Gabriel R #1
IIS ADSI virtual dir creation problem from web application
I am trying to create a virtual directory using ADSI, with the following
C# code:
string Server = <srv>;
string ApplicationName = <app>;
DirectoryEntry root = new DirectoryEntry("IIS://" + Server + "/W3SVC/1/Root",
                                         adminusername, adminuserpass);
// look up the virtual dir
DirectoryEntry app = null;
foreach (DirectoryEntry e in root.Children)
{
    if (e.SchemaClassName == "IISWebVirtualDir" &&
        e.Name.ToUpper() == ApplicationName.ToUpper())
    {
        app = e; break;
    }
}
if (app == null)
{
    // create the virtual dir
    app = root.Children.Add(ApplicationName, "IISWebVirtualDir");
}
// create the application attached to it
app.Invoke("AppCreate", false);
// set the properties of the virtual dir
app.Properties["Path"][0] = "D:\\Web";
app.Properties["DefaultDoc"][0] = "default.aspx";
app.Properties["AppFriendlyName"][0] = ApplicationName;
app.CommitChanges();
The code works fine if I run it from a Windows Forms application,
however if it's run from a web application I get a COMException: Access
denied.
The web application runs under the credentials of the admin user (I used
<identity impersonate=true ...> in web.config).
How could I solve this problem?
Gabriel
*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!
-
Joe Kaplan \(MVP - ADSI\) #2
Re: IIS ADSI virtual dir creation problem from web application
One thing to know about the IIS provider is that it doesn't respect the
username and password properties. It always uses the security context of
the current thread. Therefore, you need to make sure you change that
instead. I'm not sure why this isn't well documented or doesn't throw an
exception, but that's the way it is.
Joe K.
"Gabriel R" <rozsagabor@yahoo.com> wrote in message
news:%23NMAAWt0EHA.3840@TK2MSFTNGP10.phx.gbl...
> I am trying to create a virtual directory using ADSI, with the following
> C# code:
>
> string Server = <srv>;
> string ApplicationName = <app>;
> DirectoryEntry root = new DirectoryEntry("IIS://" + Server +
> "/W3SVC/1/Root", adminusername, adminuserpass);
> // look up the virtual dir
> DirectoryEntry app = null;
> foreach (DirectoryEntry e in root.Children)
> {
> if (e.SchemaClassName == "IISWebVirtualDir" && e.Name.ToUpper() ==
> ApplicationName.ToUpper())
> {
> app = e; break;
> }
> }
> if (app == null)
> {
> // create the virtual dir
> app = root.Children.Add(ApplicationName, "IISWebVirtualDir");
> }
> // create the application attached to it
> app.Invoke("AppCreate", false);
> // set the properties of the virtual dir
> app.Properties["Path"][0] = "D:\\Web";
> app.Properties["DefaultDoc"][0] = "default.aspx";
> app.Properties["AppFriendlyName"][0] = ApplicationName;
> app.CommitChanges();
>
> The code works fine if I run it from a Windows Forms application,
> however if it's run from a web application I get a COMException: Access
> denied.
> The web application runs under the credentials of the admin user (I used
> <identity impersonate=true ...> in web.config).
>
> How could I solve this problem?
>
> Gabriel
>
> *** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
> Don't just participate in USENET...get rewarded for it!
-
Gabriel R via DotNetMonster.com #3
Re: IIS ADSI virtual dir creation problem from web application
I have tried to run the code impersonated (first calling impersonateValidUser then, after everything's done, undoImpersonation). I have used:
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

#region setup impersonation via interop
public const int LOGON32_LOGON_INTERACTIVE = 2;
public const int LOGON32_PROVIDER_DEFAULT = 0;
static WindowsImpersonationContext impersonationContext;

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int LogonUser(String lpszUserName, String lpszDomain, String lpszPassword,
    int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public extern static int DuplicateToken(IntPtr hToken, int impersonationLevel, ref IntPtr hNewToken);
// needed to release the logon tokens; without it both handles leak on every call
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
#endregion

#region impersonation methods
private static bool impersonateValidUser(String userName, String domain, String password)
{
    WindowsIdentity tempWindowsIdentity;
    IntPtr token = IntPtr.Zero;
    IntPtr tokenDuplicate = IntPtr.Zero;

    // try raw impersonation (username, pass)
    if (LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                  LOGON32_PROVIDER_DEFAULT, ref token) == 0)
        return false;

    try
    {
        // duplicate the token (2 = SecurityImpersonation) and use it for impersonation
        if (DuplicateToken(token, 2, ref tokenDuplicate) == 0)
            return false;

        tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
        impersonationContext = tempWindowsIdentity.Impersonate();
        return impersonationContext != null;
    }
    finally
    {
        // the impersonation context keeps its own reference; the raw handles can go
        if (tokenDuplicate != IntPtr.Zero) CloseHandle(tokenDuplicate);
        CloseHandle(token);
    }
}

private static void undoImpersonation()
{
    if (impersonationContext != null)
    {
        impersonationContext.Undo();
        impersonationContext = null;
    }
}
#endregion
What's interesting is that it works fine on IIS 5.1 (WinXP), but it wouldn't work on IIS 5 (Win2k) or IIS 6 (Win2003). However, if run from a Windows Forms application, it works on all machines.
Is there another way to impersonate the current thread (apart from the functions I used from advapi32.dll)?
Thanks,
Gabriel
--
Message posted via [url]http://www.dotnetmonster.com[/url]
-
Joe Kaplan \(MVP - ADSI\) #4
Re: IIS ADSI virtual dir creation problem from web application
I'd suggest using the sample code that MS publishes for programmatic
impersonation:
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true[/url]
It has the benefit of some nicer error handling which might help explain
what didn't work on 2000 or 2003. Essentially, they should both work fine.
However, you do need "Act as part of the operating system" privilege to call
LogonUser under Windows 2000 which might be a deal breaker.
The other option is putting the code in a COM+ component and running that
under the identity you need to manage the server(s).
Another option might be to look at the WMI provider for IIS instead of ADSI.
It might give you more flexibility (although I don't know anything about
it).
HTH,
Joe K.
"Gabriel R via DotNetMonster.com" <forum@DotNetMonster.com> wrote in message
news:3b0b82514da04771911882f3133db3e6@DotNetMonster.com...
> I have tried to run the code impersonated (first calling
> impersonateValidUser then, after everything's done, undoImpersonation). I
> have used:
>
> #region setup impersonation via interop
> public const int LOGON32_LOGON_INTERACTIVE = 2;
> public const int LOGON32_PROVIDER_DEFAULT = 0;
> static System.Security.Principal.WindowsImpersonationContext
> impersonationContext;
>
> [DllImport("advapi32.dll", CharSet=CharSet.Auto)]public static extern int
> LogonUser(String lpszUserName, String lpszDomain,String lpszPassword,int
> dwLogonType, int dwLogonProvider,ref IntPtr phToken);
> [DllImport("advapi32.dll",
> CharSet=System.Runtime.InteropServices.CharSet.Auto,
> SetLastError=true)]public extern static int DuplicateToken(IntPtr hToken,
> int impersonationLevel, ref IntPtr hNewToken);
> #endregion
>
> #region impersonation methods
> private static bool impersonateValidUser(String userName, String domain,
> String password)
> {
> WindowsIdentity tempWindowsIdentity;
> IntPtr token = IntPtr.Zero;
> IntPtr tokenDuplicate = IntPtr.Zero;
>
> // try raw impersonation (username, pass)
> if (LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
> LOGON32_PROVIDER_DEFAULT, ref token) == 0)
> return false;
>
> // duplicate the token and use it for impersonation
> if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
> {
> tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
> impersonationContext = tempWindowsIdentity.Impersonate();
> if (impersonationContext != null) return true;
> else return false;
> }
> else return false;
> }
>
> private static void undoImpersonation()
> {
> impersonationContext.Undo();
> }
> #endregion
>
> What's interesting is that it works fine on IIS 5.1 (WinXP), but it
> wouldn't work on IIS 5 (Win2k) or IIS 6 (Win2003). However, if run from a
> Windows Forms application, it works on all machines.
>
> Is there another way to impersonate the current thread (apart from the
> functions I used from advapi32.dll)?
>
> Thanks,
> Gabriel
>
> --
> Message posted via [url]http://www.dotnetmonster.com[/url]
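Joe's two points in this thread can be put together in one added example: the IIS ADSI provider ignores the username and password handed to DirectoryEntry and uses the thread's security context, and an impersonation helper should surface the Win32 error from LogonUser instead of returning a bare false. This is written here for illustration; it is not Gabriel's code, Joe's, or the MSDN sample he links. It assumes the IIS 5/6 metabase ADSI provider, .NET Framework 2.0 or later (WindowsIdentity.Impersonate(IntPtr) and WindowsImpersonationContext), and that the server name, virtual directory name, physical path and account are supplied by the caller; the logon constants are the same documented values used in the thread.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not code from the thread. Impersonates a Windows account on
// the current thread for the lifetime of a 'using' block and reverts/cleans
// up afterwards, even if the ADSI calls throw.
public sealed class ImpersonationScope : IDisposable
{
    // Documented Win32 logon constants (the same values the original post uses).
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private IntPtr token = IntPtr.Zero;
    private WindowsImpersonationContext context;

    public ImpersonationScope(string userName, string domain, string password)
    {
        if (!LogonUser(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the real failure reason rather than a bare 'false'. On
            // Windows 2000 a caller lacking "Act as part of the operating system"
            // sees Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD) here, which is the
            // case Joe calls a possible deal breaker.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        context = WindowsIdentity.Impersonate(token);
    }

    public void Dispose()
    {
        // Revert the thread first, then release the logon token handle.
        if (context != null) { context.Undo(); context = null; }
        if (token != IntPtr.Zero) { CloseHandle(token); token = IntPtr.Zero; }
    }
}

public static class IisVirtualDirs
{
    // Finds or creates the virtual directory, sets the same properties as the
    // original post and marks it as an application. No credentials are passed
    // to DirectoryEntry: the IIS provider uses the impersonated thread token.
    // 'server', 'name', 'physicalPath' and the account are caller-supplied.
    public static void EnsureVirtualDir(string server, string name, string physicalPath,
                                        string userName, string domain, string password)
    {
        using (new ImpersonationScope(userName, domain, password))
        using (DirectoryEntry root = new DirectoryEntry("IIS://" + server + "/W3SVC/1/Root"))
        {
            DirectoryEntry app = null;
            foreach (DirectoryEntry child in root.Children)
            {
                if (app == null &&
                    child.SchemaClassName == "IISWebVirtualDir" &&
                    string.Compare(child.Name, name, true) == 0)
                {
                    app = child;        // keep the match
                }
                else
                {
                    child.Dispose();    // release the COM object behind every other entry
                }
            }
            if (app == null)
            {
                app = root.Children.Add(name, "IISWebVirtualDir");
            }
            using (app)
            {
                app.Properties["Path"].Value = physicalPath;
                app.Properties["DefaultDoc"].Value = "default.aspx";
                app.Properties["AppFriendlyName"].Value = name;
                // Commit first so a newly added entry exists in the metabase before
                // a method is invoked on it; AppCreate(false) is the call the
                // original post makes.
                app.CommitChanges();
                app.Invoke("AppCreate", false);
            }
        }
    }
}
```

Called from the web application, this performs the metabase calls under the logged-on account regardless of the worker process identity or the request's impersonation token, and a failing LogonUser now reports why it failed. Joe's other two options (a COM+ component running under the management identity, or the IIS WMI provider) avoid per-thread impersonation altogether and are the route to take where LogonUser's privilege requirement cannot be met.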