samuel zhang
I try to query the Windows service status with an ASP.NET application.
The page is on MachineA. If I log in to MachineA with my domain account and
browse it in IE, it displays the correct result. If I log in to another
machine, MachineB, in the same domain, and use the same domain account to view
the page on MachineA, it shows the ACCESS_DENIED error. My domain user account
is in the Local Administrators group of those two machines.
1. IIS is set to Integrated Windows authentication.
2. The web project's web.config file contains the following lines:
<authentication mode="Windows" />
<identity impersonate="true" />
3. The username value in the ProcessModel section in machine.config of
ASP.NET is SYSTEM.
4. The framework is Visual Studio .NET 2003. The build number is v1.1.4322.
The system is Windows 2000 Server SP4.
5. I use the following code:
using System;
using System.Runtime.InteropServices;

[DllImport("Advapi32.dll", EntryPoint="OpenSCManagerW", SetLastError=true,
    CharSet=CharSet.Unicode, ExactSpelling=true,
    CallingConvention=CallingConvention.Winapi)]
public static extern int OpenSCManagerW(
    [MarshalAs(UnmanagedType.LPWStr)] string machinename,
    [MarshalAs(UnmanagedType.LPWStr)] string databasename, // wide string, to match the W entry point
    uint access);

int iSC;
int error = 0;
const uint SC_MANAGER_ENUMERATE_SERVICE = 0x0004;

// This prints my domain account. It displays the same domain account
// whether I browse the page on the local machine or a remote machine.
Console.WriteLine(System.Security.Principal.WindowsIdentity.GetCurrent().Name);

// Here I query a service on a third machine. It returns a correct handle if
// browsed on MachineA, and returns 0 when I browse it on MachineB. If I
// query the local machine (MachineA) here, it works fine in both
// scenarios (local browsing or remote browsing).
iSC = OpenSCManagerW("\\\\MachineC", null, SC_MANAGER_ENUMERATE_SERVICE);

// When I browse on MachineB, the error is 5, which means ACCESS_DENIED.
if (iSC == 0) { error = Marshal.GetLastWin32Error(); }
6. A stranger thing is that if I impersonate the domain account
explicitly, it works fine in both scenarios. The code is listed here.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

[DllImport("Advapi32.dll", EntryPoint="OpenSCManagerW", SetLastError=true,
    CharSet=CharSet.Unicode, ExactSpelling=true,
    CallingConvention=CallingConvention.Winapi)]
public static extern int OpenSCManagerW(
    [MarshalAs(UnmanagedType.LPWStr)] string machinename,
    [MarshalAs(UnmanagedType.LPWStr)] string databasename, // wide string, to match the W entry point
    uint access);

[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool LogonUser(String lpszUsername, String lpszDomain,
    String lpszPassword, int dwLogonType, int dwLogonProvider,
    ref IntPtr phToken);

[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
    int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);

int iSC;
const uint SC_MANAGER_ENUMERATE_SERVICE = 0x0004;
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_LOGON_INTERACTIVE = 2;
const int SecurityImpersonation = 2;

IntPtr tokenHandle = IntPtr.Zero;
IntPtr dupeTokenHandle = IntPtr.Zero;

// Log on with the explicit credentials, then duplicate the token at
// impersonation level and impersonate it on the current thread.
LogonUser(Mycount, MyDomain, Mypassword, LOGON32_LOGON_INTERACTIVE,
    LOGON32_PROVIDER_DEFAULT, ref tokenHandle);
DuplicateToken(tokenHandle, SecurityImpersonation, ref dupeTokenHandle);
WindowsIdentity newId = new WindowsIdentity(dupeTokenHandle);
WindowsImpersonationContext impersonatedUser = newId.Impersonate();

// This prints my domain account. It displays the same domain account in
// both scenarios.
Console.WriteLine(System.Security.Principal.WindowsIdentity.GetCurrent().Name);

// This time it works fine on both machines!
iSC = OpenSCManagerW("\\\\" + servername, null, SC_MANAGER_ENUMERATE_SERVICE);
What's the difference between those two scenarios? Does ASP.NET
impersonate my account correctly? I do not want to impersonate a specific
user in the code, since I have to give the password in the program.
Any help is appreciated.
Sam.