
.NET Forum / ASP.NET / Web Services / November 2004


IIS Virtual Directory Create Failure :(

Eskimo - 05 Nov 2004 00:28 GMT
System.UnauthorizedAccessException: Access is denied.
  at System.DirectoryServices.Interop.IAds.SetInfo()
  at System.DirectoryServices.DirectoryEntry.CommitChanges()
  at CreateVirtualDirectories.Dal.CreateWebVirtualDirectory.Create

...

tried on the local development box and it had issues like this

until I gave permissions like described in Article ID 329986, scroll down,
Method A.

It is a double hop as I did the test at the bottom in the Quick Test section.



Code snippets:

Web.config for web service having the error shown above...

<identity impersonate="true" />
...

           SCHEMA = "IIsWebVirtualDir";
           mRootSubPath = "/W3SVC/1/Root";

...

           // Bind to the root of the first web site in the IIS metabase with explicit credentials.
           DirectoryEntry deRoot = new DirectoryEntry("IIS://" + "localhost" + mRootSubPath, winAcctId, winAcctPwd, AuthenticationTypes.Secure);

...

           // Verbatim strings (@"..."): in a regular literal \t is a tab and \" does not end the string.
           if (Directory.Exists(@"c:\temp\Eskimo\") == false)
           {
               Directory.CreateDirectory(@"c:\temp\Eskimo\");
           }

           deRoot.RefreshCache();

           DirectoryEntry deNewVDir = deRoot.Children.Add("Eskimo", mSchema);

           deNewVDir.Properties["Path"].Insert(0, @"c:\temp\Eskimo\");

...
           deNewVDir.Properties["AccessRead"][0] = true;
           deNewVDir.Properties["AccessWrite"][0] = true;
           deNewVDir.Properties["AccessExecute"][0] = true;
           deNewVDir.Properties["AuthAnonymous"][0] = false;
           deNewVDir.Properties["AuthBasic"][0] = false;
           deNewVDir.Properties["AuthNTLM"][0] = true;
           deNewVDir.Properties["ContentIndexed"][0] = false;
           deNewVDir.Properties["EnableDirBrowsing"][0] = true;
...
           // Create the application, then write the changes to the metabase.
           deNewVDir.Invoke("AppCreate", true);

           deNewVDir.CommitChanges();
           deRoot.CommitChanges();

           deNewVDir.Close();

           deRoot.Close();
...

Now: in a windows application it works great!  I have a DLL project and a
windows app test project and the web service accessing the DLL project.
In a web service I get the error listed above... :(

tym, Eskimo

Dan Rogers - 17 Nov 2004 00:30 GMT
Hi,

If I understand you, you're trying to make IIS hosted managed code in a web
service dynamically define new VROOTS on the server that the web service is
on, and you are getting an access denied error.

The managed code for your service is going to need to have permissions to
do these administrator operations, and thus either be impersonating an
administrator account (not a good idea if you ask me) or running in the
security context of an administrator (e.g. being called by an
administrator and assuming the administrators permissions).  The latter is
possible by placing the calls in the administrator's security context.  
This is done by setting the credential cache in the proxy to the default
identity (the calling user).

I hope this helps

Dan Rogers
Microsoft Corporation
Eskimo - 17 Nov 2004 15:33 GMT
Dan,

Thanks for the suggestion, however, I used the following snippet...that
didn't work even with an administrator logged in...impersonation didn't work
either...

I think it's IIS -> ADSI where the permission problem is on the server.  I'm
on xp pro and it works great!

When I log into the server 2003 box as a member of the admin group it fails
spectacularly with "Access is Denied."

           System.Security.Principal.WindowsImpersonationContext impersonationContext;
           impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

           <call web service method>

           impersonationContext.Undo();

Dan Rogers - 18 Nov 2004 22:52 GMT
Ahhh.  I think this is a matter of the later OS being more secure.  Code
access security is going to do a lot to prevent internet hosted logic from
doing things that require admin permissions.  You want to think VERY
carefully about undoing this protection. Since .NET 1.1 was shipped as a
part of Windows Server 2003, I suspect that the policy expressions that
shipped with this version were more restrictive.  If this is the case, no
amount of impersonation is going to fix this - since the call is
originating from a web service and thus is sand boxed.  You'd have to
override code access security for these specific operations.  I would still
add logic to such a service to make sure that the caller is a member of a
group the caller recognizes as an admin, since once you over-ride the
sandbox security, no other protections would be keeping a non-admin from
making a call that if overdone could flood your box and disable your server.

I hope this helps

Dan
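
Added example, not part of the original thread or of either poster's code: one way to implement the caller check recommended in the post above, so that the virtual directory code runs only for an authenticated member of an admin group. The class name AdminGate, the group chosen in AdminGroup, and the sample principals are assumptions made for illustration.

```csharp
using System;
using System.Security;
using System.Security.Principal;

public static class AdminGate
{
    // Assumption: the group this service treats as "admin"; substitute your own.
    public const string AdminGroup = @"BUILTIN\Administrators";

    // Throws unless the caller is authenticated and a member of AdminGroup.
    public static void Demand(IPrincipal caller)
    {
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");

        if (!caller.IsInRole(AdminGroup))
            throw new SecurityException(
                "Caller '" + caller.Identity.Name + "' is not a member of " + AdminGroup + ".");
    }

    // Runs the privileged action only after the check; returns false if refused.
    public static bool TryRun(IPrincipal caller, Action privileged)
    {
        try { Demand(caller); }
        catch (SecurityException ex)
        {
            Console.Error.WriteLine("DENIED: " + ex.Message); // keep a record of refused calls
            return false;
        }
        privileged();
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principals standing in for the web service's User property.
        IPrincipal admin = new GenericPrincipal(new GenericIdentity(@"CORP\alice"), new[] { AdminGate.AdminGroup });
        IPrincipal user = new GenericPrincipal(new GenericIdentity(@"CORP\bob"), new string[0]);
        IPrincipal anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Action createVDir = () => Console.WriteLine("virtual directory code would run here");
        Console.WriteLine("admin allowed: " + AdminGate.TryRun(admin, createVDir));
        Console.WriteLine("user allowed:  " + AdminGate.TryRun(user, createVDir));
        Console.WriteLine("anon allowed:  " + AdminGate.TryRun(anon, createVDir));
    }
}
```

In an .asmx web method the first statement would be AdminGate.Demand(User); with Windows authentication on the service and anonymous access off, User is the caller's Windows principal and the same IsInRole check applies.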
Eskimo - 22 Nov 2004 16:57 GMT
Dan,

What can I do to "You'd have to override code access security for these
specific operations" ?

Where do I start with code access security?  I did give fulltrust to the
assembly calling the IIS stuff with caspol -af <DLL ASSEMBLY> I was wanting
to use full trust with...

I have an n-tier application, with a set of objects that manipulate ADSI
with the .NET framework classes found in System.DirectoryServices.

