Professional Web Applications Themes

IIS Virtual Directory Create Failure :( - ASP.NET Web Services

System.UnauthorizedAccesception: Access is denied. at System.DirectoryServices.Interop.IAds.SetInfo() at System.DirectoryServices.DirectoryEntry.CommitChan ges() at CreateVirtualDirectories.Dal.CreateWebVirtualDirec tory.Create .... tried on the local development box and it had issues like this until I gave permissions like described in Article ID 329986, scroll down, Method A. It is a double hop as I did the test at the bottom in the Quick Test section. Code snippets: Web.config for web service having the error shown above... <identity impersonate="true" /> .... SCHEMA= "IIsWebVirtualDir"; mRootSubPath = "/W3SVC/1/Root"; .... DirectoryEntry deRoot= new DirectoryEntry("IIS://" + "localhost" + mRootSubPath,winAcctId,winAcctPwd,AuthenticationTy pes.Secure); .... if (Directory.Exists("c:\temp\Eskimo\") == false) { Directory.CreateDirectory("c:\temp\Eskimo\"); } deRoot.RefreshCache(); DirectoryEntry deNewVDir = deRoot.Children.Add("Eskimo",mSchema); ...

  1. #1

    Default IIS Virtual Directory Create Failure :(


    System.UnauthorizedAccesception: Access is denied.
    at System.DirectoryServices.Interop.IAds.SetInfo()
    at System.DirectoryServices.DirectoryEntry.CommitChan ges()
    at CreateVirtualDirectories.Dal.CreateWebVirtualDirec tory.Create

    ....

    tried on the local development box and it had issues like this

    until I gave permissions like described in Article ID 329986, scroll down,
    Method A.

    It is a double hop as I did the test at the bottom in the Quick Test section.



    Code snippets:

    Web.config for web service having the error shown above...

    <identity impersonate="true" />
    ....

    SCHEMA= "IIsWebVirtualDir";
    mRootSubPath = "/W3SVC/1/Root";

    ....

    DirectoryEntry deRoot= new DirectoryEntry("IIS://" + "localhost"
    + mRootSubPath,winAcctId,winAcctPwd,AuthenticationTy pes.Secure);

    ....

    if (Directory.Exists("c:\temp\Eskimo\") == false)
    {

    Directory.CreateDirectory("c:\temp\Eskimo\");

    }

    deRoot.RefreshCache();

    DirectoryEntry deNewVDir =
    deRoot.Children.Add("Eskimo",mSchema);

    deNewVDir.Properties["Path"].Insert(0,"c:\temp\Eskimo\");

    ....
    deNewVDir.Properties["AccessRead"][0] =true;
    deNewVDir.Properties["AccessWrite"][0] = true;
    deNewVDir.Properties["Accesecute"][0] = true;
    deNewVDir.Properties["AuthAnonymous"][0] = false;
    deNewVDir.Properties["AuthBasic"][0] = false;
    deNewVDir.Properties["AuthNTLM"][0] = true;
    deNewVDir.Properties["ContentIndexed"][0] = false;
    deNewVDir.Properties["EnableDirBrowsing"][0] = true;
    ...
    deNewVDir.Invoke("AppCreate",true);

    deNewVDir.CommitChanges();
    deRoot.CommitChanges();

    deNewVDir.Close();

    deRoot.Close();
    ....

    Now: in a windows application it works great! I have a DLL project and a
    windows app test project and the web service accessing the DLL project.
    In a web service I get the error listed above... :(

    --
    tym, Eskimo
    Eskimo Guest

  2. #2

    Default RE: IIS Virtual Directory Create Failure :(

    Hi,

    If I understand you, you're trying to make IIS hosted managed code in a web
    service dynamically define new VROOTS on the server that the web service is
    on, and you are getting an access deined error.

    The managed code for your service is going to need to have permissions to
    do these administrator operations, and thus either be impersonating an
    administrator account (not a good idea if you ask me) or running in the
    security context of an administrator (e.g. being called by and
    administrator and assuming the administrators permissions). The latter is
    possible by placing the calls in the administrator's security context.
    This is done by setting the credential cache in the proxy to the default
    identity (the calling user).

