Re: PKZIPC, ASP and WSH
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/28/04
Date: Wed, 27 Oct 2004 23:26:23 -0700
I'd like to note that you are using WshShell.Run with both a hidden window
style and "false" parameter, which is possibly the most undebuggable
state -- the ASP page transparently kicks off the PKZIPC.EXE process and
does NOT wait for it to finish processing before completing the ASP page
response, and you cannot see any window from these console processes on the
server. And you're trying to figure out what is going wrong.... Just does
not seem like a good idea to me.

I suggest for debugging purposes, you temporarily:

1. Change the WshShell.Run to use windowstyle=1 and true for bWaitOnReturn
2. Go to Services control panel applet and change both the "IIS Admin
   Service" and "World Wide Web Publishing Service" to have "Interact with
   Desktop" checked. Make sure to restart IIS after doing this to have it take
   effect (i.e. NET STOP /y IISADMIN & NET START W3SVC)
3. Now, make a request to your ASP page

You should now see the PKZIPC.EXE window pop up for every request, which
should show you more of what is going on. Please report what you find.

Regarding your question about "I'm curious about how IIS works with users to
run this process" -- here is a basic description of how IIS processes and
executes requests.

1. Request comes in off the network
2. IIS parses the request into request line (verb, URL, version) and
   headers, and goes through logic to figure out what to do with this request
3. IIS must have a user token to execute the request (i.e. use this user
   token to create a CGI process, load an ISAPI DLL, or load a resource from
   disk processing). This user token is obtained either via configured
   username/password (like AnonymousUserName/WamUserName/UNCUserName) or via
   some authentication protocol -- i.e. for "Anonymous access" it really means
   "log in this specific user to get a user token to handle any request", and
   for any authentication mechanism it means "go through the appropriate
   protocol handshake to obtain that user's token".
4. IIS executes requests to generate a response using user token from (3) in
   one of the following ways:
   a. Static File -- call CreateFile to access the resource and stream it back
      as a response to the client.
   b. Dynamic File, Directly Executable -- these are CGI EXE and ISAPI DLLs
      which can be immediately CreateProcess* or LoadLibrary by IIS to execute
      binary code to produce a response stream to send back to the client
   c. Dynamic File, ScriptMapped -- this is where a Dynamic File from (b) is
      associated with a file extension such that it handles response generation
      for all those requests -- i.e. .ASP is ScriptMapped to ASP.DLL, an ISAPI
      DLL. Whenever a request for .ASP comes in, IIS uses ASP.DLL as the
      "ScriptEngine" to process the .ASP request and generate a response.
5. Response is sent back from (4). Go back to (1) if more requests come in.

We are basically talking about 4c here. The relevant bits of information
needed are:

1. What is the user token that is executing the line of code in question.
You need to give all authentication protocols enabled and active for the URL
in question. Anonymous, Basic, Integrated, etc. In other words, if you
configure the AnonymousUserName and credentials but DO NOT have Anonymous
authentication enabled, it's obviously not used.

The authentication protocol determines the identity that IIS will use to
call into the ScriptMapped Dynamic File (i.e. ASP page). By default, IIS
impersonates the identity obtained via authentication protocol for all
requests.

Default Anonymous User identity is IUSR_<machinename>, default Process
Identity for Low Isolation is LocalSystem, default Process Identity for
Medium/High Isolation is IWAM_<machinename>. Both anonymous user and
medium/high isolation user are further configurable on a per-URL level, so
it can override system/website defaults.

Now, ASP uses the impersonated user identity to execute its requests (unlike
ASP.Net, which has a configurable option to either use the impersonated user
identity, process identity, or custom identity -- but we digress here...).
However, this does not prevent code in ASP page itself from running
components/code that call "RevertToSelf()" or otherwise modify the
impersonated identity executing the ASP page.

2. What are the effective ACLs on all resources in question that are being
accessed by the user identity from #1. Be careful of Deny ACLs that take
precedence over Allow ACLs, and be aware about ACLs inheriting from parent
to child

3. Any overall User Privileges affecting behaviors of #1 and #2. Such as
"Bypass Traverse Checking", "Logon Locally", etc

Your scenario should work by default on IIS5 -- so I'm surprised that it
doesn't. It is probably due to some special configuration on your
server(s), so we'll have to systematically troubleshoot and figure out what it
is. Troubleshooting starts with gathering output so that further decisions
can be made.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Rob Wharram" <googlegroups@resonanze.com> wrote in message
news:OvhOdnDvEHA.1824@TK2MSFTNGP10.phx.gbl...

I forgot to mention that the OS on the server is Win 2K Server Service Pack 4.

Your suggestion to take out "%comspec% /c" worked the same way, pkzipc
starts as a process on the server (I can see it in Task Manager), but
nothing happens.

I'm curious about how IIS works with users to run this process, maybe I've
got it wrong. The ASP page resides within a website that we can call
"website1" and the virtual directory that I created with the ScriptUser is
within "website1". The virtual directory contains the images that I want to
zip and is also where the zip file will be created. Does IIS use
"IUSR_SERVERNAME" when the ASP page runs within "website1" or does it use
ScriptUser because the files that are being zipped are in the virtual
directory? Which user needs permissions on pkzipc?

Thanks for all of your help!

Rob

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
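
Added example, not part of either poster's message or code: a temporary diagnostic ASP page that reports the identity and authentication state for the request and then runs the command with the debugging settings suggested above (windowstyle=1, bWaitOnReturn true). The file name and the command line are placeholders; substitute the command line the failing page already uses.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' diagzip.asp -- hypothetical name. Temporary diagnostic page; delete it after use.
Dim net, shell, cmdLine, exitCode

' 1. Which identity is ASP impersonating for this request?
Set net = Server.CreateObject("WScript.Network")
Response.Write "Impersonated user: " & Server.HTMLEncode(net.UserName) & "<br>"

' 2. How did IIS authenticate the request? Both values are empty
'    when the request was served under Anonymous access.
Response.Write "AUTH_TYPE: "  & Server.HTMLEncode(Request.ServerVariables("AUTH_TYPE"))  & "<br>"
Response.Write "LOGON_USER: " & Server.HTMLEncode(Request.ServerVariables("LOGON_USER")) & "<br>"

' 3. Run the command synchronously with a visible window.
'    PLACEHOLDER: paste the exact command line the failing page already uses.
cmdLine = "C:\path\to\PKZIPC.EXE <existing arguments>"

Set shell = Server.CreateObject("WScript.Shell")
On Error Resume Next
' intWindowStyle = 1 (normal window), bWaitOnReturn = True:
' Run blocks until the process exits and returns its exit code.
exitCode = shell.Run(cmdLine, 1, True)
If Err.Number <> 0 Then
    ' The process could not be started at all (bad path, access denied, ...).
    Response.Write "Run failed: 0x" & Hex(Err.Number) & " " & Server.HTMLEncode(Err.Description)
Else
    ' The process started and exited; a non-zero code is the tool's own error.
    Response.Write "Exit code: " & exitCode
End If
On Error GoTo 0
%>
```

With bWaitOnReturn set to true the response does not complete until the process exits, so a process waiting at a prompt holds the request until it is closed or the script times out.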