Kirk
My web page needs to start a process on the server that runs as a
domain user so it can access the network. I'm using web services and
the new feature in .NET 2.0 that lets you start a process as a
different user. The following web service works fine until I uncomment
the lines setting UserName and Password. Then, Process.Start throws an
Access is Denied Exception. If I just comment out the
UserName/Password lines and reload the aspx, then it works fine.

My IIS runs as Local System, and I understand I cannot start a process
as a different user like this from a process owned by Local System.
So, I put this Web Service into an IIS Application Pool with the
Identity set to the local Administrator account. I also added local
Admin to the IIS_WPG group and granted access to "Adjust memory quotas
for a process" and "Replace a process level token" as required by MS
docs. Despite all this, it still tells me "Access is Denied" when I
try to start the process with ProcessStartInfo.UserName set. Even if,
as the code below shows, I try to start with the name and password
of the local Administrator (the same account the pool is configured to
use anyway)!

But if I simply comment out UserName and Password and re-invoke the web
method, the process runs fine; whoami.exe tells me it is the local
Administrator as expected. What other access do I need to grant local
Administrator to allow it to create this process as a different user?

Details: this is with .NET 2.0, of course (1.1 does not support running
a process as a different user). I'm running everything on Windows
Server 2003. I have impersonation enabled in my web.config, and I'm
using Integrated authentication on the IIS virtual directory that this
aspx is in. When I invoke the service via the default aspx browser, I
connect as a domain user.

<%@ WebService Language="C#" Class="Kirk.ForkIt" %>
using System;
using System.IO;
using System.Collections;
using System.Security;
using System.Web.Services;
using System.Diagnostics;

namespace Kirk
{
    public class ForkIt
    {
        [WebMethod]
        public string Main()
        {
            Process p = new Process();
            ProcessStartInfo pInfo =
                new ProcessStartInfo(@"c:\windows\system32\whoami.exe");

            SecureString password = new SecureString();
            // set value for password here.
            password.AppendChar('s');
            password.AppendChar('e');
            password.AppendChar('c');
            password.AppendChar('r');
            password.AppendChar('e');
            password.AppendChar('t');

            // Uncommenting these two lines is what makes Process.Start
            // throw "Access is denied".
            //pInfo.UserName = "Administrator";
            //pInfo.Password = password;

            // Required to redirect output: no shell, no window.
            pInfo.CreateNoWindow = true;
            pInfo.UseShellExecute = false;
            pInfo.RedirectStandardOutput = true;

            p.StartInfo = pInfo;
            p.Start();

            // Read output before waiting so a full pipe cannot block the child.
            String output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output;
        }
    }
}
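
A diagnostic sketch for the setup described in the post above, added here as an example and not part of the original post: with impersonation enabled, the request thread and the worker process can hold different tokens, so this reports both identities alongside the native Win32 error code from a failed Process.Start. The names StartDiagnostics and TryStart are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;
using System.Text;

// Hypothetical helper (not from the original post): reports which identities
// are in play and the native Win32 error when Process.Start fails.
public static class StartDiagnostics
{
    public static string TryStart(ProcessStartInfo psi)
    {
        StringBuilder report = new StringBuilder();

        // With impersonation enabled, this is the impersonated caller.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Thread identity:  " + thread.Name +
                              " (" + thread.ImpersonationLevel + ")");
        }

        // Temporarily revert to the process token to see the app pool identity.
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            using (WindowsIdentity process = WindowsIdentity.GetCurrent())
                report.AppendLine("Process identity: " + process.Name);
        }
        finally { ctx.Undo(); }

        report.AppendLine("Requested user:   " +
            (string.IsNullOrEmpty(psi.UserName) ? "(inherit)" : psi.UserName));
        try
        {
            using (Process p = Process.Start(psi))
            {
                string output = psi.RedirectStandardOutput
                    ? p.StandardOutput.ReadToEnd() : "";
                p.WaitForExit();
                report.AppendLine("Exit code " + p.ExitCode + ": " + output.Trim());
            }
        }
        catch (Win32Exception ex)
        {
            // NativeErrorCode 5 is ERROR_ACCESS_DENIED.
            report.AppendLine("Win32 error " + ex.NativeErrorCode + ": " + ex.Message);
        }
        return report.ToString();
    }
}
```

Calling it from the web method with the same ProcessStartInfo, once with and once without UserName set, shows whether the thread identity differs from the pool identity at the moment of the failure.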