    I hope this helps

    Dan Rogers
    Microsoft Corporation
    --------------------
    >Thread-Topic: IIS Virtual Directory Create Failure :(
    >thread-index: AcTCxfBi2xjrBaTfSM2bHVVte4BerQ==
    >X-WBNR-Posting-Host: 63.162.177.130
    >From: =?Utf-8?B?RXNraW1v?= <Eskimodiscussions.microsoft.com>
    >Subject: IIS Virtual Directory Create Failure :(
    >Date: Thu, 4 Nov 2004 15:28:07 -0800
    >Lines: 74
    >Message-ID: <E288D499-3B3F-4B1D-BC17-D3F32A78249Cmicrosoft.com>
    >MIME-Version: 1.0
    >Content-Type: text/plain;
    > cht="Utf-8"
    >Content-Transfer-Encoding: 7bit
    >X-Newsreader: Microsoft CDO for Windows 2000
    >Content-Class: urn:content-classes:message
    >Importance: normal
    >Priority: normal
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservic es
    >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    >Xref: cpmsftngxa10.phx.gbl
    microsoft.public.dotnet.framework.aspnet.webservic es:26386
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservic es
    >
    >
    >System.UnauthorizedAccesception: Access is denied.
    > at System.DirectoryServices.Interop.IAds.SetInfo()
    > at System.DirectoryServices.DirectoryEntry.CommitChan ges()
    > at CreateVirtualDirectories.Dal.CreateWebVirtualDirec tory.Create
    >
    >...
    >
    > tried on the local development box and it had issues like this
    >
    >until I gave permissions like described in Article ID 329986, scroll down,
    >Method A.
    >
    >It is a double hop as I did the test at the bottom in the Quick Test
    section.
    >
    >
    >
    >Code snippets:
    >
    >Web.config for web service having the error shown above...
    >
    ><identity impersonate="true" />
    >...
    >
    > SCHEMA= "IIsWebVirtualDir";
    > mRootSubPath = "/W3SVC/1/Root";
    >
    >...
    >
    > DirectoryEntry deRoot= new DirectoryEntry("IIS://" +
    "localhost"
    >+ mRootSubPath,winAcctId,winAcctPwd,AuthenticationTy pes.Secure);
    >
    >...
    >
    > if (Directory.Exists("c:\temp\Eskimo\") == false)
    > {
    >
    > Directory.CreateDirectory("c:\temp\Eskimo\");
    >
    > }
    >
    > deRoot.RefreshCache();
    >
    > DirectoryEntry deNewVDir =
    >deRoot.Children.Add("Eskimo",mSchema);
    >
    > deNewVDir.Properties["Path"].Insert(0,"c:\temp\Eskimo\");
    >
    >...
    > deNewVDir.Properties["AccessRead"][0] =true;
    > deNewVDir.Properties["AccessWrite"][0] = true;
    > deNewVDir.Properties["Accesecute"][0] = true;
    > deNewVDir.Properties["AuthAnonymous"][0] = false;
    > deNewVDir.Properties["AuthBasic"][0] = false;
    > deNewVDir.Properties["AuthNTLM"][0] = true;
    > deNewVDir.Properties["ContentIndexed"][0] = false;
    > deNewVDir.Properties["EnableDirBrowsing"][0] = true;
    > ...
    > deNewVDir.Invoke("AppCreate",true);
    >
    > deNewVDir.CommitChanges();
    > deRoot.CommitChanges();
    >
    > deNewVDir.Close();
    >
    > deRoot.Close();
    >...
    >
    >Now: in a windows application it works great! I have a DLL project and a
    >windows app test project and the web service accessing the DLL project.
    >In a web service I get the error listed above... :(
    >
    >--
    >tym, Eskimo
    >
    Dan Rogers Guest

  3. #3

    Default RE: IIS Virtual Directory Create Failure :(

    Dan,

    Thanks for the suggestion, however, I used the following snippet...that
    didnt work even with an administrator logged in...impersonation didn't work
    either...

    I think it's IIS -> ADSI where the permission problem is on the server. I'm
    on xp pro and it works great!

    When I log into the server 2003 box as a member of the admin group it fails
    spectacularly with "Access is Denied."

