> - or, run this from a server type COM+ application, using a power user's
> identity.
> I would also suggest using the System.DirectoryServices namespace (and add
> a reference to Activeds.tlb) instead of WMI to manage FS ACLs, that way
> you don't have to add System.Management stuff to your code, and you don't
> have to care about WMI security settings.
>
>
> Willy.
>
> "Ben Dewey" <bdewey01@hotmail.com> wrote in message
> news:a708280.0405060543.2a7ef1@posting.google.com...
> > Project:
> > ----------------------------
> >
> > I am creating an HTTPS File Transfer App using ASP.NET and C#. I am
> > utilizing Active Directory and Windows security to manage the
> > permissions. Why reinvent the wheel, right? Everything so far is
> > working well with the Active Directory. The problem I am having is
> > with adding File Permissions to a directory. I am currently using
> > some code courtesy of "Willy Denoyette [MVP]".
> >
> > Problem:
> > ----------------------------
> >
> > When I try to add user permissions to a specific folder using the same
> > code in a sample console app it works correctly. When I execute the
> > code from ASP.NET I get a return code of 1307, every time.
> >
> > Which means - 1307: This security ID may not be assigned as the owner
> > of this object.
> > (http://www.hiteksoftware.com/mize/Knowledge/articles/049.htm).
> >
> > Can anyone tell me why this is happening? Willy?
> >
> > Environment:
> > ----------------------------
> >
> > I am developing with Framework 1.1 and Windows XP. The users are
> > coming from AD on a Windows 2003 Server.
> >
> > I have given the ASPNET object full access to the folder C:\test. I have
> > also given the ASPNET object full access to Root/CIMV2 in
> > CompMgmt.msc/Services and Apps/WMI Control.
> >
> > Code:
> > ----------------------------
> > The DsSettings object is just a simple class that contains the login
> > and path information for LDAP.
> >
> >
> > public bool GrantPermission(string username, string domain, DsSettings settings)
> > {
> >     try
> >     {
> >         // Binary SID of the target user, read from its AD entry.
> >         byte[] bSid = (byte[])DsWrapper.GetUser(username, settings)
> >             .DsEntry.Properties["objectSID"].Value;
> >
> >         ManagementObject LogicalFileSecuritySetting = new ManagementObject(
> >             new ManagementPath(
> >                 @"ROOT\CIMV2:Win32_LogicalFileSecuritySetting.Path='c:\\test'"));
> >         ManagementBaseObject outParams =
> >             LogicalFileSecuritySetting.InvokeMethod("GetSecurityDescriptor", null, null);
> >
> >         ManagementBaseObject Descriptor =
> >             (ManagementBaseObject)outParams.Properties["Descriptor"].Value;
> >         ManagementBaseObject[] DACLObject =
> >             (ManagementBaseObject[])Descriptor.Properties["DACL"].Value;
> >
> >         ManagementObject newTrusteeUser =
> >             new ManagementClass(@"ROOT\CIMV2:Win32_Trustee").CreateInstance();
> >         newTrusteeUser["Domain"] = domain;
> >         newTrusteeUser["Name"] = username;
> >         newTrusteeUser["SID"] = bSid;
> >
> >         ManagementObject newACEUser =
> >             new ManagementClass(@"ROOT\CIMV2:Win32_Ace").CreateInstance();
> >         newACEUser["Trustee"] = newTrusteeUser;
> >         newACEUser["AceFlags"] = 3;          // OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
> >         newACEUser["AceType"] = 0;           // ACCESS_ALLOWED_ACE_TYPE
> >         newACEUser["AccessMask"] = 2032127;  // Full Access Mask (0x1F01FF)
> >
> >         // Append the new ACE to the existing DACL instead of replacing it;
> >         // assigning only { newACEUser } would discard every existing ACE on the folder.
> >         ManagementBaseObject[] DACLObjectNew;
> >         if (DACLObject == null)
> >         {
> >             DACLObjectNew = new ManagementBaseObject[] { newACEUser };
> >         }
> >         else
> >         {
> >             DACLObjectNew = new ManagementBaseObject[DACLObject.Length + 1];
> >             DACLObject.CopyTo(DACLObjectNew, 0);
> >             DACLObjectNew[DACLObject.Length] = newACEUser;
> >         }
> >         Descriptor.Properties["DACL"].Value = DACLObjectNew;
> >
> >         ManagementBaseObject inParams =
> >             LogicalFileSecuritySetting.GetMethodParameters("SetSecurityDescriptor");
> >         inParams["Descriptor"] = Descriptor;
> >         outParams =
> >             LogicalFileSecuritySetting.InvokeMethod("SetSecurityDescriptor", inParams, null);
> >
> >         // This line is where I get a result back of 1307 in ASP.NET
> >         uint result = (uint)outParams.Properties["ReturnValue"].Value;
> >
> >         LogicalFileSecuritySetting.Dispose();
> >         return result == 0;   // 0 = success, otherwise a Win32 error code such as 1307
> >     }
> >     catch (Exception)
> >     {
> >         throw;   // rethrow without resetting the stack trace
> >     }
> > }
> >
> >
> > Logs:
> > ----------------------------
> > C:\WINDOWS\system32\WBEM\Logs\Framework.log
> > ----------------------------
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:06.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
> > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:06.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:06.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
> > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:07.968 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:07.984 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
> > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:07.984 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.000 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
> > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.093 thread:1916 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
> > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.203 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
> > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.218 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.218 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
> > Shell Name Explorer.exe in Registry not found in process list. 05/06/2004 09:39:08.312 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.163]
> > Unable to locate Shell Process, Impersonation failed. 05/06/2004 09:39:08.312 thread:2540 [d:\xpsp1\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.179]
>
>
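The web.config impersonation Willy refers to, shown here as an added example that is not part of the thread. The account name, registry key path and folder are placeholders; the `registry:` syntax is the one documented for the .NET 1.1 aspnet_setreg.exe tool (KB 329290), which stores the credentials encrypted in the registry instead of in clear text in web.config.

```xml
<!-- Added example (not from the thread). Every request to this application then
     runs under the impersonated account's token instead of ASPNET's.

     Weak form, works but puts the password of a Power Users / admin account in
     clear text in a file readable by anyone who can read the web root:

       <identity impersonate="true"
                 userName="DOMAIN\PowerUserAccount" password="clear-text-password" />

     Preferred form: a dedicated, low-privilege service account whose credentials
     were written once with (placeholder values)

       aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\identity -u:"DOMAIN\svc-filexfer" -p:"..."

     and then only referenced from web.config. Grant read access on that registry
     key to the ASPNET account alone. -->
<configuration>
  <system.web>
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

Rather than making the service account a Power User, grant it only Read permissions plus Change permissions (READ_CONTROL and WRITE_DAC) on C:\test; that is all SetSecurityDescriptor needs to rewrite the folder's DACL, and it keeps the impersonated token from carrying rights the application does not use.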


