Professional Web Applications Themes

IExtractImage, Impersonation, GDI and "access denied" for non-local admins - ASP.NET Web Services

Hi, We're using the IExtractImage interface from behind a .NET web service to generate thumbnails for various files in our network (windows domain). Impersonating etc. is all ok - if a user logs into the web service we can open the file, delete the file, etc. Everything behaves as expected. However, we cannot generate thumbnails for Powerpoint (etc) using IExtractImage if the user is not a local admin on that server machine, receiving a win32 error code which corresponds to "Access denied". If the user logging into the web service is given *local* admin rights on the server, then the ...

  1. #1

    Default IExtractImage, Impersonation, GDI and "access denied" for non-local admins

    Hi,

    We're using the IExtractImage interface from behind a .NET web service to
    generate thumbnails for various files in our network (windows domain).
    Impersonating etc. is all ok - if a user logs into the web service we can
    open the file, delete the file, etc. Everything behaves as expected.

    However, we cannot generate thumbnails for Powerpoint (etc) using
    IExtractImage if the user is not a local admin on that server machine,
    receiving a win32 error code which corresponds to "Access denied". If the
    user logging into the web service is given *local* admin rights on the
    server, then the IExtractImage succeeds for any file (local or networked).
    However thats not something we want to do!

    I'm really unsure what the problem is. No matter whether the user is local
    admin or not, they can do everything with the domain accessible files (UNC
    identified) they would normally be able to do. In the thumbnail code
    everything seems on track - we get the PIDLs ok, getlocation returns fine
    but the final extract image call (in the impersonated process) on the
    IExtractImage interface returns "Access denied" - and the error goes away
    when local admin rights are granted on the server for that user (so nothing
    to do with network permissions).

    I have several thoughts on the issue but no real idea which is correct or
    how to go about addressing the hypotheses:
    (a) some temporary file is being created on the server machine by the
    Extract call
    (b) that the GDI is being (presumably) used to create the bitmap (handle
    returned by the Extract call) and somehow the Extract thread can't create it
    (c) there is some side-effect of being in the local admin group which is
    necessary

    I thought that some threading issue may be to blame (Extract running under a
    different COM thread) but that doesn't really correlate with the problem
    going away when the user is made local admin.

    Thoughts?
    Jonathan


    Jonathan Trevor Guest

  2. #2

    Default IExtractImage, Impersonation, GDI and "access denied" for non-local admins

    Hi,

    We're using the IExtractImage interface from behind a .NET web service to
    generate thumbnails for various files in our network (windows domain).
    Impersonating etc. is all ok - if a user logs into the web service we can
    open the file, delete the file, etc. Everything behaves as expected.

    However, we cannot generate thumbnails for Powerpoint (etc) using
    IExtractImage if the user is not a local admin on that server machine,
    receiving a win32 error code which corresponds to "Access denied". If the
    user logging into the web service is given *local* admin rights on the
    server, then the IExtractImage succeeds for any file (local or networked).
    However thats not something we want to do!

    I'm really unsure what the problem is. No matter whether the user is local
    admin or not, they can do everything with the domain accessible files (UNC
    identified) they would normally be able to do. In the thumbnail code
    everything seems on track - we get the PIDLs ok, getlocation returns fine
    but the final extract image call (in the impersonated process) on the
    IExtractImage interface returns "Access denied" - and the error goes away
    when local admin rights are granted on the server for that user (so nothing
    to do with network permissions).

    I have several thoughts on the issue but no real idea which is correct or
    how to go about addressing the hypotheses:
    (a) some temporary file is being created on the server machine by the
    Extract call
    (b) that the GDI is being (presumably) used to create the bitmap (handle
    returned by the Extract call) and somehow the Extract thread can't create it
    (c) there is some side-effect of being in the local admin group which is
    necessary

    I thought that some threading issue may be to blame (Extract running under a
    different COM thread) but that doesn't really correlate with the problem
    going away when the user is made local admin.

    Thoughts?
    Jonathan


    Jonathan Trevor Guest

  3. #3

    Default Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins

    Sorry, this is a little bit off topic. Have you been able to extract an
    image of an HTML file?