    System.Security.Principal.WindowsImpersonationCont ext
    impersonationContext;
    impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.I dentity).Impersonate();

    <call web service method>

    impersonationContext.Undo();

    "Dan Rogers" wrote:
    > Hi,
    >
    > If I understand you, you're trying to make IIS hosted managed code in a web
    > service dynamically define new VROOTS on the server that the web service is
    > on, and you are getting an access deined error.
    >
    > The managed code for your service is going to need to have permissions to
    > do these administrator operations, and thus either be impersonating an
    > administrator account (not a good idea if you ask me) or running in the
    > security context of an administrator (e.g. being called by and
    > administrator and assuming the administrators permissions). The latter is
    > possible by placing the calls in the administrator's security context.
    > This is done by setting the credential cache in the proxy to the default
    > identity (the calling user).
    >
    > I hope this helps
    >
    > Dan Rogers
    > Microsoft Corporation
    > --------------------
    > >Thread-Topic: IIS Virtual Directory Create Failure :(
    > >thread-index: AcTCxfBi2xjrBaTfSM2bHVVte4BerQ==
    > >X-WBNR-Posting-Host: 63.162.177.130
    > >From: =?Utf-8?B?RXNraW1v?= <Eskimodiscussions.microsoft.com>
    > >Subject: IIS Virtual Directory Create Failure :(
    > >Date: Thu, 4 Nov 2004 15:28:07 -0800
    > >Lines: 74
    > >Message-ID: <E288D499-3B3F-4B1D-BC17-D3F32A78249Cmicrosoft.com>
    > >MIME-Version: 1.0
    > >Content-Type: text/plain;
    > > cht="Utf-8"
    > >Content-Transfer-Encoding: 7bit
    > >X-Newsreader: Microsoft CDO for Windows 2000
    > >Content-Class: urn:content-classes:message
    > >Importance: normal
    > >Priority: normal
    > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    > >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservic es
    > >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    > >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    > >Xref: cpmsftngxa10.phx.gbl
    > microsoft.public.dotnet.framework.aspnet.webservic es:26386
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservic es
    > >
    > >
    > >System.UnauthorizedAccesception: Access is denied.
    > > at System.DirectoryServices.Interop.IAds.SetInfo()
    > > at System.DirectoryServices.DirectoryEntry.CommitChan ges()
    > > at CreateVirtualDirectories.Dal.CreateWebVirtualDirec tory.Create
    > >
    > >...
    > >
    > > tried on the local development box and it had issues like this
    > >
    > >until I gave permissions like described in Article ID 329986, scroll down,
    > >Method A.
    > >
    > >It is a double hop as I did the test at the bottom in the Quick Test
    > section.
    > >
    > >
    > >
    > >Code snippets:
    > >
    > >Web.config for web service having the error shown above...
    > >
    > ><identity impersonate="true" />
    > >...
    > >
    > > SCHEMA= "IIsWebVirtualDir";
    > > mRootSubPath = "/W3SVC/1/Root";
    > >
    > >...
    > >
    > > DirectoryEntry deRoot= new DirectoryEntry("IIS://" +
    > "localhost"
    > >+ mRootSubPath,winAcctId,winAcctPwd,AuthenticationTy pes.Secure);
    > >
    > >...
    > >
    > > if (Directory.Exists("c:\temp\Eskimo\") == false)
    > > {
    > >
    > > Directory.CreateDirectory("c:\temp\Eskimo\");
    > >
    > > }
    > >
    > > deRoot.RefreshCache();
    > >
    > > DirectoryEntry deNewVDir =
    > >deRoot.Children.Add("Eskimo",mSchema);
    > >
    > > deNewVDir.Properties["Path"].Insert(0,"c:\temp\Eskimo\");
    > >
    > >...
    > > deNewVDir.Properties["AccessRead"][0] =true;
    > > deNewVDir.Properties["AccessWrite"][0] = true;
    > > deNewVDir.Properties["Accesecute"][0] = true;
    > > deNewVDir.Properties["AuthAnonymous"][0] = false;
    > > deNewVDir.Properties["AuthBasic"][0] = false;
    > > deNewVDir.Properties["AuthNTLM"][0] = true;
    > > deNewVDir.Properties["ContentIndexed"][0] = false;
    > > deNewVDir.Properties["EnableDirBrowsing"][0] = true;
    > > ...
    > > deNewVDir.Invoke("AppCreate",true);
    > >
    > > deNewVDir.CommitChanges();
    > > deRoot.CommitChanges();
    > >
    > > deNewVDir.Close();
    > >
    > > deRoot.Close();
    > >...
    > >
    > >Now: in a windows application it works great! I have a DLL project and a
    > >windows app test project and the web service accessing the DLL project.
    > >In a web service I get the error listed above... :(
    > >
    > >--
    > >tym, Eskimo
    > >
    >
    >
    Eskimo Guest

