IIS Virtual Directory Create Failure :(

Eskimo

System.UnauthorizedAccessException: Access is denied.
at System.DirectoryServices.Interop.IAds.SetInfo()
at System.DirectoryServices.DirectoryEntry.CommitChanges()
at CreateVirtualDirectories.Dal.CreateWebVirtualDirectory.Create

....

Tried on the local development box and it had issues like this until I gave
permissions as described in Article ID 329986, scroll down, Method A.

It is a double hop as I did the test at the bottom in the Quick Test section.



Code snippets:

Web.config for web service having the error shown above...

<identity impersonate="true" />
....

SCHEMA = "IIsWebVirtualDir";
mRootSubPath = "/W3SVC/1/Root";

....

// Bind to the root of web site 1 in the IIS metabase with explicit credentials.
DirectoryEntry deRoot = new DirectoryEntry("IIS://" + "localhost"
    + mRootSubPath, winAcctId, winAcctPwd, AuthenticationTypes.Secure);

....

// Verbatim strings (@"...") so the backslashes are not read as escape sequences.
if (!Directory.Exists(@"c:\temp\Eskimo\"))
{
    Directory.CreateDirectory(@"c:\temp\Eskimo\");
}

deRoot.RefreshCache();

// Add the new virtual directory node under the site root.
DirectoryEntry deNewVDir =
    deRoot.Children.Add("Eskimo", mSchema);

deNewVDir.Properties["Path"].Insert(0, @"c:\temp\Eskimo\");

....
// Access and authentication flags for the new virtual directory.
deNewVDir.Properties["AccessRead"][0] = true;
deNewVDir.Properties["AccessWrite"][0] = true;
deNewVDir.Properties["AccessExecute"][0] = true;
deNewVDir.Properties["AuthAnonymous"][0] = false;
deNewVDir.Properties["AuthBasic"][0] = false;
deNewVDir.Properties["AuthNTLM"][0] = true;
deNewVDir.Properties["ContentIndexed"][0] = false;
deNewVDir.Properties["EnableDirBrowsing"][0] = true;
...
deNewVDir.Invoke("AppCreate", true);

// The stack trace above points at CommitChanges() (IAds.SetInfo).
deNewVDir.CommitChanges();
deRoot.CommitChanges();

deNewVDir.Close();

deRoot.Close();
....

Now: in a windows application it works great! I have a DLL project and a
windows app test project and the web service accessing the DLL project.
In a web service I get the error listed above... :(
 
Dan Rogers

Hi,

If I understand you, you're trying to make IIS hosted managed code in a web
service dynamically define new VROOTS on the server that the web service is
on, and you are getting an access denied error.

The managed code for your service is going to need to have permissions to
do these administrator operations, and thus either be impersonating an
administrator account (not a good idea if you ask me) or running in the
security context of an administrator (e.g. being called by an
administrator and assuming the administrator's permissions). The latter is
possible by placing the calls in the administrator's security context.
This is done by setting the credential cache in the proxy to the default
identity (the calling user).

I hope this helps

Dan Rogers
Microsoft Corporation
 
Eskimo

Dan,

Thanks for the suggestion, however, I used the following snippet...that
didn't work even with an administrator logged in...impersonation didn't work
either...

I think it's IIS -> ADSI where the permission problem is on the server. I'm
on xp pro and it works great!

When I log into the server 2003 box as a member of the admin group it fails
spectacularly with "Access is Denied."

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

<call web service method>

impersonationContext.Undo();

 
Dan Rogers

Ahhh. I think this is a matter of the later OS being more secure. Code
access security is going to do a lot to prevent internet hosted logic from
doing things that require admin permissions. You want to think VERY
carefully about undoing this protection. Since .NET 1.1 was shipped as a
part of Windows Server 2003, I suspect that the policy expressions that
shipped with this version were more restrictive. If this is the case, no
amount of impersonation is going to fix this - since the call is
originating from a web service and thus is sandboxed. You'd have to
override code access security for these specific operations. I would still
add logic to such a service to make sure that the caller is a member of a
group the caller recognizes as an admin, since once you override the
sandbox security, no other protections would be keeping a non-admin from
making a call that if overdone could flood your box and disable your server.

I hope this helps

Dan
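
The caller check recommended in the reply above, as an added example that is not part of the original thread: the web method refuses to touch the metabase unless IIS authenticated a Windows user in the local Administrators group, and it validates the requested name before building a path from it. It does not address the "Access is denied" error itself. VDirAdminService and ContentRoot are hypothetical names, and it assumes Windows authentication is enabled with anonymous access off.

```csharp
using System;
using System.DirectoryServices;
using System.IO;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web.Services;

// Added example, not code from the thread. VDirAdminService and ContentRoot
// are hypothetical; the metabase path and schema name are the ones posted above.
public class VDirAdminService : WebService
{
    private const string RootPath = "IIS://localhost/W3SVC/1/Root";
    private const string Schema = "IIsWebVirtualDir";
    private const string ContentRoot = @"c:\temp";   // assumption: parent folder for new vroots

    // Letters, digits, '-' and '_' only, so the name cannot carry path
    // separators or ".." and escape ContentRoot. \A and \z anchor the whole
    // string ('$' would also accept a trailing newline).
    private static readonly Regex SafeName = new Regex(@"\A[A-Za-z0-9_-]{1,64}\z");

    [WebMethod]
    public void CreateVirtualDirectory(string name)
    {
        // Authorize first, then validate input, then do the privileged work.
        RequireAdminCaller();
        if (name == null || !SafeName.IsMatch(name))
            throw new ArgumentException("Invalid virtual directory name.", "name");

        string physicalPath = Path.Combine(ContentRoot, name);
        Directory.CreateDirectory(physicalPath);   // no-op if it already exists

        using (DirectoryEntry root = new DirectoryEntry(RootPath))
        using (DirectoryEntry vdir = root.Children.Add(name, Schema))
        {
            vdir.Properties["Path"].Value = physicalPath;
            vdir.Properties["AccessRead"].Value = true;
            vdir.Properties["AuthAnonymous"].Value = false;
            vdir.Properties["AuthNTLM"].Value = true;
            vdir.CommitChanges();
        }
    }

    // Rejects the call unless IIS authenticated a Windows user who is a
    // member of the local Administrators group.
    private void RequireAdminCaller()
    {
        WindowsPrincipal caller = User as WindowsPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows-authenticated caller required.");
        if (!caller.IsInRole(WindowsBuiltInRole.Administrator))
            throw new UnauthorizedAccessException("Caller is not an administrator.");
    }
}
```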
 
Eskimo

Dan,

What can I do to "You'd have to override code access security for these
specific operations" ?

Where do I start with code access security? I did give full trust to the
assembly calling the IIS stuff with caspol -af <DLL ASSEMBLY>. I was wanting
to use full trust with...

I have an n-tier application, with a set of objects that manipulate ADSI
with the .NET framework classes found in System.DirectoryServices.



 