    Chad


    "Jonathan Trevor" <trevorfxpal.com> wrote in message
    news:eJ8c2QxXEHA.3664TK2MSFTNGP12.phx.gbl...
    > Hi,
    >
    > We're using the IExtractImage interface from behind a .NET web service to
    > generate thumbnails for various files in our network (windows domain).
    > Impersonating etc. is all ok - if a user logs into the web service we can
    > open the file, delete the file, etc. Everything behaves as expected.
    >
    > However, we cannot generate thumbnails for Powerpoint (etc) using
    > IExtractImage if the user is not a local admin on that server machine,
    > receiving a win32 error code which corresponds to "Access denied". If the
    > user logging into the web service is given *local* admin rights on the
    > server, then the IExtractImage succeeds for any file (local or networked).
    > However thats not something we want to do!
    >
    > I'm really unsure what the problem is. No matter whether the user is local
    > admin or not, they can do everything with the domain accessible files (UNC
    > identified) they would normally be able to do. In the thumbnail code
    > everything seems on track - we get the PIDLs ok, getlocation returns fine
    > but the final extract image call (in the impersonated process) on the
    > IExtractImage interface returns "Access denied" - and the error goes away
    > when local admin rights are granted on the server for that user (so
    nothing
    > to do with network permissions).
    >
    > I have several thoughts on the issue but no real idea which is correct or
    > how to go about addressing the hypotheses:
    > (a) some temporary file is being created on the server machine by the
    > Extract call
    > (b) that the GDI is being (presumably) used to create the bitmap (handle
    > returned by the Extract call) and somehow the Extract thread can't create
    it
    > (c) there is some side-effect of being in the local admin group which is
    > necessary
    >
    > I thought that some threading issue may be to blame (Extract running under
    a
    > different COM thread) but that doesn't really correlate with the problem
    > going away when the user is made local admin.
    >
    > Thoughts?
    > Jonathan
    >
    >

    Chad A. Beckner Guest

  4. #4

    Default Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins

    Sorry, this is a little bit off topic. Have you been able to extract an
    image of an HTML file?

    Chad


    "Jonathan Trevor" <trevorfxpal.com> wrote in message
    news:eJ8c2QxXEHA.3664TK2MSFTNGP12.phx.gbl...
    > Hi,
    >
    > We're using the IExtractImage interface from behind a .NET web service to
    > generate thumbnails for various files in our network (windows domain).
    > Impersonating etc. is all ok - if a user logs into the web service we can
    > open the file, delete the file, etc. Everything behaves as expected.
    >
    > However, we cannot generate thumbnails for Powerpoint (etc) using
    > IExtractImage if the user is not a local admin on that server machine,
    > receiving a win32 error code which corresponds to "Access denied". If the
    > user logging into the web service is given *local* admin rights on the
    > server, then the IExtractImage succeeds for any file (local or networked).
    > However thats not something we want to do!
    >
    > I'm really unsure what the problem is. No matter whether the user is local
    > admin or not, they can do everything with the domain accessible files (UNC
    > identified) they would normally be able to do. In the thumbnail code
    > everything seems on track - we get the PIDLs ok, getlocation returns fine
    > but the final extract image call (in the impersonated process) on the
    > IExtractImage interface returns "Access denied" - and the error goes away
    > when local admin rights are granted on the server for that user (so
    nothing
    > to do with network permissions).
    >
    > I have several thoughts on the issue but no real idea which is correct or
    > how to go about addressing the hypotheses:
    > (a) some temporary file is being created on the server machine by the
    > Extract call
    > (b) that the GDI is being (presumably) used to create the bitmap (handle
    > returned by the Extract call) and somehow the Extract thread can't create
    it
    > (c) there is some side-effect of being in the local admin group which is
    > necessary
    >
    > I thought that some threading issue may be to blame (Extract running under
    a
    > different COM thread) but that doesn't really correlate with the problem
    > going away when the user is made local admin.
    >
    > Thoughts?
    > Jonathan
    >
    >

    Chad A. Beckner Guest

  5. #5

    Default Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins

    As an update I had a minor brainwave after posting this w.r.t. option (a)
    and started monitoring the entire filesystem during the Extract call to the
    IExtractImage interface using a great utility from sysinternals. It looks
    like microsoft office (or whatever implements that interface) uses
    windows/temp to write a temporary file during the extraction. Giving the
    user permission to write to that directory solves the problem. It seems like
    a bug in the way office implements the thumbnailing code.

    Oh, and we do have problems getting HTMLs to thumbnail too. I suspect its
    another equivalent problem under impersonation where the IExtractImage
    implementation is assuming some permissions which have not been set.