  4. #4

    Default RE: IIS Virtual Directory Create Failure :(

    Ahhh. I think this is a matter of the later OS being more secure. Code
    access security is going to do a lot to prevent internet hosted logic from
    doing things that require admin permissions. You want to think VERY
    carefully about undoing this protection. Since .NET 1.1 was shipped as a
    part of Windows Server 2003, I suspect that the policy expressions that
    shipped with this version were more restrictive. If this is the case, no
    amount of impersonation is going to fix this - since the call is
    originating from a web service and thus is sand boxed. You'd have to
    override code access security for these specific operations. I would still
    add logic to such a service to make sure that the caller is a member of a
    group the caller recognizes ad an admin, since once you over-ride the
    sandbox security, no other protections would be keeping a non-admin from
    making a call that if overdone could flood your box and disable your server.

    I hope this helps

    Dan
    --------------------
    >Thread-Topic: IIS Virtual Directory Create Failure :(
    >thread-index: AcTMurvE7+6ff34BSxC8pHYgFuZQvQ==
    >X-WBNR-Posting-Host: 63.162.177.130
    >From: =?Utf-8?B?RXNraW1v?= <Eskimodiscussions.microsoft.com>
    >References: <E288D499-3B3F-4B1D-BC17-D3F32A78249Cmicrosoft.com>
    <BsZ7jyDzEHA.1184cpmsftngxa10.phx.gbl>
    >Subject: RE: IIS Virtual Directory Create Failure :(
    >Date: Wed, 17 Nov 2004 07:33:05 -0800
    >Lines: 146
    >Message-ID: <E07C3395-6C1C-47C1-AFB4-39473F4FEB74microsoft.com>
    >MIME-Version: 1.0
    >Content-Type: text/plain;
    > cht="Utf-8"
    >Content-Transfer-Encoding: 7bit
    >X-Newsreader: Microsoft CDO for Windows 2000
    >Content-Class: urn:content-classes:message
    >Importance: normal
    >Priority: normal
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservic es
    >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFT NGXA03.phx.gbl
    >Xref: cpmsftngxa10.phx.gbl
    microsoft.public.dotnet.framework.aspnet.webservic es:26666
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservic es
    >
    >Dan,
    >
    >Thanks for the suggestion, however, I used the following snippet...that
    >didnt work even with an administrator logged in...impersonation didn't
    work
    >either...
    >
    >I think it's IIS -> ADSI where the permission problem is on the server.
    I'm
    >on xp pro and it works great!
    >
    >When I log into the server 2003 box as a member of the admin group it
    fails
    >spectacularly with "Access is Denied."
    >
    > System.Security.Principal.WindowsImpersonationCont ext
    >impersonationContext;
    > impersonationContext =
    >((System.Security.Principal.WindowsIdentity)User. Identity).Impersonate();
    >
    ><call web service method>
    >
    > impersonationContext.Undo();
    >
    >"Dan Rogers" wrote:
    >
    >> Hi,
    >>
    >> If I understand you, you're trying to make IIS hosted managed code in a
    web
    >> service dynamically define new VROOTS on the server that the web service
    is
    >> on, and you are getting an access deined error.
    >>
    >> The managed code for your service is going to need to have permissions
    to
    >> do these administrator operations, and thus either be impersonating an
    >> administrator account (not a good idea if you ask me) or running in the
    >> security context of an administrator (e.g. being called by and
    >> administrator and assuming the administrators permissions). The latter
    is
    >> possible by placing the calls in the administrator's security context.
    >> This is done by setting the credential cache in the proxy to the default
