Network access from c# code (called from ASP.Net)

Guest

Hello
We have a web application written in ASP.Net that calls an external C# program (.exe). This C# program needs to access data from a different server and is not able to do so. We use impersonate in the web config for the ASP code to be able to access the network and it is working fine. But since the C# exe is being called from the ASP code, it is apparently not running with the privileges of the userID specified in the web.config for the ASP code.
We tried trusting this assembly using the .Net Framework wizard to the highest level possible, but that didn't help. If we change the machine.config and hardcode the userid and password in the "process model" (change the system/autogenerate), the C# program is able to access the network, but I am not sure that is the right way to do this.
We call the exe by using System.Diagnostics.Process.Start (we specify the startinfo.filename as the filename of the C# exe to execute).

We don't have the C# code (just the exe), so putting the functionality of the C# program into the ASP page code is not an option.

Could someone please help figure out the ideal way to do this?
Thanks
 
DM McGowan II

Joseph said:
Hello,
We have a web application written in ASP.Net that calls an external
C# program (.exe). This C# program needs to access data from a different
server and is not able to do so. We use impersonate in the web config for
the ASP code to be able to access the network and it is working fine. But
since the C# exe is being called from the ASP code, it is apparently not
running with the privileges of the userID specified in the web.config for
the ASP code.
We tried trusting this assembly using the .Net Framework wizard to the
highest level possible, but that didn't help. If we change the
machine.config and hardcode the userid and password in the "process model"
(change the system/autogenerate), the C# program is able to access the
network, but I am not sure that is the right way to do this...
We call the exe by using System.Diagnostics.Process.Start (we specify the
startinfo.filename as the filename of the C# exe to execute)
We don't have the C# code (just the exe), so putting the functionality of
the C# program into the ASP page code is not an option.
Could someone please help figure out the ideal way to do this?
Thanks

I'd recommend this article that a friend had sent to me.
http://www.15seconds.com/Issue/020312.htm
 
Guest

Thank you for your quick response... I am able to get the application to work by modifying the process model user ID/password in the machine.config. The only concern I have with this approach is that any other .Net web application that I install on this server will automatically get the rights that this user ID has and that is not something desirable. Is there a way that I can give these rights only to the C# program that I am calling in my code (and not to any other application that might be installed at a later point in time)?

Thanks
 
DM McGowan II

Joseph said:
Thank you for your quick response... I am able to get the application to
work by modifying the process model user ID/password in the machine.config.
The only concern I have with this approach is that any other .Net web
application that I install on this server will automatically get the rights
that this user ID has and that is not something desirable. Is there a way
that I can give these rights only the C# program that I am calling in my
code (and not to any other application that might be installed at a later
point in time)?

This might be what you're looking for, search VS.NET docs for "Impersonating
and Reverting". It appears to work similarly (in function) to the su command
on UNIX.
 
Yan-Hong Huang[MSFT]

Hello Jose,

For this question, please refer to this KB article:
"INFO: Implementing Impersonation in an ASP.NET Application"
http://support.microsoft.com/?id=306158

You can refer to the "Impersonate a Specific User for All the Requests of
an ASP.NET Application" part in this article.
1) Grant the "Act as part of the operating system" privilege to the ASPNET
account (the least privileged account). In this way, you can grant right in
a special location and then undo the impersonation when finished.
2) Change the account that the Aspnet_wp.exe process runs under. However,
this may not be what you want.

Specially, you can Impersonate a user in code according to the other two
methods in that KB article. Please try them and let us know whether it
works for you.

Does that answer your question?

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Yan-Hong Huang[MSFT]

Hello Joseph,

When you change machine.config to a network logon ID, the asp.net worker
process is spawned under that network logon ID identity. Also, the spawned C#
program process is under that network logon ID identity. You can prove it
by watching task manager in the system.

When you change to that network logon ID in web.config, the asp.net worker
process is still spawned under the aspnet account. However, the execution
context of the asp.net worker process is that network logon ID. So you can
access network resources in asp.net code successfully. However, when you
spawn a C# program, that C# program is still under the aspnet account (not
that network logon ID). The aspnet account is a local account and may not
have access to that network resource. Even after you add it to the admin group,
it is still a local admin account. That should be the reason of the
program. I think you can also watch task manager in the system this time to
see the user name of this C# program.

To resolve it, we need to:

1) Change processmodel to the network logon ID in machine.config, as what
you did now.
2) You may also change the source code of that C# application, make network
logon ID and password as its parameters, and call LogonUser in that C#
program. So when you use CreateProcess to run C# program, the C# program
will impersonate by itself. This may resolve the problem for you. And it
won't affect other web applications on your machine.

If anything is unclear, please feel free to post here. Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Hello Yanhong,
Thank you for your suggestions... the only concern I have about changing the id/pwd in the processmodel is that every other asp application that is installed on this server will also have this same access and that is a risk that I am concerned about. Is there any way to ensure that only this C# program gets to use this network ID/pwd for access?
Unfortunately, we don't have access to the C# program (it is a third party program) - else the best way would have been to implement that C# program code (or at least the network access part of it) in the web application itself where it could use the ID/pwd specified in the "impersonate" of the web.config.

Could you suggest some way of ensuring that only this program gets to use this ID?
Thanks again for your help.
- Joseph
 
Yan-Hong Huang[MSFT]

Hello Joseph,

If we change username/password in the machine.config file, all the web
applications using that version of asp.net will use that identity. This
can't be changed in asp.net application.

I totally understand your concern. That is also why I suggest you change
the code of that C# program. However, it seems that you can't do that
either due to not having source code.

There is no way to change the behavior if you use CreateProcess. I have
some other suggestions for you:

1) Call CreateProcessWithLogonW to launch that C# program. This API has
username and password parameters. It may have the C# application run under a
network logon ID.

2) Or change the authentication level of that network resource so that it
can trust the aspnet account of your local machine.

Thanks.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

Thank you for your response Yanhong. I haven't used the CreateProcessWithLogonW yet - but it sounds promising! I will read up about that and hopefully that will help. I will update you on what I find.

Thanks once again
Regards
- Joseph
 
Yan-Hong Huang[MSFT]

Hi Joseph,

It is my pleasure to be of assistance. The key point here is to watch task
manager to see the owner of the C# process. If it changes to that domain
user account, then it should be OK. If it is still aspnet, then we have to
change machine.config to do that.

Thanks for working with us so closely. :)

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