    Jonathan

    "Jonathan Trevor" <trevorfxpal.com> wrote in message
    news:eJ8c2QxXEHA.3664TK2MSFTNGP12.phx.gbl...
    > Hi,
    >
    > We're using the IExtractImage interface from behind a .NET web service to
    > generate thumbnails for various files in our network (windows domain).
    > Impersonating etc. is all ok - if a user logs into the web service we can
    > open the file, delete the file, etc. Everything behaves as expected.
    >
    > However, we cannot generate thumbnails for Powerpoint (etc) using
    > IExtractImage if the user is not a local admin on that server machine,
    > receiving a win32 error code which corresponds to "Access denied". If the
    > user logging into the web service is given *local* admin rights on the
    > server, then the IExtractImage succeeds for any file (local or networked).
    > However thats not something we want to do!
    >
    > I'm really unsure what the problem is. No matter whether the user is local
    > admin or not, they can do everything with the domain accessible files (UNC
    > identified) they would normally be able to do. In the thumbnail code
    > everything seems on track - we get the PIDLs ok, getlocation returns fine
    > but the final extract image call (in the impersonated process) on the
    > IExtractImage interface returns "Access denied" - and the error goes away
    > when local admin rights are granted on the server for that user (so
    nothing
    > to do with network permissions).
    >
    > I have several thoughts on the issue but no real idea which is correct or
    > how to go about addressing the hypotheses:
    > (a) some temporary file is being created on the server machine by the
    > Extract call
    > (b) that the GDI is being (presumably) used to create the bitmap (handle
    > returned by the Extract call) and somehow the Extract thread can't create
    it
    > (c) there is some side-effect of being in the local admin group which is
    > necessary
    >
    > I thought that some threading issue may be to blame (Extract running under
    a
    > different COM thread) but that doesn't really correlate with the problem
    > going away when the user is made local admin.
    >
    > Thoughts?
    > Jonathan
    >
    >

    Jonathan Trevor Guest

  6. #6

    Default Re: IExtractImage, Impersonation, GDI and "access denied" for non-local admins

    As an update I had a minor brainwave after posting this w.r.t. option (a)
    and started monitoring the entire filesystem during the Extract call to the
    IExtractImage interface using a great utility from sysinternals. It looks
    like microsoft office (or whatever implements that interface) uses
    windows/temp to write a temporary file during the extraction. Giving the
    user permission to write to that directory solves the problem. It seems like
    a bug in the way office implements the thumbnailing code.

    Oh, and we do have problems getting HTMLs to thumbnail too. I suspect its
    another equivalent problem under impersonation where the IExtractImage
    implementation is assuming some permissions which have not been set.

    Jonathan

    "Jonathan Trevor" <trevorfxpal.com> wrote in message
    news:eJ8c2QxXEHA.3664TK2MSFTNGP12.phx.gbl...
    > Hi,
    >
    > We're using the IExtractImage interface from behind a .NET web service to
    > generate thumbnails for various files in our network (windows domain).
    > Impersonating etc. is all ok - if a user logs into the web service we can
    > open the file, delete the file, etc. Everything behaves as expected.
    >
    > However, we cannot generate thumbnails for Powerpoint (etc) using
    > IExtractImage if the user is not a local admin on that server machine,
    > receiving a win32 error code which corresponds to "Access denied". If the
    > user logging into the web service is given *local* admin rights on the
    > server, then the IExtractImage succeeds for any file (local or networked).
    > However thats not something we want to do!
    >
    > I'm really unsure what the problem is. No matter whether the user is local
    > admin or not, they can do everything with the domain accessible files (UNC
    > identified) they would normally be able to do. In the thumbnail code
    > everything seems on track - we get the PIDLs ok, getlocation returns fine
    > but the final extract image call (in the impersonated process) on the
    > IExtractImage interface returns "Access denied" - and the error goes away
    > when local admin rights are granted on the server for that user (so
    nothing
    > to do with network permissions).
    >
    > I have several thoughts on the issue but no real idea which is correct or
    > how to go about addressing the hypotheses:
    > (a) some temporary file is being created on the server machine by the
    > Extract call
    > (b) that the GDI is being (presumably) used to create the bitmap (handle
    > returned by the Extract call) and somehow the Extract thread can't create
    it
    > (c) there is some side-effect of being in the local admin group which is
    > necessary
    >
    > I thought that some threading issue may be to blame (Extract running under
    a
    > different COM thread) but that doesn't really correlate with the problem
    > going away when the user is made local admin.
    >
    > Thoughts?
    > Jonathan
    >
    >

    Jonathan Trevor Guest

Similar Threads

  1. "Access Denied" on file I could open yesterday
    By lic628 in forum Macromedia Contribute General Discussion
    Replies: 2
    Last Post: May 11th, 12:52 PM
  2. Replies: 1
    Last Post: October 19th, 06:55 PM
  3. Replies: 1
    Last Post: November 17th, 03:45 AM
  4. Replies: 0
    Last Post: August 26th, 07:00 PM
  5. Error: "Unable to debug on server,Access is denied"
    By ganesh in forum ASP.NET General
    Replies: 1
    Last Post: August 6th, 11:33 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139