    >> identity (the calling user).
    >>
    >> I hope this helps
    >>
    >> Dan Rogers
    >> Microsoft Corporation
    >> --------------------
    >> >Thread-Topic: IIS Virtual Directory Create Failure :(
    >> >thread-index: AcTCxfBi2xjrBaTfSM2bHVVte4BerQ==
    >> >X-WBNR-Posting-Host: 63.162.177.130
    >> >From: =?Utf-8?B?RXNraW1v?= <Eskimodiscussions.microsoft.com>
    >> >Subject: IIS Virtual Directory Create Failure :(
    >> >Date: Thu, 4 Nov 2004 15:28:07 -0800
    >> >Lines: 74
    >> >Message-ID: <E288D499-3B3F-4B1D-BC17-D3F32A78249Cmicrosoft.com>
    >> >MIME-Version: 1.0
    >> >Content-Type: text/plain;
    >> > cht="Utf-8"
    >> >Content-Transfer-Encoding: 7bit
    >> >X-Newsreader: Microsoft CDO for Windows 2000
    >> >Content-Class: urn:content-classes:message
    >> >Importance: normal
    >> >Priority: normal
    >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    >> >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservic es
    >> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    >> >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    >> >Xref: cpmsftngxa10.phx.gbl
    >> microsoft.public.dotnet.framework.aspnet.webservic es:26386
    >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservic es
    >> >
    >> >
    >> >System.UnauthorizedAccesception: Access is denied.
    >> > at System.DirectoryServices.Interop.IAds.SetInfo()
    >> > at System.DirectoryServices.DirectoryEntry.CommitChan ges()
    >> > at CreateVirtualDirectories.Dal.CreateWebVirtualDirec tory.Create
    >> >
    >> >...
    >> >
    >> > tried on the local development box and it had issues like this
    >> >
    >> >until I gave permissions like described in Article ID 329986, scroll
    down,
    >> >Method A.
    >> >
    >> >It is a double hop as I did the test at the bottom in the Quick Test
    >> section.
    >> >
    >> >
    >> >
    >> >Code snippets:
    >> >
    >> >Web.config for web service having the error shown above...
    >> >
    >> ><identity impersonate="true" />
    >> >...
    >> >
    >> > SCHEMA= "IIsWebVirtualDir";
    >> > mRootSubPath = "/W3SVC/1/Root";
    >> >
    >> >...
    >> >
    >> > DirectoryEntry deRoot= new DirectoryEntry("IIS://" +
    >> "localhost"
    >> >+ mRootSubPath,winAcctId,winAcctPwd,AuthenticationTy pes.Secure);
    >> >
    >> >...
    >> >
    >> > if (Directory.Exists("c:\temp\Eskimo\") == false)
    >> > {
    >> >
    >> > Directory.CreateDirectory("c:\temp\Eskimo\");
    >> >
    >> > }
    >> >
    >> > deRoot.RefreshCache();
    >> >
    >> > DirectoryEntry deNewVDir =
    >> >deRoot.Children.Add("Eskimo",mSchema);
    >> >
    >> >
    deNewVDir.Properties["Path"].Insert(0,"c:\temp\Eskimo\");
    >> >
    >> >...
    >> > deNewVDir.Properties["AccessRead"][0] =true;
    >> > deNewVDir.Properties["AccessWrite"][0] = true;
    >> > deNewVDir.Properties["Accesecute"][0] = true;
    >> > deNewVDir.Properties["AuthAnonymous"][0] = false;
    >> > deNewVDir.Properties["AuthBasic"][0] = false;
    >> > deNewVDir.Properties["AuthNTLM"][0] = true;
    >> > deNewVDir.Properties["ContentIndexed"][0] = false;
    >> > deNewVDir.Properties["EnableDirBrowsing"][0] = true;
    >> > ...
    >> > deNewVDir.Invoke("AppCreate",true);
    >> >
    >> > deNewVDir.CommitChanges();
    >> > deRoot.CommitChanges();
    >> >
    >> > deNewVDir.Close();
    >> >
    >> > deRoot.Close();
    >> >...
    >> >
    >> >Now: in a windows application it works great! I have a DLL project and
    a
    >> >windows app test project and the web service accessing the DLL project.
    >> >In a web service I get the error listed above... :(
    >> >
    >> >--
    >> >tym, Eskimo
    >> >
    >>
    >>
    >
    Dan Rogers Guest

