IIS 6 & Server Permissions
| GingerNinja 2004-10-29, 7:48 am |
| I've tried posting this a couple of days ago and it didn't seem to make
it to the server so I'll try again.
I have a VB COM DLL that is fired from an ASP page which calls an
executable on the server which zips up some files. This works fine for
a Win 2000 or XP running IIS 5 but does not run on Windows 2003 IIS6.
The executable works if you run it in the command line but not when
it's called from the website. My hunch on this one tells me it's a
permissions thing, but being quite new to Windows 2003 server and IIS
6 I'm not sure what to look at. If anyone else has come across this
type of problem and has found a workaround then please let me know.
This website is an internal intranet and as such won't be exposed to
the outside world, so security isn't so much of an issue.
| |
| Showkat Lone [MSFT] 2004-10-30, 5:49 pm |
| Hi,
What error do you get?
Follow these articles and see if this resolves your problem.
Serve Unknown MIME Types
http://support.microsoft.com/?id=326965
812614 Default permissions and user rights for IIS 6.0
http://support.microsoft.com/?id=812614
Thanks
Showkat [MSFT]
| |
| GingerNinja 2004-10-30, 5:49 pm |
| Thanks for the reply, just to be extra helpful IIS isn't throwing back
an error, the code continues as though everything is fine.
Sorry this is a bit vague, if I had more indication from IIS as to the
problem I'd be able to google it better, I'm clutching at straws for
this one.
| |
| David Wang [Msft] 2004-11-01, 7:48 am |
| Just to be clear -- you are having an application-level problem that has
nothing to do with IIS. In other words, IIS is merely running some external
process to do something -- what that code does with errors, IIS has no idea
nor responsibility. Thus, the lack of information is due to no fault of IIS
and is practically by-design. OS/IIS gives application full
control/responsibility to do that. Whether the application deals with it
instead of ignoring it via ON ERROR RESUME NEXT, that's up to the
application.
I don't have the documentation on this handy, but you should know that by
default (and it's configurable), remote-authenticated users from IIS web
pages cannot launch any commands from the System32 directory -- in
particular, CMD.EXE -- so you can't shell out to run any programs, etc,
unless you are directly calling CreateProcess* APIs. Only Administrators
have default rights to do this.
Also, you haven't given information on whether the failure happens:
1. Because the VB COM Object cannot be instantiated
2. Because the VB COM Object failed to access the EXE on the server
3. The EXE on the server failed to access the files to ZIP it
4. The EXE on the server failed to create the ZIP file in the specified
folder
IIS is not responsible for any of these failures. You may find an ASP error
when #1 happens, but the VB COM Object is responsible for reporting #2, #3,
#4.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
| GingerNinja 2004-11-01, 7:48 am |
| > but you should know that by
> default (and it's configurable), remote-authenticated users from IIS web
> pages cannot launch any commands from the System32 directory -- in
> particular, CMD.EXE -- so you can't shell out to run any programs
That's strange because this works on Windows 2000, Windows XP Prof and
Windows NT out of the box. Perhaps because these operating systems aren't
specifically server o/s's we are less restricted on what we can do, in
which case the Windows 2003 server needs reconfiguring, I've checked
like for like (as best I can on IIS 5 -> IIS 6) and they seem the same.
> 1. Because the VB COM Object cannot be instantiated
I previously said that the code continues, so the vb object is
definitely being created, in fact the line after the exe is called it
deletes the files that have just been zipped so I know it's continuing
its execution
> 2. Because the VB COM Object failed to access the EXE on the server
> 3. The EXE on the server failed to access the files to ZIP it
> 4. The EXE on the server failed to create the ZIP file in the specified
> folder
For the last 3, because this works on all the other OS's I wouldn't
consider this to be a problem UNLESS it were an IIS or broader Windows
2003 configuration issue, which just brings me around to my main
question.
| |
| David Wang [Msft] 2004-11-01, 5:53 pm |
| > That's strange because this works on Windows 2000,
> Windows XP Prof and Windows NT out of the box.
> Perhaps because these operating systems aren't
> specifically server o/s's we are less restricted on
> what we can do, in which case the Windows 2003
> server needs reconfiguring
As I've said, this is a security change explicitly made on Windows Server
2003. It consists of several interacting parts, some of which are
configurable (like file ACLs) and others are not configurable (like compiled
code is different).
I can say that Code Red worked on Windows NT and Windows 2000 out of the
box -- is it Windows Server 2003 that needs to be reconfigured or the older
OS?
> For the last 3, because this works on all the other OS's I
> wouldn't consider this to be a problem UNLESS it were an
> IIS or broader Windows 2003 configuration issue,
> which just brings me around to my main question.
ACLs and security permissions have changed on Windows Server 2003 which may
affect compatibility. I suggest troubleshooting the application to
determine which permission it is now lacking and consciously decide whether
it needs it or not.
Prior versions of IIS gave applications infinite power so everything
magically worked. That is insecure design, so on IIS6, applications have
minimal power, so everything requires explicit configuration to function.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
| GingerNinja 2004-11-03, 7:48 am |
| So you've essentially come around full circle to tell me it's a
configuration issue... well I knew that already... so thanks!!
If anyone stumbles on what has become a right mess of a thread, and they
have the same problem as I did, then the answer is.... look at your
Application Pooling settings for your website, once I reduced mine from
"Network Security" to "Local System" my exe could be called from the COM
object and everything was running as it should.
HOWEVER I must point out (only because some other smart XXX will if I
don't) .... your Application Pooling has been set to "Network Service"
for increased security, if you reduce it to "Local Service" or "Local
Security" you are obviously increasing the security risk to your server.
One option is to create a new Application Pool and set the permissions
on that one, then add your site to the new Application Pool, at least
then you won't be increasing the risk through all your sites... still not
a great idea and you'll have to think about whether it's not better
trying to work around the problem instead of this option, but the
information is here, use it as you will.
I hope this thread is of use to someone... because it wasn't to me!!
Thank you and goodnight
| |
| David Wang [Msft] 2004-11-04, 2:46 am |
| I'm sorry, but I cannot just tell you the answer. I'd rather people take
information, learn, and figure it out.
If I just told you to change the AppPool Identity to LocalSystem, no
information-transfer would have ever happened (in fact, there are several
OTHER caveats on this whole subject of launching code on IIS6 with
CreateProcess() which may subsequently invoke CMD.EXE, but I will leave it
to another day when someone is actually interested... I will simply make the
comment that if you avoid calling CMD.EXE after being invoked via
CreateProcess(), you would do well).
I'm sorry if you think it was a waste of your time because you simply
expected direct answers to your questions.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
| GingerNinja 2004-11-04, 7:48 am |
| > I'm sorry, but I cannot just tell you the answer. I'd rather
> people take information, learn, and figure it out.
Who do you think you are, Yoda?!?!?
> I'm sorry if you think it was a waste of your time because
> you simply expected direct answers to your questions.
WHAT!!! Why would I ask a question if I didn't want a direct answer, it's
not:
microsoft.public.iwantvagueanswerstomyquestions.nothelpfullsoltuions
Seriously I think this thread is in danger of becoming a slanging
match... I'm sure you're a nice guy David and I'm sure you're just trying to
help, and for what it's worth I DO appreciate you responding to my
thread, after all you don't have to, right?
But I personally think that if you know the answer to a question you
should give it, tell them the caveats (if there are any) and let them
deal with the consequences, it's THEIR choice.
For me personally I needed a solution as quickly as possible. For now,
at least we have a solution and I will be considering removing that
section completely and finding an alternative, I never liked it to begin
with and now I have the breathing room to find a more "elegant" secure
solution.
| |
| Aubrey 2004-11-05, 5:50 pm |
| Hi there,
I'm having the same problem, maybe someone else could contribute to a solution.
I'm using ASP pages on Windows 2003, previously on Windows 2000 where I was
instantiating a Java component with an ActiveX wrapper. I have tested this by
using a vbs script to call the component and it works as expected, but
unfortunately not when called from within the ASP page served by IIS6. Nothing
happens on the pages, it just hangs.
If it's a permission setting how will I change it, since the component isn't
registered in COM+? Or do I have to add read and execute to the entire JRE
folder?
Thanks
Aubrey
| |
| David Wang [Msft] 2004-11-06, 2:46 am |
| Hanging does not sound like a permissions problem. If code doesn't have
permissions to do something, it is an immediate "access denied" sort of
failure. The OS isn't going to ponder about it.
It sounds like maybe the Java component has retry logic on failures, so when
it is failing now (possibly due to permissions), it is infinitely
retrying -- thus looking like a hang. Can you figure out if the hang
happens when trying to instantiate the wrapper or when invoking a method (so
that you can narrow down the problem and hopefully you have source code to
this component)?
If you wrote this component, I suggest debugging its sources. If this
component comes from someone else, I suggest obtaining support for it. I
have no idea what permissions this component requires, so it is not clear
what needs to be added.
ASP uses the impersonated identity to execute pages, so if you say that your
user identity can make it work from vbscript on this server, then you should
try disabling Anonymous authentication and enabling Basic Authentication on
the vdir containing this ASP page, browse to it using your user identity (so
request should be authenticated using your user identity -- very similar to
when you execute the code from vbscript), and see what happens.
If Basic auth still fails, then I suspect it is because the token obtained
by IIS is not exactly the same token you have -- in particular, your user
token is "Interactive Logon" (i.e. you hit Ctrl-Alt-Del and logged yourself
onto the machine) while the IIS-obtained token is "Network Logon". Some
files on the system distinguish between these logon types -- maybe they
are causing your issues. For example, CMD.EXE is accessible to "Interactive
Logon" users but NOT "Network Logon" users -- thus it is normally
inaccessible from IIS. This is a by-design security feature on Windows
Server 2003.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
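The logon-type distinction described in the post above, as an added example that is not part of the original thread: a simplified Python model of the DACL access check, showing why the same account passes with an "Interactive Logon" token and fails with a "Network Logon" token, mapped to failure points 2 to 4 listed earlier in the thread. The ACLs, the account SID `SID_ALICE` and the dedicated `ZIP_EXE` tool are constructed assumptions, not values read from a real server; owner rights, privileges and inheritance are ignored.

```python
from dataclasses import dataclass

# File access-mask bits (values from winnt.h).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_EXECUTE = 0x0020
RX = FILE_READ_DATA | FILE_EXECUTE
FULL = RX | FILE_WRITE_DATA

# Well-known SIDs; SID_ALICE is a constructed account SID.
SID_NETWORK = "S-1-5-2"
SID_INTERACTIVE = "S-1-5-4"
SID_AUTH_USERS = "S-1-5-11"
SID_LOCAL_SYSTEM = "S-1-5-18"
SID_ADMINISTRATORS = "S-1-5-32-544"
SID_USERS = "S-1-5-32-545"
SID_ALICE = "S-1-5-21-1111-2222-3333-1001"


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int


def access_check(token_sids, dacl, desired):
    """Walk the ACEs in order. A matching deny ACE that covers a bit still
    being asked for fails at once; matching allow ACEs accumulate bits.
    Access is granted only when every desired bit has been allowed."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif ace.mask & remaining:
            return False
    return remaining == 0


# Same account, two logon types: only the logon-type SID in the token differs.
_BASE = {SID_ALICE, SID_USERS, SID_AUTH_USERS}
TOKEN_INTERACTIVE = frozenset(_BASE | {SID_INTERACTIVE})
TOKEN_NETWORK = frozenset(_BASE | {SID_NETWORK})
# LocalSystem carries the Administrators group in its token.
TOKEN_LOCAL_SYSTEM = frozenset({SID_LOCAL_SYSTEM, SID_ADMINISTRATORS, SID_AUTH_USERS})

# Constructed DACLs. CMD_EXE follows the post's description: Administrators
# and interactive logons may run it, network logons have no ACE at all.
CMD_EXE = [Ace(True, SID_ADMINISTRATORS, FULL), Ace(True, SID_INTERACTIVE, RX)]
SOURCE_DIR = [Ace(True, SID_ADMINISTRATORS, FULL),
              Ace(True, SID_USERS, FILE_READ_DATA)]
OUTPUT_DIR = [Ace(True, SID_ADMINISTRATORS, FULL),
              Ace(True, SID_ALICE, FILE_READ_DATA | FILE_WRITE_DATA)]
# Hypothetical dedicated zip tool with an explicit ACE for the one account
# that needs it, instead of raising the worker process to LocalSystem.
ZIP_EXE = [Ace(True, SID_ADMINISTRATORS, FULL), Ace(True, SID_ALICE, RX)]


def first_failing_step(token_sids, exe_dacl, source_dacl, output_dacl):
    """Return 2, 3 or 4 (the thread's numbering) for the first access the
    token is denied, or None when all three accesses succeed."""
    checks = (
        (2, exe_dacl, RX),                  # launch the EXE
        (3, source_dacl, FILE_READ_DATA),   # read the files to zip
        (4, output_dacl, FILE_WRITE_DATA),  # create the ZIP file
    )
    for step, dacl, desired in checks:
        if not access_check(token_sids, dacl, desired):
            return step
    return None


if __name__ == "__main__":
    cases = (
        ("interactive logon, cmd.exe", TOKEN_INTERACTIVE, CMD_EXE),
        ("network logon, cmd.exe", TOKEN_NETWORK, CMD_EXE),
        ("LocalSystem, cmd.exe", TOKEN_LOCAL_SYSTEM, CMD_EXE),
        ("network logon, dedicated tool", TOKEN_NETWORK, ZIP_EXE),
    )
    for name, tok, exe in cases:
        step = first_failing_step(tok, exe, SOURCE_DIR, OUTPUT_DIR)
        print(f"{name}: {'ok' if step is None else f'fails at step {step}'}")
```
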
| Joe Milli 2004-11-09, 5:53 pm |
| Wait a minute, I'm having similar problems also and enjoy the banter on this
thread probably because I have little experience W/IIS6.
I am running a simple Java applet hitcounter that works great when browsed
to from the directory, but in IIS6 2003 Server it doesn’t count. I have
opened security as much as I can with no results. I was wondering if it had
something to do with Web Server Extensions. No extensions were listed for
java or class. I'm bewildered.
| |
| GingerNinja 2004-11-10, 2:49 am |
| Glad you're enjoying the show ;-)
OK I guess the first question would be how are you storing your hits,
perhaps by database or on the file system. I guess I would check all the
folder permissions to see if I had access, perhaps set full access to
everyone, the main thing is to get it working then worry about the
security afterwards.
Have you tried what I ended up doing to solve my problem? You may not
like it as a long term solution but it's worth a try to see if it makes a
difference.
| |
| David Wang [Msft] 2004-11-11, 2:47 am |
| I suggest you revert all your changes and start troubleshooting your
symptoms/configuration BEFORE making any system changes. It is possible for
your system changes to be insecure or otherwise prevent other software from
functioning in random ways, so -- you have been warned.
Now, is this Java application running on the Web Server or the Web Browser?
In other words, does it run on the server, generate HTML, and send the HTML
back to the client, or does it run on the client and dynamically display
data?
If it is supposed to be running on the Web Server, then you need to
configure a Web Service Extension as well as an Application Scriptmap to
instruct IIS to launch the Java environment to handle the Java requests.
You do the exact same things on all IIS versions, and IIS6 requires the
additional Web Service Extension step.
If it is supposed to be running on the Web Browser, then you need to
configure IIS to allow the files which constitute the Java applet to be
downloadable to the client (i.e. allow .class , .jar files to be
downloadable by adding them to the MIME Type of the website). This is also
exactly the same on all IIS versions, and IIS6 requires the MIME Type step
to allow file download.
Finally, where is the Applet trying to store the hit counters? If it is
storing it in a location it doesn't have access to, then it will fail, and
that is by-design.
My suspicion is that when you browse the applet from the directory, it
launches with your credentials, and it writes its counters SOMEWHERE on the
system (I have no idea where) using your credentials -- and if you run with
administrative privileges, it likely works.
If this applet is running on the Web Browser, it should behave similarly
(since your credentials will be used to download/retrieve the applet from
the Web Server and launched on the client -- basically the same as the
working situation).
If this applet is running on the Web Server, it will now be running as some
configured identity (unknown, since it depends on configuration), and it
tries to write those counters SOMEWHERE using that credential -- and it
likely fails on IIS6 since it runs as an unprivileged user by default. One
alternative, of course, is to run IIS6 with a very privileged user so that
bad code like your applet works, but realize that you are increasing your
security risk. The other is to change the ACL on the resource such that it
is accessible to a more unprivileged user, and once again, you potentially
increase your security risk, depending on the location of the resource.
Bottom line: IIS6 runs in a secure configuration and requires you to make the
correct security decisions to obtain the functionality you want. The user
has a significant responsibility in maintaining their server's security.
Believe it or not, most existing software is not exactly secure, and if
it is not designed with a secured server in mind, it likely fails in
random ways.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
| Joe Milli 2004-11-12, 5:50 pm |
| Thank you Dave. I am running a server side applet. Please direct me to a
link where I can find the correct changes to make in IIS6. I think this is
where I'm failing as mentioned earlier. Plus, I don't know IIS and am finding
it difficult to locate pertinent information on this subject. I have MS Win
Server 2003 Administrators Companion (book), and looked through many sites
and see only general information. As mentioned earlier I agree, it's related
to the Web Services Ext and ? App-scriptmap as you pointed out. But what
changes do I need? Also, I think we all can agree that security is of major
importance.
jm
"David Wang [Msft]" wrote:
> I suggest you revert all your changes and start troubleshooting your
> symptoms/configuration BEFORE making any system changes. It is possible for
> your system changes to be insecure or otherwise prevent other software from
> functioning in random ways, so -- you have been warned.
>
> Now, is this Java application running on the Web Server or the Web Browser.
> In other words, does it run on the server, generate HTML, and send the HTML
> back to the client, or does it run on the client and dynamically display
> data?
>
> If it is supposed to be running on the Web Server, then you need to
> configure a Web Service Extension as well as an Application Scriptmap to
> instruct IIS to launch the Java environment to handle the Java requests.
> You do the exact same things on all IIS versions, and IIS6 requires the
> additional Web Service Extension step.
>
> If it is supposed to be running on the Web Browser, then you need to
> configure IIS to allow the files which constitute the Java applet to be
> downloadable to the client (i.e. allow .class , .jar files to be
> downloadable by adding them to the MIME Type of the website). This is also
> exactly the same on all IIS versions, and IIS6 requires the MIME Type step
> to allow file download.
>
> Finally, where is the Applet trying to store the hit counters? If it is
> storing it in a location it doesn't have access to, then it will fail, and
> that is by-design.
>
>
> My suspicion is that when you browse the applet from the directory, it
> launches with your credentials, and it writes its counters SOMEWHERE on the
> system (I have no idea where) using your credentials -- and if you run with
> administrative privileges, it likely works.
>
> If this applet is running on the Web Browser, it should behave similarly
> (since your credentials will be used to download/retrieve the applet from
> the Web Server and launched on the client -- basically the same as the
> working situation).
>
> If this applet is running on the Web Server, it will now be running as some
> configured identity (unknown, since it depends on configuration), and it
> tries to write those counters SOMEWHERE using that credential -- and it
> likely fails on IIS6 since it runs as an unprivileged user by default. One
> alternative, of course, is to run IIS6 with a very privileged user so that
> bad code like your applet works, but realize that you are increasing your
> security risk. The other is to change the ACL on the resource such that it
> is accessible to a more unprivileged user, and once again, you potentially
> increase your security risk, depending on the location of the resource.
>
>
> Bottom line: IIS6 runs in a secure configuration and requires you to make the
> correct security decisions to obtain the functionality you want. The user
> has a significant responsibility in maintaining their server's security.
> Believe it or not, most existing software is not exactly secure, and if
> it is not designed with a secured server in mind, it likely fails in
> random ways.
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Joe Milli" <Joe Milli@discussions.microsoft.com> wrote in message
> news:1EF5474E-1584-4FC1-B233-6D008452F61A@microsoft.com...
> Wait a minute, I'm having similar problems also and enjoy the banter on this
> thread probably because I have little experience W/IIS6.
> I am running a simple Java applet hitcounter that works great when browsed
> to from the directory, but in IIS6 2003 Server it doesn't count. I have
> opened security as much as I can with no results. I was wondering if it had
> something to do with Web Server Extensions. No extensions were listed for
> Java or class. I'm bewildered.
>
>
> "David Wang [Msft]" wrote:
>
| |
| Jeff Cochran 2004-11-12, 5:50 pm |
| On Fri, 12 Nov 2004 11:38:02 -0800, Joe Milli
<JoeMilli@discussions.microsoft.com> wrote:
>Thank you Dave. I am running a server side applet.
A Java applet/servlet?
>Please direct me to a
>link where I can find the correct changes to make in IIS6.
If a Java servlet, no changes in IIS will help you. IIS doesn't run
Java, you need a Java server such as Tomcat to handle the Java
Servlets.
http://jakarta.apache.org/
Tomcat will run with IIS with some configuring.
Jeff
| |
| David Wang [Msft] 2004-11-12, 8:46 pm |
| Java Servlets are executed via Java Servlet Engines, which are extensions
that hook into IIS as Web Service Extensions to help IIS execute Java
programs (which must run in the JVM). You need to install and configure a
Java Servlet Engine on IIS. A free implementation is Apache Tomcat (please
search for the URL), which can both run independently as well as in Apache
or IIS, all having their own configuration instructions to follow. Other
vendors sell their own implementation as well.
I doubt this sort of stuff would be in any MS documentation -- you are
talking about 3rd party integration, and there are literally millions of such
possibilities -- so this is the sort of thing you'd search the web/community
to find how people use IIS to do various things.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
| |
|
| Hi everyone
I've got the same problem as some of the guys above:
429: ActiveX component can't create object
This component should be created using server.createobject in ASP, but
I'm thinking the asp worker process doesn't have enough rights to create
the object. Using vbscript code on the box running under my credentials
(administrator) the code works, object gets created and functions
properly.
I'd like to know where I should begin looking at the permissions.
1. The credentials under which the website runs in IIS?
2. The credentials under which the application pool that this site
belongs to runs?
3. The credentials under which the component runs in component services?
Specifically my question is: Which objects need their permissions
altered to make provision for creating components in the server
process/thread under which a website runs?
Seems like a simple enough question, and I hope there is someone that's
written the steps down by now, because any website administrator has at
least a few sites that use COM objects.
Thanks in advance.
| |
| David Wang [Msft] 2004-11-28, 7:48 am |
| Your question is worded very simply, but it is actually a very hard and open
ended question. The correct answer is -- It DEPENDS on your object.
Theoretically, you are supposed to know the answer already when you start
using this object. If you install and use an object without knowing its
dependencies, you will inevitably run into problems like this no matter the
platform.
Thus, there aren't any cookbook ways to troubleshoot this. The easiest
solution is probably "run as LocalSystem", but we all know that is a
security hazard that should be avoided. This is one of the reasons that
IIS6 runs with lower privileges by default.
Regarding your questions:
> I'd like to know where I should begin looking at the permissions.
> 1. The credentials under which the website runs in IIS ?
> 2. The credentials under which the application pool that
> this site belongs to runs ?
> 3. The credentials under which the component runs in
> component services ?
Once again, the answer is "it depends".
Basic concept: Windows supports the concept of impersonation, which allows a
process running as one identity to "impersonate" one of its threads to run
as another identity. The reverse of this operation is "RevertToSelf" which
allows the thread to run as the process identity.
Normally, IIS runs code using impersonation, where that identity is obtained
through authentication. Thus, anonymous authentication causes IIS to log in
the configured AnonymousUserName account, while any other authentication
protocol is handled as-is to ultimately produce a user token for IIS to
impersonate. Static files, ISAPI, CGI, and ASP pages all run in this
manner -- so identity really depends on the authentication protocol
configured and in-use between the client and server for that request.
Now, IIS can run arbitrary code, like ISAPI, CGI, and ASP pages can call COM
objects, which are also arbitrary code. IIS obviously cannot control
whether such code calls "RevertToSelf" to use process identity or
re-impersonate any other identity.
Thus, it really depends on the component as to whether your operation is
using impersonated or process identity.
Putting it together to answer your three questions:
1. Authentication controls impersonated identity. Component controls
whether using process or impersonated
2. App Pool Identity controls the process identity. Ditto as #1
3. Component Services controls the process identity. Ditto as #2
My suspicion is that your component is trying to instantiate UI-components,
which will fail on IIS6 due to systemwide security lockdown. You really
want to fix such server-side components to NOT use UI because that will
eventually cause many problems.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
|
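The identity rules described in the replies above (impersonated token versus process identity, and the logon-type SID carried in a token), as an added example that is not part of the original thread: a simplified Python model of an ordered-ACE access check. The account names, the rights bits and both DACLs are constructed for illustration and are not taken from a real server.

```python
from dataclasses import dataclass

INTERACTIVE, NETWORK, SERVICE = "S-1-5-4", "S-1-5-2", "S-1-5-6"  # well-known logon-type SIDs
READ, WRITE, EXECUTE = 1, 2, 4  # simplified rights bits, not the real Windows access masks

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset

@dataclass(frozen=True)
class Ace:
    allow: bool
    trustee: str
    mask: int

def access_check(token, dacl, desired):
    """Walk ACEs in order: a matching deny on a still-needed right fails at once,
    allows accumulate, and any right never granted is implicitly denied."""
    sids = token.groups | {token.user}
    remaining = desired
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
            continue
        remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def effective_token(process, impersonated, reverted_to_self=False):
    """The thread uses the impersonated token unless the component called RevertToSelf."""
    return process if reverted_to_self or impersonated is None else impersonated

# Constructed sample identities (account names are placeholders).
console_admin = Token("Administrator", frozenset({"Administrators", "Users", INTERACTIVE}))
anonymous_user = Token("IUSR_EXAMPLE", frozenset({"Users", NETWORK}))
pool_identity = Token("PoolAccount", frozenset({"Users", SERVICE}))

# Constructed DACLs: one shaped like the CMD.EXE restriction described in the thread,
# one for a data file that only administrators may write.
CMD_DACL = [Ace(True, "Administrators", READ | EXECUTE), Ace(True, INTERACTIVE, READ | EXECUTE)]
DATA_DACL = [Ace(True, "Administrators", READ | WRITE), Ace(True, "Users", READ)]

def request_allowed(dacl, desired, reverted_to_self=False):
    """Access decision for code running inside the worker process on an anonymous request."""
    token = effective_token(pool_identity, anonymous_user, reverted_to_self)
    return access_check(token, dacl, desired)

if __name__ == "__main__":
    print("console admin runs cmd:", access_check(console_admin, CMD_DACL, EXECUTE))
    print("anonymous request runs cmd:", request_allowed(CMD_DACL, EXECUTE))
    print("request writes data file:", request_allowed(DATA_DACL, WRITE))
    print("same after RevertToSelf:", request_allowed(DATA_DACL, WRITE, reverted_to_self=True))
```

The model leaves out privileges, owner rights and restricted tokens, so it shows only why the same code can succeed at the console and fail under a web request.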