What account permissions are required for HttpListener.Start()?

Guest

With a least-privilege user account (LUA), HttpListener.Start() throws an
HttpListenerException with ErrorCode == 5 (ERROR_ACCESS_DENIED). This does
not occur when the user is a member of the Administrators group.

There's no mention of what privileges the current user requires in order to
use this method in the documentation for this method.

What permissions must be granted to a user account in order to call this
method?

In a more general sense, where can we find user account access permission
requirements for all .NET framework methods?
 
Michael Nemtsev

Hello Peter Ritchie [C# MVP],

Did you try the sample from there: http://msdn2.microsoft.com/en-us/library/system.net.httplistener.aspx
?

Do you use SSL?

P> With a least-privilege user account (LUA), HttpListener.Start() throws an
P> HttpListenerException with ErrorCode == 5 (ERROR_ACCESS_DENIED).
P> This does not occur when the user is a member of the Administrators
P> group.
P>
P> There's no mention of what privileges the current user requires in
P> order to use this method in the documentation for this method.
P>
P> What permissions must be granted to a user account in order to call
P> this method?
P>
P> In a more general sense, where can we find user account access
P> permission requirements for all .NET framework methods?
P>
---
WBR,
Michael Nemtsev :: blog: http://spaces.msn.com/laflour

"At times one remains faithful to a cause only because its opponents do not
cease to be insipid." (c) Friedrich Nietzsche
 
Guest

While the HttpListenerContext would ease elevating the privileges for that
particular call (instead of resorting to full-blown impersonation), it
doesn't provide detail to create a user account or context with
least privileges. E.g., yes, I can use an administrative account for the
context to make the call to HttpListener.Start() work; but that elevates the
privileges too high (I'm assuming Start() doesn't need full administrator
privileges) and I still need to know what minimum access an account
requires in order to use this method.

Thanks -- Peter.
 
Steven Cheng[MSFT]

Hello Peter,

Thank you for posting.

As for the HttpListener's permission issue you mentioned, based on my
research, it is caused by the URLACL of the Windows XP or Windows 2003's
HTTP.SYS kernel module. By default only SYSTEM or the local Administrators
group can listen to HTTP prefixes. If you want to let other custom accounts
listen on certain URL prefixes, you need to explicitly grant access to
other accounts.

For this it is convenient to use the httpcfg.exe tool, for example:

httpcfg.exe set urlacl /u http://localhost:80/StevenCheng/ /a D:(A;;GX;;;WD)

In the above command, "set urlacl" means we'll add a URLACL configuration
entry. The URLACL's URL is specified through the /u switch, and the security
ACL is supplied through the /a switch (as an SDDL string).

In the above example, "D:(A;;GX;;;WD)" means we grant (A) Generic Execute
permission (GX) to everyone (WD). If we want to grant permission to a
specific user, we need to use that user account's SID (to replace the WD
here).

There is a tool named "GetSid.exe" in the platform sdk which can help
conveniently get sid string of a specific user account.

The httpcfg.exe tool can be obtained through the Windows XP SP2 support tools or
Windows 2003 SP1 support tools (getsid.exe is also included in the tools):

#Windows Server 2003 Service Pack 1 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&DisplayLang=en

#Windows XP Service Pack 2 Support Tools
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

In addition, I've also noticed that the existing documentation on the
HttpListener class is far from complete and hasn't mentioned most of the
things I listed here. Regarding this, I've also sent the feedback to our
internal dev team so that they can notice this doc problem. Meanwhile, I
would also recommend you submit this request and feedback about this in our
product feedback center so that our dev team can also hear more about the
products and docs from the community.

Thanks for your understanding!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead






This posting is provided "AS IS" with no warranties, and confers no rights.
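
The check and the per-account grant described in the reply above, as an added example that is not part of the thread or of any Microsoft sample: it reproduces the ERROR_ACCESS_DENIED case, resolves an account to its SID (the job GetSid.exe does), and prints the reservation command with the SDDL trustee narrowed from Everyone (WD) to that one SID. The class name UrlAclHelper and the default prefix are assumptions, and the netsh line is the equivalent on Windows Vista and later, where httpcfg.exe is not available.

```csharp
// Added example, not from the thread. Placeholder prefix; run as the low-privilege account.
using System;
using System.Net;
using System.Security.Principal;

static class UrlAclHelper // hypothetical helper name
{
    const int ErrorAccessDenied = 5; // ERROR_ACCESS_DENIED, the code reported in the thread

    // Same ACE as the thread's "D:(A;;GX;;;WD)", with the trustee narrowed
    // from Everyone (WD) to one account SID.
    static string BuildSddl(SecurityIdentifier sid)
    {
        return "D:(A;;GX;;;" + sid.Value + ")";
    }

    static int Main(string[] args)
    {
        // args[0]: URL prefix (must end with '/'); args[1]: optional account, e.g. a service account.
        string prefix = args.Length > 0 ? args[0] : "http://localhost:8080/Example/";
        NTAccount account = new NTAccount(args.Length > 1 ? args[1] : WindowsIdentity.GetCurrent().Name);
        // Translate does what GetSid.exe is used for in the thread.
        SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

        using (HttpListener listener = new HttpListener())
        {
            listener.Prefixes.Add(prefix);
            try
            {
                listener.Start();
                Console.WriteLine("OK: the current account may listen on " + prefix);
                listener.Stop();
                return 0;
            }
            catch (HttpListenerException ex)
            {
                if (ex.ErrorCode != ErrorAccessDenied) throw;
                Console.WriteLine("Access denied for " + prefix + ". From an administrator prompt, run:");
                // Windows XP SP2 / Server 2003 (httpcfg.exe, as in the thread):
                Console.WriteLine("  httpcfg.exe set urlacl /u " + prefix + " /a " + BuildSddl(sid));
                // Windows Vista and later ship netsh instead of httpcfg:
                Console.WriteLine("  netsh http add urlacl url=" + prefix + " user=\"" + account.Value + "\"");
                return 1;
            }
        }
    }
}
```

Reserving the narrowest prefix the service needs, for the one account that runs it, keeps other local accounts from registering listeners under the same URL namespace.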
 
Steven Cheng[MSFT]

Hi Peter,

Sorry, I forgot the feedback site link in my last reply; here it is:

#Visual Studio and .NET Framework Feedback
http://connect.microsoft.com/feedback/default.aspx?SiteID=210

If anything is unclear in my last reply, please feel free to let me
know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 
Steven Cheng[MSFT]

Thanks for your response Peter,

No prob! If you meet any further problems or anything else needs
clarification, please feel free to post here.

BTW, actually I also plan to write a blog entry about this issue :).

Good luck!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 
Flowering Weeds

"Peter Ritchie [C# MVP]"

You only used the .NET documents
try the real docs too! :)

HTTP Server API Start Page [HTTP] Version 1.0
http://msdn.microsoft.com/library/en-us/http/http/http_api_start_page.asp

HTTP Server API Version 2.0 Reference [HTTP]
http://msdn.microsoft.com/library/en-us/http/http/http_server_api_version_2_0_reference.asp

MSDN Search
http://search.msdn.microsoft.com/search/default.aspx?siteId=0&tab=0&query=httpcfg

HttpCfg ACL Helper
http://www.leastprivilege.com/HttpCfgACLHelper.aspx

MSN Search
http://search.msn.com/results.aspx?q=+HttpCfg

And the creators of Http.sys

Windows Network Development platforms,
technologies and APIs such as Winsock,
WSK, WinINet, Http.sys, WinHttp, QoS
and System.Net

Windows Network Development
http://blogs.msdn.com/wndp/

.NET Framework Networking and Communication
http://forums.microsoft.com/msdn/showforum.aspx?forumid=40&siteid=1

Be aware IIS6 thinks they own http.sys
themselves - and almost all doc writers
believe so too! IIS7 and Http.sys play
a lot better with other http.sys processes!

IIS.net : Vista Editions and IIS 7 Features :
Microsoft Internet Information Services
http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=1100

Enjoy!
 