  5. #5

    Default RE: IIS Virtual Directory Create Failure :(

    Dan,

    What can I do to "You'd have to override code access security for these
    specific operations" ?

    Where do I start with code access security? I did give fulltrust to the
    assembly calling the IIS stuff with caspol -af <DLL ASSEMBLY> I was wanting
    to use full trust with...

    I have an n-tier application, with a set of objects that manipulate ADSI
    with the .NET framework classes found in System.DirectoryServices.



    "Dan Rogers" wrote:
    > Ahhh. I think this is a matter of the later OS being more secure. Code
    > access security is going to do a lot to prevent internet hosted logic from
    > doing things that require admin permissions. You want to think VERY
    > carefully about undoing this protection. Since .NET 1.1 was shipped as a
    > part of Windows Server 2003, I suspect that the policy expressions that
    > shipped with this version were more restrictive. If this is the case, no
    > amount of impersonation is going to fix this - since the call is
    > originating from a web service and thus is sand boxed. You'd have to
    > override code access security for these specific operations. I would still
    > add logic to such a service to make sure that the caller is a member of a
    > group the caller recognizes ad an admin, since once you over-ride the
    > sandbox security, no other protections would be keeping a non-admin from
    > making a call that if overdone could flood your box and disable your server.
    >
    > I hope this helps
    >
    > Dan
    > --------------------
    > >Thread-Topic: IIS Virtual Directory Create Failure :(
    > >thread-index: AcTMurvE7+6ff34BSxC8pHYgFuZQvQ==
    > >X-WBNR-Posting-Host: 63.162.177.130
    > >From: =?Utf-8?B?RXNraW1v?= <Eskimodiscussions.microsoft.com>
    > >References: <E288D499-3B3F-4B1D-BC17-D3F32A78249Cmicrosoft.com>
    > <BsZ7jyDzEHA.1184cpmsftngxa10.phx.gbl>
    > >Subject: RE: IIS Virtual Directory Create Failure :(
    > >Date: Wed, 17 Nov 2004 07:33:05 -0800
    > >Lines: 146
    > >Message-ID: <E07C3395-6C1C-47C1-AFB4-39473F4FEB74microsoft.com>
    > >MIME-Version: 1.0
    > >Content-Type: text/plain;
    > > cht="Utf-8"
    > >Content-Transfer-Encoding: 7bit
    > >X-Newsreader: Microsoft CDO for Windows 2000
    > >Content-Class: urn:content-classes:message
    > >Importance: normal
    > >Priority: normal
    > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    > >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservic es
    > >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    > >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFT NGXA03.phx.gbl
    > >Xref: cpmsftngxa10.phx.gbl
    > microsoft.public.dotnet.framework.aspnet.webservic es:26666
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservic es
    > >
    > >Dan,
    > >
    > >Thanks for the suggestion, however, I used the following snippet...that
    > >didnt work even with an administrator logged in...impersonation didn't
    > work
    > >either...
    > >
    > >I think it's IIS -> ADSI where the permission problem is on the server.
    > I'm
    > >on xp pro and it works great!
    > >
    > >When I log into the server 2003 box as a member of the admin group it
    > fails
    > >spectacularly with "Access is Denied."
    > >
    > > System.Security.Principal.WindowsImpersonationCont ext
    > >impersonationContext;
    > > impersonationContext =
    > >((System.Security.Principal.WindowsIdentity)User. Identity).Impersonate();
    > >
    > ><call web service method>
    > >
    > > impersonationContext.Undo();
    > >
    > >"Dan Rogers" wrote:
    > >
    > >> Hi,
    > >>
    > >> If I understand you, you're trying to make IIS hosted managed code in a
    > web
    > >> service dynamically define new VROOTS on the server that the web service
    > is
    > >> on, and you are getting an access deined error.
    > >>
    > >> The managed code for your service is going to need to have permissions
    > to
    > >> do these administrator operations, and thus either be impersonating an
    > >> administrator account (not a good idea if you ask me) or running in the
    > >> security context of an administrator (e.g. being called by and
    > >> administrator and assuming the administrators permissions). The latter
    > is
    > >> possible by placing the calls in the administrator's security context.
    > >> This is done by setting the credential cache in the proxy to the default
    > >> identity (the calling user).
    > >>
