Identity crisis on a WS

Luis

I need to change some DNS records of our domain dynamically.
I figured that a WS would do the job, so I developed a WS that has only one web method that receives an ID and an IP address from its clients. It verifies the ID and then proceeds to change the DNS pointer with the "dnscmd.exe" utility on a Win2000 server.

Imports System.Diagnostics
Imports System.Web.Services

<WebMethod()> Public Function Nueva(ByVal quienSoy As String, ByVal miIP As String) As String
    Dim miPInfo As ProcessStartInfo
    Dim miProc As Process
    Dim regreso As String

    ' Launch dnscmd directly (no shell) and capture its standard output.
    ' quienSoy is spliced into the command line as the record name;
    ' miIP is not used in this version of the method.
    miPInfo = New ProcessStartInfo
    With miPInfo
        .FileName = "C:\WinNT\System32\dnscmd.exe"
        .Arguments = ". /RecordDelete diato.com.mx " & quienSoy & " A /f"
        .RedirectStandardOutput = True
        .UseShellExecute = False
    End With

    miProc = Process.Start(miPInfo)
    ' Read the redirected output before waiting for exit; the reverse
    ' order can deadlock if the child fills the output pipe.
    regreso = miProc.StandardOutput.ReadToEnd()
    miProc.WaitForExit()
    Return regreso
End Function

When I run this method I get a "Command failed: ERROR_ACCESS_DENIED 5 (00000005)" as the return string (StandardOut of the process).

I went and added a user on this machine and made it a member of the "Administrators" group.
I used the ASPNET_SetReg utility to encrypt the user name and password in the registry.

I added these lines to the Web.Config file:

<identity impersonate="true"
          userName="registry:HKLM\SOFTWARE\MyApp\MyId\ASPNET_SETREG,userName"
          password="registry:HKLM\SOFTWARE\MyApp\MyId\ASPNET_SETREG,password" />

I restarted the system and I get the same error message.

What am I doing wrong?
What else do I need to do?
Is there a smarter way to change DNS records?

(Of course, if I run the dnscmd utility from the CMD box it runs OK.)

Thanks

Luis
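The posted method passes quienSoy straight into the dnscmd argument string, so whatever ID verification happens elsewhere, the string itself has to be constrained to a single DNS label before it becomes part of a command line; otherwise a client can append further dnscmd arguments or name a node it should not touch. The following is an added example, not Luis's code: the same web method with the record name and IP address validated first, the output read in the order the Process class requires, and the exit code returned alongside dnscmd's text so the caller can tell a failed command from a failed launch. The zone name and dnscmd path are taken from the post; the class name, the RunDnsCmd helper and the /RecordAdd step (Luis's posted code shows only the delete) are assumptions for illustration.

```vb
Option Strict On

Imports System
Imports System.Diagnostics
Imports System.Net
Imports System.Text.RegularExpressions
Imports System.Web.Services

' Added example (not from the thread): hardened version of Nueva.
Public Class DnsUpdater
    Inherits WebService

    ' Zone and tool path as given in the original post.
    Private Const Zone As String = "diato.com.mx"
    Private Const DnsCmd As String = "C:\WinNT\System32\dnscmd.exe"

    ' Exactly one DNS label: letters, digits and hyphens, no leading or
    ' trailing hyphen, at most 63 characters. Spaces, quotes, slashes and
    ' dots are rejected, so the value cannot carry extra dnscmd arguments.
    Private Shared ReadOnly LabelRe As New Regex("^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

    <WebMethod()> _
    Public Function Nueva(ByVal quienSoy As String, ByVal miIP As String) As String
        If quienSoy Is Nothing OrElse Not LabelRe.IsMatch(quienSoy) Then
            Throw New ArgumentException("quienSoy must be a single DNS label")
        End If

        Dim addr As IPAddress
        Try
            addr = IPAddress.Parse(miIP)
        Catch ex As FormatException
            Throw New ArgumentException("miIP is not a valid IP address")
        End Try
        If addr.AddressFamily <> System.Net.Sockets.AddressFamily.InterNetwork Then
            Throw New ArgumentException("miIP must be an IPv4 address for an A record")
        End If

        ' Remove the old A record (if any), then add the new one.
        Dim out As String
        out = RunDnsCmd(". /RecordDelete " & Zone & " " & quienSoy & " A /f")
        out &= RunDnsCmd(". /RecordAdd " & Zone & " " & quienSoy & " A " & addr.ToString())
        Return out
    End Function

    ' Runs dnscmd with a fixed path and no shell. Only stdout is redirected
    ' (dnscmd reports "Command failed" there, as seen in the post) and it is
    ' read to the end before WaitForExit, the order the Process docs require.
    Private Function RunDnsCmd(ByVal args As String) As String
        Dim psi As New ProcessStartInfo(DnsCmd, args)
        psi.UseShellExecute = False
        psi.RedirectStandardOutput = True
        psi.CreateNoWindow = True

        Dim p As Process = Process.Start(psi)
        Dim output As String = p.StandardOutput.ReadToEnd()
        p.WaitForExit()

        Return "exit=" & p.ExitCode.ToString() & vbCrLf & output
    End Function
End Class
```

Both checks run before any process is started, and a rejected input surfaces as a SOAP fault rather than as dnscmd output. The exit code is returned because dnscmd's own text is the only place the ACCESS_DENIED in the thread shows up; having both values makes it clear that the process launched and the command inside it was refused.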
 
[MSFT]

Hi Luis,

You may add a web method that returns the following string to see the account
your web service runs with:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

If it is not the administrator account you planned, you may try impersonation
in the web service. Here is an article about this:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Luis

Luke,

I checked with "System.Security.Principal.WindowsIdentity.GetCurrent().Name" and in fact I do have the DOMAIN\USER combination that I expected (a user that is a member of the Administrators group).
I even added this user to the "Act as part of the operating system" right in Local Security Policies.

I am still getting the same ERROR_ACCESS_DENIED 5 (00000005) error message.

Do you have any suggestions?

Luis
 
Luis

Luke,

Instead of "investing" the $249 I gave this particular user full control over the registry and over C:\WinNT.

In addition I added MyApp.dll in the .NET Framework Configuration utility, under Runtime Security Policy, in the Machine and User policies, with full trust.

To me it sounded as if it was an access problem either to the registry or the file system (which, as far as I understood, is exactly what those utilities check...), so this would solve it.

It did NOT.

Luis
 
Luis

Luke,

Instead of investing the 249 dollars I gave this specific user full access on all of the registry and on C:\WinNT.
In addition I added myapp.dll to the machine and user trees in the .NET Framework Configuration utility.

I thought that if I had an access problem these actions would cure it.

I am still getting the same error.

Luis
 
Luis

Luke,

I've downloaded and run the utilities you suggested.
I've looked at all entries in both screens and have not found a single "ACCESS_DENIED".
I've isolated all entries for the "dnscmd.exe" and "aspnet_wp.exe" processes and I don't see anything strange but this line in Filemon:
9:51:06 AM dnscmd.exe:1876 QUERY INFORMATION C:\WinNT\System32\dnscmd.exe.Local FILE NOT FOUND Attributes: Error
Any clues?

Luis
 
[MSFT]

Hi Luis,

From the trace log, the process "dnscmd.exe" has been launched. Have you
compared the trace with the one from when you execute dnscmd from the command
line? Any difference? Additionally, do you work with IIS 5 or IIS 6?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Luis

Luke,
I've compared the output of both utilities and I don't see any differences between them.
Regmon is identical and Filemon has slightly different entries due to the fact that dnscmd is launched from different processes (CMD.EXE vs. aspnet_wp.exe).

Inetinfo.exe has version 5.00.0984

What else can I do?

Luis
 
Luis

Luke,

I do not know if I am right, but I think that this is not a .NET Web Services issue only.
In which other newsgroup would you recommend posting to see if anyone out there has a solution for my problem?

Luis
 
[MSFT]

Hi Luis,

What is the account your COM+ component runs with? It is better to use a
domain user with local administrator rights. Only a domain user can query the AD
information. I also suggest you post the issue in
microsoft.public.win2000.active_directory. There may be more people there
who are familiar with DNSCMD.exe.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Luis

The user the COM+ component is running with is a user that is a member of both the local "Administrators" and the local "Users" groups.

I also tested with a domain user that was included in Domain Admins and Domain Users groups.

Anything else that I can do?

Luis
 
[MSFT]

You may try to set the ProcessStartInfo's WorkingDirectory property to
"c:\windows\system32" or your actual System folder to see if it helps.
If this doesn't help, please let me know. I will involve more resources on
this issue to work it out.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
[MSFT]

Hi Luis,

Since you have created a COM+ component for DNSCMD, can you call this
component in a Windows Forms application? Additionally, I think you need to
use a domain user who is also a local administrator.

Luke
 
Luis

Eureka!

Believe it or not, IT WORKS from a Windows app using the COM+ component with the same user that we are trying to use in the Web Service.
We can conclude that:

- The COM+ component is working fine;
- The user we are using has the capabilities to perform the command (it's not a user-related security problem);
- This is a Web Services related problem.

I feel somehow that we are getting closer, although I don't see the door yet...

What else can we do?

Luis
 
[MSFT]

Hi Luis,

I found a similar issue which is also caused by the AT command. The exception
is also "Access is denied".

The solution is different between IIS 6 and IIS 5.

In IIS 6, you can set the default appPool's identity to "Local System" and
restart IIS.

In IIS 5, you need to set the isolation level for the web application to High,
and a related application will be generated in COM+. Then set the COM+
application's identity to the Local System account. (This COM+ application is
generated by IIS, not the COM+ component we discussed before.)

You may try this.

Luke
 
[MSFT]

Hi Luis,

I performed the same test on a Windows 2000 server. However, I get the correct
result from the AT process. You may check whether you use the System account in
the machine.config <processModel> element, and impersonate set to true in the
web.config <identity> element. Additionally, you need to find out whether the
"access denied" error comes from the web service or from the process you created.

Luke
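Luke's first suggestion (return WindowsIdentity.GetCurrent().Name) and his later ones (set the worker process or IIS COM+ application identity, check the machine.config processModel account) are looking at two different tokens. GetCurrent() reports the thread identity, which under <identity impersonate="true"> is the impersonated user; Process.Start in .NET 1.x goes through CreateProcess, and CreateProcess gives the child the primary token of the calling process, not the thread's impersonation token. That is why dnscmd.exe can run as the aspnet_wp.exe account even when the web method reports the expected DOMAIN\USER, and why changing the process identity is what moves the result. The method below, an added example and not code from this thread, returns both identities in one call so the account a spawned child will actually get is visible without guessing. Reverting the thread with Impersonate(IntPtr.Zero) is the documented way to see the process token from managed code; the class and method names are assumptions.

```vb
Option Strict On

Imports System
Imports System.Security.Principal
Imports System.Web.Services

' Added example (not from the thread): thread identity vs process identity.
Public Class WhoAmI
    Inherits WebService

    <WebMethod()> _
    Public Function Identities() As String
        ' 1. Thread identity: the impersonated user when impersonation is on.
        '    This is what GetCurrent().Name alone reports.
        Dim threadId As String = Describe(WindowsIdentity.GetCurrent())

        ' 2. Process identity: impersonating a null token reverts this thread
        '    to the worker process's own token until Undo() runs. This is the
        '    token a child started through Process.Start/CreateProcess inherits.
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
        Dim processId As String = ""
        Try
            processId = Describe(WindowsIdentity.GetCurrent())
        Finally
            ctx.Undo()
        End Try

        Return "thread=" & threadId & "; process=" & processId
    End Function

    ' Account name plus whether that token is in the local Administrators group.
    Private Shared Function Describe(ByVal id As WindowsIdentity) As String
        Dim p As New WindowsPrincipal(id)
        Dim isAdmin As Boolean = p.IsInRole(WindowsBuiltInRole.Administrator)
        Return id.Name & " (admin=" & isAdmin.ToString() & ")"
    End Function
End Class
```

If the two names differ, the child process is the one running as the process account and the ACCESS_DENIED comes from inside dnscmd, not from the web method. Running the worker process as Local System, as suggested above for the AT case, does fix that, but it also makes every web method on that server run as the most privileged local account; a dedicated account granted only the DNS administration it needs is the smaller grant, and it must be set where the process token comes from (processModel on IIS 5, the application pool on IIS 6), not only in the impersonate element.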
 
Vishal

Hi Luis,
I am having a similar problem with IIS 6.0 on a Windows 2003 server.

I have an ASP.NET application and an application pool configured to run with domain user credentials. This domain user is also a local administrator.
I have a piece of code that executes a Windows API function (TranslateName) to get the fully qualified domain name of the user that logs on to the web site.

This function fails with error code ERROR_ACCESS_DENIED when running from the ASP.NET application. However, if I execute the same piece of code from an application on the command line, it works. I log on as the above-mentioned domain user before running the app to validate that the domain user has privileges to run the Win32 API function.

It seems like there is something going on in the security context when code executes as an ASP.NET application.

Luis: Please share with us if you were able to resolve your problem.

MSFT: Are there some IIS traces that can be enabled to troubleshoot this?

Thanks
 
