
.NET Forum / ASP.NET / Web Services / June 2004


Identity crisis on a WS

luis - 09 Jun 2004 18:21 GMT
I need to dynamically change some DNS registers of our domain.
I figured that a WS would do the job, so I developed a WS that has only one web method that receives an ID and an IP address from its clients. It verifies the ID and then proceeds to change the DNS pointer with the “dnscmd.exe” utility on a Win2000 server.

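' Requires: Imports System.Diagnostics and Imports System.Web.Services
<WebMethod()> Public Function Nueva(ByVal quienSoy As String, ByVal miIP As String) As String
       Dim miPInfo As ProcessStartInfo
       Dim miProc As Process
       Dim regreso As String

       ' Describe the dnscmd.exe call; stdout is redirected so it can be returned.
       miPInfo = New ProcessStartInfo
       With miPInfo
           .FileName = "C:\WinNT\System32\dnscmd.exe"
           ' quienSoy is the client-supplied ID, used as the record name.
           .Arguments = ". /RecordDelete diato.com.mx " & quienSoy & " A /f"
           .RedirectStandardOutput = True
           .UseShellExecute = False
       End With

       miProc = Process.Start(miPInfo)
       ' Read the redirected output before waiting, so a full pipe cannot block the child.
       regreso = miProc.StandardOutput.ReadToEnd()
       miProc.WaitForExit()
       Return regreso
End Function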

When I run this method I get a “Command failed: ERROR_ACCESS_DENIED 5 (00000005)” as the return string (StandardOut of the process).

I went and added a user on this machine and made it a member of the “administrators” group.
I used the ASPNET_Setreg utility to encrypt the user name and password in the registry.

I added these lines in the Web.config file:

<identity impersonate="true"
userName="registry:HKLM\SOFTWARE\MyApp\MyId\ASPNET_SETREG,userName"
password="registry:HKLM\SOFTWARE\MyApp\MyId\ASPNET_SETREG,password" />

I restarted the system and I get the same error message.

What am I doing wrong?
What else do I need to do?
Is there a smarter way to change DNS registers?

(Of course, if I run the dnscmd utility from the CMD box it runs OK.)

Thanks
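
Added example, not part of the thread: the web method above places quienSoy on the dnscmd.exe command line exactly as the client sent it, so a value containing spaces or switches would alter a command that runs with DNS administration rights. The helper below accepts only a single plain host label and a strict dotted-quad address; DnsArgGuard and its function names are hypothetical, and it assumes VB 2005 or later.

```vb
Imports System
Imports System.Text.RegularExpressions
Imports Microsoft.VisualBasic

' Added example, not from the thread; module and function names are illustrative.
Public Module DnsArgGuard
    ' One DNS label: ASCII letters, digits, hyphen; 1 to 63 characters; no
    ' leading or trailing hyphen. \z (not $) so a trailing newline is rejected.
    Private ReadOnly LabelRx As New Regex("^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z")
    Private ReadOnly OctetRx As New Regex("^(0|[1-9][0-9]{0,2})\z")

    Public Function IsSafeLabel(ByVal candidate As String) As Boolean
        Return candidate IsNot Nothing AndAlso LabelRx.IsMatch(candidate)
    End Function

    ' Strict dotted-quad check: four decimal octets, 0 to 255, no leading zeros.
    Public Function IsDottedQuad(ByVal candidate As String) As Boolean
        If candidate Is Nothing Then Return False
        Dim parts() As String = candidate.Split("."c)
        If parts.Length <> 4 Then Return False
        For Each part As String In parts
            If Not OctetRx.IsMatch(part) Then Return False
            If Integer.Parse(part) > 255 Then Return False
        Next
        Return True
    End Function

    ' Builds the /RecordDelete argument string used in the post, or throws.
    Public Function BuildDeleteArgs(ByVal label As String) As String
        If Not IsSafeLabel(label) Then
            Throw New ArgumentException("Host label rejected.", "label")
        End If
        Return ". /RecordDelete diato.com.mx " & label & " A /f"
    End Function

    Sub Main()
        ' Constructed sample inputs.
        Dim labels() As String = {"host1", "two words", "-lead", "host1" & vbLf, "a.b"}
        For Each l As String In labels
            Console.WriteLine("{0,-12} -> {1}", l.Trim(), IsSafeLabel(l))
        Next
        Console.WriteLine(IsDottedQuad("192.0.2.10"))   ' documentation address
        Console.WriteLine(IsDottedQuad("192.0.2.256"))
        Console.WriteLine(BuildDeleteArgs("host1"))
    End Sub
End Module
```
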
[MSFT] - 10 Jun 2004 03:27 GMT
Hi Luis,

You may add a web method and return the following string to see the account
your web service runs with:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

If it is not the administrator account you planned, you may try impersonation
in the web service. Here is an article about this:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

Luke
Microsoft Online Support

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Luis - 10 Jun 2004 18:11 GMT
Luke,

I checked with "System.Security.Principal.WindowsIdentity.GetCurrent().Name" and in fact I do have the DOMAIN\USER combination that I expected (a user that is a member of the administrators group).
I even added this user to the Act as part of the operating system key in Local Security Policies.

I am still getting the same ERROR_ACCESS_DENIED 5 (0000005) err msg.

Do you have any suggestions?

Luis

> Hi Luis,
>
[quoted text clipped - 15 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
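
Added example, not part of the thread and not Microsoft's code: WindowsIdentity.GetCurrent() reports the token on the calling thread, while a program launched through Process.Start with UseShellExecute = False is created with the worker process's primary token, so the two can name different accounts. The sketch below reports both side by side; it assumes .NET Framework, and TokenCheck and its function names are hypothetical.

```vb
Imports System
Imports System.Security.Principal

' Added example, not from the thread. Assumes .NET Framework; the module and
' function names are illustrative.
Public Module TokenCheck

    ' Account on the calling thread. Under <identity impersonate="true" .../>
    ' this is the impersonated user.
    Public Function ThreadAccount() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' Account on the worker process's primary token, which is the token a
    ' child started with Process.Start receives. Impersonation is suspended
    ' only for the lookup and restored in Finally.
    Public Function ProcessAccount() As String
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
        Try
            Return WindowsIdentity.GetCurrent().Name
        Finally
            ctx.Undo()
        End Try
    End Function

    ' One line suitable for a diagnostic web method or a log entry.
    Public Function Describe() As String
        Dim threadName As String = ThreadAccount()
        Dim processName As String = ProcessAccount()
        Dim verdict As String
        If String.Compare(threadName, processName, StringComparison.OrdinalIgnoreCase) = 0 Then
            verdict = "same account: a child process runs as the account shown"
        Else
            verdict = "accounts differ: a child process runs as the process account"
        End If
        Return "thread=" & threadName & "; process=" & processName & "; " & verdict
    End Function

    Sub Main()
        Console.WriteLine(Describe())
    End Sub
End Module
```

If the two names differ, file and registry permissions granted to the impersonated user do not apply to the child process.
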
[MSFT] - 11 Jun 2004 06:52 GMT
Hi Luis,

I suggest you monitor the process with two utilities: regmon and filemon.
They can monitor all the access on file system and registry. If there is an
Access Denied problem, they will record it.

You may download them from:

http://www.systeminternals.com/products/repairandrecovery/index.asp?pid=ap

Luke
Microsoft Online Support


Luis - 11 Jun 2004 17:00 GMT
Luke,

Instead of "investing" the $249 I gave this particular user full control over the registry and over c:\winnt.

In addition I added MyApp.dll in the framework configuration utility, in /Runtime Security Policy Machine and User policies with full trust.

To me it sounds as if it was an access problem either to the registry or the file system (which, as far as I understood, is exactly what those utilities do...), this would solve it.

It did NOT.

Luis

> Hi Luis,
>
[quoted text clipped - 12 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
Luis - 11 Jun 2004 17:04 GMT
Luke,

Instead of investing the 249 dls I gave this specific user full access on all registry and in c:\winnt.
In addition I added myapp.dll to the machine & user trees in the .Net framework configuration utility.

I thought that if I had an access problem these actions would cure it.

I am still getting the same error.

Luis

> Hi Luis,
>
[quoted text clipped - 12 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
[MSFT] - 14 Jun 2004 08:08 GMT
Hi Luis,

I know they have some free download links:

http://www.sysinternals.com/ntw2k/source/filemon.shtml

http://www.sysinternals.com/ntw2k/source/regmon.shtml

"WINNT" folder may not be the only file path it requests. I still suggest
you perform a trace with the above utilities.

Luke
Luis - 15 Jun 2004 16:22 GMT
Luke,

I've downloaded and run the utilities you suggested.
I've looked at all entries in both screens and have not found any single "ACCESS_DENIED".
I've isolated all entries for the "dnscmd.exe" and "aspnet_wp.exe" processes and I don't see anything strange but this line on Filemon:
9:51:06 AM    dnscmd.exe:1876    QUERY INFORMATION        C:\WinNT\System32\dnscmd.exe.Local    FILE NOT FOUND    Attributes: Error   
Any clues?

Luis

> Hi Luis,
>
[quoted text clipped - 8 lines]
>
> Luke
[MSFT] - 16 Jun 2004 08:06 GMT
Hi Luis,

From the trace log, the process of "dnscmd.exe" has been launched. Have you
compared the trace with when you execute dnscmd from the command line? Any
difference? Additionally, did you work with IIS 5 or IIS 6?

Luke
Microsoft Online Support


Luis - 16 Jun 2004 17:58 GMT
Luke,
I've compared the output of both utilities and I don’t see any differences between them.
Regmon is identical and Filemon has slightly different entries due to the fact that dnscmd is launched from different processes (CMD.EXE vs aspnet_wp.exe)

Inetinfo.exe has version 5.00.0984

What else can I do?

Luis

> Hi Luis,
>
[quoted text clipped - 8 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
[MSFT] - 17 Jun 2004 08:53 GMT
Hi Luis,

I think we may consider another way for the issue. For example, we can create
a COM+ component to execute the DNSCMD.exe and then call the COM+ component
in the Web service.

Here is a sample about this:

http://support.microsoft.com/?id=306296

Luke
Microsoft Online Support


Luis - 18 Jun 2004 17:00 GMT
Luke,

I do not know if I am right but I think that this is not a .NET Web Services issue only.
In which other ng would you recommend posting to see if anyone out there has a solution for my problem?

Luis

> Hi Luis,
>
[quoted text clipped - 12 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
[MSFT] - 21 Jun 2004 08:22 GMT
Hi Luis,

What is the account your COM+ component runs with? It is better to use a
Domain user with local administrator. Only Domain user can query the AD
information. I also suggest you may post the issue in
microsoft.public.win2000.active_directory. There may be more people there
who are familiar with DNSCMD.exe.

Luke
Microsoft Online Support


Luis - 21 Jun 2004 16:53 GMT
The user the COM+ component is running with is a user that is a member of both the local "Administrators" and the local "Users" groups.

I also tested with a domain user that was included in Domain Admins and Domain Users groups.

Anything else that I can do?

Luis

> Hi Luis,
>
[quoted text clipped - 10 lines]
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
[MSFT] - 22 Jun 2004 10:19 GMT
You may try to set the ProcessStartInfo's property WorkingDirectory to
"c:\windows\system32" or your actual System folder to see if it will help.
If this didn't help, please let me know. I will involve more resource on
this issue to make it out.

Luke
Microsoft Online Support