    > >> I hope this helps
    > >>
    > >> Dan Rogers
    > >> Microsoft Corporation
    > >> --------------------
    > >> >Thread-Topic: IIS Virtual Directory Create Failure :(
    > >> >thread-index: AcTCxfBi2xjrBaTfSM2bHVVte4BerQ==
    > >> >X-WBNR-Posting-Host: 63.162.177.130
    > >> >From: =?Utf-8?B?RXNraW1v?= <Eskimodiscussions.microsoft.com>
    > >> >Subject: IIS Virtual Directory Create Failure :(
    > >> >Date: Thu, 4 Nov 2004 15:28:07 -0800
    > >> >Lines: 74
    > >> >Message-ID: <E288D499-3B3F-4B1D-BC17-D3F32A78249Cmicrosoft.com>
    > >> >MIME-Version: 1.0
    > >> >Content-Type: text/plain;
    > >> > cht="Utf-8"
    > >> >Content-Transfer-Encoding: 7bit
    > >> >X-Newsreader: Microsoft CDO for Windows 2000
    > >> >Content-Class: urn:content-classes:message
    > >> >Importance: normal
    > >> >Priority: normal
    > >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
    > >> >Newsgroups: microsoft.public.dotnet.framework.aspnet.webservic es
    > >> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.1.29
    > >> >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl
    > >> >Xref: cpmsftngxa10.phx.gbl
    > >> microsoft.public.dotnet.framework.aspnet.webservic es:26386
    > >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservic es
    > >> >
    > >> >
    > >> >System.UnauthorizedAccesception: Access is denied.
    > >> > at System.DirectoryServices.Interop.IAds.SetInfo()
    > >> > at System.DirectoryServices.DirectoryEntry.CommitChan ges()
    > >> > at CreateVirtualDirectories.Dal.CreateWebVirtualDirec tory.Create
    > >> >
    > >> >...
    > >> >
    > >> > tried on the local development box and it had issues like this
    > >> >
    > >> >until I gave permissions like described in Article ID 329986, scroll
    > down,
    > >> >Method A.
    > >> >
    > >> >It is a double hop as I did the test at the bottom in the Quick Test
    > >> section.
    > >> >
    > >> >
    > >> >
    > >> >Code snippets:
    > >> >
    > >> >Web.config for web service having the error shown above...
    > >> >
    > >> ><identity impersonate="true" />
    > >> >...
    > >> >
    > >> > SCHEMA= "IIsWebVirtualDir";
    > >> > mRootSubPath = "/W3SVC/1/Root";
    > >> >
    > >> >...
    > >> >
    > >> > DirectoryEntry deRoot= new DirectoryEntry("IIS://" +
    > >> "localhost"
    > >> >+ mRootSubPath,winAcctId,winAcctPwd,AuthenticationTy pes.Secure);
    > >> >
    > >> >...
    > >> >
    > >> > if (Directory.Exists("c:\temp\Eskimo\") == false)
    > >> > {
    > >> >
    > >> > Directory.CreateDirectory("c:\temp\Eskimo\");
    > >> >
    > >> > }
    > >> >
    > >> > deRoot.RefreshCache();
    > >> >
    > >> > DirectoryEntry deNewVDir =
    > >> >deRoot.Children.Add("Eskimo",mSchema);
    > >> >
    > >> >
    > deNewVDir.Properties["Path"].Insert(0,"c:\temp\Eskimo\");
    > >> >
    > >> >...
    > >> > deNewVDir.Properties["AccessRead"][0] =true;
    > >> > deNewVDir.Properties["AccessWrite"][0] = true;
    > >> > deNewVDir.Properties["Accesecute"][0] = true;
    > >> > deNewVDir.Properties["AuthAnonymous"][0] = false;
    > >> > deNewVDir.Properties["AuthBasic"][0] = false;
    > >> > deNewVDir.Properties["AuthNTLM"][0] = true;
    > >> > deNewVDir.Properties["ContentIndexed"][0] = false;
    > >> > deNewVDir.Properties["EnableDirBrowsing"][0] = true;
    > >> > ...
    > >> > deNewVDir.Invoke("AppCreate",true);
    > >> >
    > >> > deNewVDir.CommitChanges();
    > >> > deRoot.CommitChanges();
    > >> >
    > >> > deNewVDir.Close();
    > >> >
    > >> > deRoot.Close();
    > >> >...
    > >> >
    > >> >Now: in a windows application it works great! I have a DLL project and
    > a
    > >> >windows app test project and the web service accessing the DLL project.
    > >> >In a web service I get the error listed above... :(
    > >> >
    > >> >--
    > >> >tym, Eskimo
    > >> >
    > >>
    > >>
    > >
    >
    >
    Eskimo Guest

Similar Threads

  1. Replies: 2
    Last Post: August 9th, 10:04 PM
  2. IIS Virtual Directory Create Failure in Web Service :(
    By Eskimo in forum ASP.NET Security
    Replies: 5
    Last Post: November 8th, 05:49 PM
  3. Have to Be A Virtual Directory?
    By Chan in forum ASP.NET Web Services
    Replies: 5
    Last Post: January 19th, 01:49 PM
  4. Create file in virtual directory
    By Glenn in forum ASP
    Replies: 6
    Last Post: August 27th, 10:25 PM
  5. How to create a new Virtual Directory?
    By qiuji in forum ASP.NET General
    Replies: 0
    Last Post: August 12th, 07:02 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139