Ask a Question related to ASP.NET Web Services, Design and Development.
-
Jonathan Trevor #1
IExtractImage, Impersonation, GDI and "access denied" for non-local admins
Hi,
We're using the IExtractImage interface from behind a .NET web service to
generate thumbnails for various files in our network (windows domain).
Impersonating etc. is all ok - if a user logs into the web service we can
open the file, delete the file, etc. Everything behaves as expected.
However, we cannot generate thumbnails for Powerpoint (etc) using
IExtractImage if the user is not a local admin on that server machine,
receiving a win32 error code which corresponds to "Access denied". If the
user logging into the web service is given *local* admin rights on the
server, then the IExtractImage succeeds for any file (local or networked).
However thats not something we want to do!
I'm really unsure what the problem is. No matter whether the user is local
admin or not, they can do everything with the domain accessible files (UNC
identified) they would normally be able to do. In the thumbnail code
everything seems on track - we get the PIDLs ok, getlocation returns fine
but the final extract image call (in the impersonated process) on the
IExtractImage interface returns "Access denied" - and the error goes away
when local admin rights are granted on the server for that user (so nothing
to do with network permissions).
I have several thoughts on the issue but no real idea which is correct or
how to go about addressing the hypotheses:
(a) some temporary file is being created on the server machine by the
Extract call
(b) that the GDI is being (presumably) used to create the bitmap (handle
returned by the Extract call) and somehow the Extract thread can't create it
(c) there is some side-effect of being in the local admin group which is
necessary
I thought that some threading issue may be to blame (Extract running under a
different COM thread) but that doesn't really correlate with the problem
going away when the user is made local admin.
Thoughts?
Jonathan
Jonathan Trevor Guest
-
"Access Denied" Error After Server Change
I have a number of hosting clients that use Contribute. Since I upgraded my hosting server, they are unable to connect - or more accurately, they... -
"Access Denied" on file I could open yesterday
Using Contribute 3.11 running Windows 2000 sp4. Monday was able to use Contribute just fine. Tuesday was experiencing "Access Denied" errors when... -
"Access is denied" error when running schtasks.exe under ASPNET account in win2k3 server
Hi all, I am trying to run schtasks.exe from asp.net application wich uses forms authentication under ASPNET account. It gives me "Access is... -
RewritePath throws "Access is Denied" when rewriting to directory level
Hello, I have a problem trying to rewrite a path in ASP.NET 1.1 - each rewrite throws an Access is Denied error, even though anonymous access is... -
Error: "Unable to debug on server,Access is denied"
I installed dotnet and when i try to run a web application i get the error messagebox saying "Unable to debug on server,Access is denied.Would you... -
Jonathan Trevor #2 IExtractImage, Impersonation, GDI and "access denied" for non-local admins
Hi,
We're using the IExtractImage interface from behind a .NET web service to
generate thumbnails for various files in our network (windows domain).
Impersonating etc. is all ok - if a user logs into the web service we can
open the file, delete the file, etc. Everything behaves as expected.
However, we cannot generate thumbnails for Powerpoint (etc) using
IExtractImage if the user is not a local admin on that server machine,
receiving a win32 error code which corresponds to "Access denied". If the
user logging into the web service is given *local* admin rights on the
server, then the IExtractImage succeeds for any file (local or networked).
However thats not something we want to do!
I'm really unsure what the problem is. No matter whether the user is local
admin or not, they can do everything with the domain accessible files (UNC
identified) they would normally be able to do. In the thumbnail code
everything seems on track - we get the PIDLs ok, getlocation returns fine
but the final extract image call (in the impersonated process) on the
IExtractImage interface returns "Access denied" - and the error goes away
when local admin rights are granted on the server for that user (so nothing
to do with network permissions).
I have several thoughts on the issue but no real idea which is correct or
how to go about addressing the hypotheses:
(a) some temporary file is being created on the server machine by the
Extract call
(b) that the GDI is being (presumably) used to create the bitmap (handle
returned by the Extract call) and somehow the Extract thread can't create it
(c) there is some side-effect of being in the local admin group which is
necessary
I thought that some threading issue may be to blame (Extract running under a
different COM thread) but that doesn't really correlate with the problem
going away when the user is made local admin.
Thoughts?
Jonathan
Jonathan Trevor Guest
-
Chad A. Beckner #3 Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins
Sorry, this is a little bit off topic. Have you been able to extract an
image of an HTML file?
