Process start and Impersonation
I have a problem with starting processes in an impersonated context in ASP.NET 2.0.
I am starting a new Process in my web service code. IIS 5.1, .NET 2.0.
    [WebMethod]
    public string HelloWorld()
    {
        string path = @"C:KBGetWindowUser.exe";
        ProcessStartInfo startInfo = new ProcessStartInfo();
        startInfo.WorkingDirectory = Path.GetDirectoryName(path);
        startInfo.FileName = path;
        startInfo.UseShellExecute = false;
        startInfo.CreateNoWindow = true;
        startInfo.ErrorDialog = false;
        // Capture the child's stdout and stderr instead of showing a console
        startInfo.RedirectStandardOutput = true;
        startInfo.RedirectStandardError = true;
        Process docCreateProcess = Process.Start(startInfo);
        string errors = docCreateProcess.StandardError.ReadToEnd();
        string output = docCreateProcess.StandardOutput.ReadToEnd();
        return output;
    }
The "C:KBGetWindowUser.exe" is a console application containing the following code:
    static void Main(string[] args)
    {
        Console.WriteLine("Windows: " + WindowsIdentity.GetCurrent().Name);
    }
When I invoke the web service without impersonation, everything works fine.
When I turn on impersonation, the following error is written to the "errors" variable in the web service code:
    Unhandled Exception: System.Security.SecurityException: Access is denied.

       at System.Security.Principal.WindowsIdentity.GetCurrentInternal(TokenAccessLevels desiredAccess, Boolean threadOnly)
       at System.Security.Principal.WindowsIdentity.GetCurrent()
       at ObfuscatedMdc.Program.Main(String[] args)
    The Zone of the assembly that failed was:
    MyComputer
The impersonated user is a local administrator and has access to the C:KBGetWindowUser.exe executable.
When I specify the Windows user explicitly in the ProcessStartInfo properties Domain, User and Password, I get the following message: http://img201.imageshack.us/img201/5870/pstartah8.jpg
Is it possible to start a process with different credentials than ASPNET from ASP.NET (IIS 5.1)?
You have to put privileged code into the GAC (or run in Full trust).
The code in the GAC must assert the XXXPermission, where XXX is whatever permission you are requesting, be it impersonation, access to the hard drive or what have you.
You should revert the assert immediately afterwards.
You should make sure that the API on your DLL that you put in the GAC has no opportunities for abuse. For example, if you were writing a website for letting users back up the server via a command line application, your API should only expose a method like "BackUp()" and not "LaunchArbitraryProcess(string path)".
The web.config file must have impersonation set up as well, or you will run into NTFS permission problems as well as CAS.
Here is the complete explanation.
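The pattern this answer describes, sketched as an added example (not part of the original answer or of any project's code): a strong-named assembly for the GAC that exposes only a fixed BackUp() operation, asserts permission just around the launch, and reverts the assert in a finally block. The namespace, class name and tool path are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;

// Lets partially trusted web code call into this strong-named assembly.
// The assembly must be strong-named to be installed in the GAC.
[assembly: AllowPartiallyTrustedCallers]

namespace Example.Privileged   // hypothetical namespace
{
    public static class BackupLauncher   // hypothetical class name
    {
        // Assumption: the single executable this API may start. It is a
        // constant, so callers cannot choose the path or the arguments.
        private const string ToolPath = @"C:\Tools\backup.exe";

        // Narrow entry point: no path, argument or credential parameters.
        public static string BackUp()
        {
            // Stop the CAS stack walk here so the partially trusted caller
            // is not checked. Unrestricted is the broadest assert, so the
            // asserted region is kept as small as possible.
            new PermissionSet(PermissionState.Unrestricted).Assert();
            try
            {
                ProcessStartInfo psi = new ProcessStartInfo(ToolPath);
                psi.UseShellExecute = false;
                psi.CreateNoWindow = true;
                psi.RedirectStandardOutput = true;
                using (Process p = Process.Start(psi))
                {
                    string output = p.StandardOutput.ReadToEnd();
                    p.WaitForExit();
                    return output;
                }
            }
            finally
            {
                // Revert even if Process.Start throws, so the assert never
                // outlives this method's privileged section.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```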
You might also try wrapping your code inside
    using (Impersonator person = new Impersonator("domainName", "userName",
        "password"))
    {
        // do something requiring special permissions
    }
as mentioned in http://www.devnewsgroups.net/group/microsoft.public.dotnet.framework.windowsforms/topic62740.aspx
What exactly are you trying to do? I can't quite see what the point of your code is in creating a different executable. It looks rather odd. Perhaps it would be more helpful to state the business problem you are trying to solve first.