Chad
"Jonathan Trevor" <trevor@fxpal.com> wrote in message
news:eJ8c2QxXEHA.3664@TK2MSFTNGP12.phx.gbl...nothing> Hi,
>
> We're using the IExtractImage interface from behind a .NET web service to
> generate thumbnails for various files in our network (windows domain).
> Impersonating etc. is all ok - if a user logs into the web service we can
> open the file, delete the file, etc. Everything behaves as expected.
>
> However, we cannot generate thumbnails for Powerpoint (etc) using
> IExtractImage if the user is not a local admin on that server machine,
> receiving a win32 error code which corresponds to "Access denied". If the
> user logging into the web service is given *local* admin rights on the
> server, then the IExtractImage succeeds for any file (local or networked).
> However thats not something we want to do!
>
> I'm really unsure what the problem is. No matter whether the user is local
> admin or not, they can do everything with the domain accessible files (UNC
> identified) they would normally be able to do. In the thumbnail code
> everything seems on track - we get the PIDLs ok, getlocation returns fine
> but the final extract image call (in the impersonated process) on the
> IExtractImage interface returns "Access denied" - and the error goes away
> when local admin rights are granted on the server for that user (soit> to do with network permissions).
>
> I have several thoughts on the issue but no real idea which is correct or
> how to go about addressing the hypotheses:
> (a) some temporary file is being created on the server machine by the
> Extract call
> (b) that the GDI is being (presumably) used to create the bitmap (handle
> returned by the Extract call) and somehow the Extract thread can't createa> (c) there is some side-effect of being in the local admin group which is
> necessary
>
> I thought that some threading issue may be to blame (Extract running under> different COM thread) but that doesn't really correlate with the problem
> going away when the user is made local admin.
>
> Thoughts?
> Jonathan
>
>
Chad A. Beckner Guest
-
Chad A. Beckner #4 Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins
Sorry, this is a little bit off topic. Have you been able to extract an
image of an HTML file?
Chad
"Jonathan Trevor" <trevor@fxpal.com> wrote in message
news:eJ8c2QxXEHA.3664@TK2MSFTNGP12.phx.gbl...nothing> Hi,
>
> We're using the IExtractImage interface from behind a .NET web service to
> generate thumbnails for various files in our network (windows domain).
> Impersonating etc. is all ok - if a user logs into the web service we can
> open the file, delete the file, etc. Everything behaves as expected.
>
> However, we cannot generate thumbnails for Powerpoint (etc) using
> IExtractImage if the user is not a local admin on that server machine,
> receiving a win32 error code which corresponds to "Access denied". If the
> user logging into the web service is given *local* admin rights on the
> server, then the IExtractImage succeeds for any file (local or networked).
> However thats not something we want to do!
>
> I'm really unsure what the problem is. No matter whether the user is local
> admin or not, they can do everything with the domain accessible files (UNC
> identified) they would normally be able to do. In the thumbnail code
> everything seems on track - we get the PIDLs ok, getlocation returns fine
> but the final extract image call (in the impersonated process) on the
> IExtractImage interface returns "Access denied" - and the error goes away
> when local admin rights are granted on the server for that user (soit> to do with network permissions).
>
> I have several thoughts on the issue but no real idea which is correct or
> how to go about addressing the hypotheses:
> (a) some temporary file is being created on the server machine by the
> Extract call
> (b) that the GDI is being (presumably) used to create the bitmap (handle
> returned by the Extract call) and somehow the Extract thread can't createa> (c) there is some side-effect of being in the local admin group which is
> necessary
>
> I thought that some threading issue may be to blame (Extract running under> different COM thread) but that doesn't really correlate with the problem
> going away when the user is made local admin.
>
> Thoughts?
> Jonathan
>
>
Chad A. Beckner Guest
-
Jonathan Trevor #5 Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins
As an update I had a minor brainwave after posting this w.r.t. option (a)
and started monitoring the entire filesystem during the Extract call to the
IExtractImage interface using a great utility from sysinternals. It looks
like microsoft office (or whatever implements that interface) uses
windows/temp to write a temporary file during the extraction. Giving the
user permission to write to that directory solves the problem. It seems like
a bug in the way office implements the thumbnailing code.
Oh, and we do have problems getting HTMLs to thumbnail too. I suspect its
another equivalent problem under impersonation where the IExtractImage
implementation is assuming some permissions which have not been set.
Jonathan
"Jonathan Trevor" <trevor@fxpal.com> wrote in message
news:eJ8c2QxXEHA.3664@TK2MSFTNGP12.phx.gbl...nothing> Hi,
>
> We're using the IExtractImage interface from behind a .NET web service to
> generate thumbnails for various files in our network (windows domain).
> Impersonating etc. is all ok - if a user logs into the web service we can
> open the file, delete the file, etc. Everything behaves as expected.
>
> However, we cannot generate thumbnails for Powerpoint (etc) using
> IExtractImage if the user is not a local admin on that server machine,
> receiving a win32 error code which corresponds to "Access denied". If the
> user logging into the web service is given *local* admin rights on the
> server, then the IExtractImage succeeds for any file (local or networked).
> However thats not something we want to do!
>
> I'm really unsure what the problem is. No matter whether the user is local
> admin or not, they can do everything with the domain accessible files (UNC
> identified) they would normally be able to do. In the thumbnail code
> everything seems on track - we get the PIDLs ok, getlocation returns fine
> but the final extract image call (in the impersonated process) on the
> IExtractImage interface returns "Access denied" - and the error goes away
> when local admin rights are granted on the server for that user (soit> to do with network permissions).
>
> I have several thoughts on the issue but no real idea which is correct or
> how to go about addressing the hypotheses:
> (a) some temporary file is being created on the server machine by the
> Extract call
> (b) that the GDI is being (presumably) used to create the bitmap (handle
> returned by the Extract call) and somehow the Extract thread can't createa> (c) there is some side-effect of being in the local admin group which is
> necessary
>
> I thought that some threading issue may be to blame (Extract running under> different COM thread) but that doesn't really correlate with the problem
> going away when the user is made local admin.
>
> Thoughts?
> Jonathan
>
>
Jonathan Trevor Guest
-
Jonathan Trevor #6 Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins
As an update I had a minor brainwave after posting this w.r.t. option (a)
and started monitoring the entire filesystem during the Extract call to the
IExtractImage interface using a great utility from sysinternals. It looks
like microsoft office (or whatever implements that interface) uses
windows/temp to write a temporary file during the extraction. Giving the
user permission to write to that directory solves the problem. It seems like
a bug in the way office implements the thumbnailing code.
Oh, and we do have problems getting HTMLs to thumbnail too. I suspect its
another equivalent problem under impersonation where the IExtractImage
implementation is assuming some permissions which have not been set.
Jonathan
"Jonathan Trevor" <trevor@fxpal.com> wrote in message
news:eJ8c2QxXEHA.3664@TK2MSFTNGP12.phx.gbl...nothing> Hi,
>
> We're using the IExtractImage interface from behind a .NET web service to
> generate thumbnails for various files in our network (windows domain).
> Impersonating etc. is all ok - if a user logs into the web service we can
> open the file, delete the file, etc. Everything behaves as expected.
>
> However, we cannot generate thumbnails for Powerpoint (etc) using
> IExtractImage if the user is not a local admin on that server machine,
> receiving a win32 error code which corresponds to "Access denied". If the
> user logging into the web service is given *local* admin rights on the
> server, then the IExtractImage succeeds for any file (local or networked).
> However thats not something we want to do!
>
> I'm really unsure what the problem is. No matter whether the user is local
> admin or not, they can do everything with the domain accessible files (UNC
> identified) they would normally be able to do. In the thumbnail code
> everything seems on track - we get the PIDLs ok, getlocation returns fine
> but the final extract image call (in the impersonated process) on the
> IExtractImage interface returns "Access denied" - and the error goes away
> when local admin rights are granted on the server for that user (soit> to do with network permissions).
>
> I have several thoughts on the issue but no real idea which is correct or
> how to go about addressing the hypotheses:
> (a) some temporary file is being created on the server machine by the
> Extract call
> (b) that the GDI is being (presumably) used to create the bitmap (handle
> returned by the Extract call) and somehow the Extract thread can't createa> (c) there is some side-effect of being in the local admin group which is
> necessary
>
> I thought that some threading issue may be to blame (Extract running under> different COM thread) but that doesn't really correlate with the problem
> going away when the user is made local admin.
>
> Thoughts?
> Jonathan
>
>
Jonathan Trevor Guest
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
