IIS Server Security - .net application cannot access metabase.xml iis6

Tessa

2007-01-28, 7:20 pm

Hi,

I have to modify an existing .net windows application that directly edits
the IIS6 metabase.
(I don't have the option of deciding to use ADSI/WMI in a Script because
it's an existing application).

It's been working fine for a long time up to now on our test servers and our
customers' servers (Windows 2003), but now when I've been testing it recently
I get the error
"Could not find file 'C:\WINDOWS\system32\inetsrv\MetaBase.xml'" when the
application tries to read from or write to the metabase.

I have checked - the file is present in the expected location, the Enable
edit while running flag is on in IIS manager,
the ntfs permissions on the file are for Administrators and SYSTEM to have
full control to metabase.xml, and I am running our .net application while
logged in to the server via remote desktop as an administrator, so I would
expect the application to be running with administrative privileges and
therefore be able to read/write to metabase.xml.

Why is this happening and what do I need to do to fix it?

Thanks for any help

Tessa


Tessa

2007-01-29, 1:32 am

Hi,

Thanks for the response,
However, this is an existing .net Windows application that is editing the
metabase.xml, it's not an asp.net application.

I have checked by getting it to write to a log file at runtime the value of
System.Environment.UserDomainName: OURDOMAIN
System.Environment.UserDomainNameUserName: Administrator
so from this I'm concluding that it is running as an administrator (ie. it's
running as the domain admin, which is a member of the administrators group
on the server)

For a windows app, how would you tell if it is actually running with any
lesser privileges than the account specified in system.environment?
I'm not sure how you would see if it's impersonating something else.

It is a 64-bit machine, but it is not configured to run in 32-bit mode as
far as I can tell
cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
has been run on it so according to http://support.microsoft.com/kb/894435 it
ought to be in 64-bit mode ?

How can you tell (e.g. in IIS manager) if IIS is configured to run as
32-bit? In any case, it's not an asp.net application that's trying to edit
metabase.xml , so would that still be significant ?

Thanks for any ideas

Tessa


"David Wang" <w3.4you@gmail.com> wrote in message
news:1170029920.696634.123910@a34g2000cwb.googlegroups.com...
>
> Incorrect assumption that the .net application is running with
> administrative privileges.
>
> Only IF you know that the application is either:
> 1. directly impersonating a user with administrative privileges, OR
> 2. if the .Net application is keeping the impersonated Windows user
> identity AND IIS is authenticating
>
> Then you know that a user token with administrative privileges is used
> by the application.
>
>
> My other question -- is this on a 64bit machine and if so, is the
> worker process configured to run as 32bit? Because a 32bit ASP.Net
> application is not allowed to touch
> "C:\WINDOWS\system32\inetsrv\MetaBase.xml" on a 64bit machine.
> Search my blog for "WOW64" or "64bit" reference to understand more
> about the expected behavior and
> how to work with it.
>
>
> My recommendation is to not rely on editing metabase.xml to configure
> IIS because it is not supported as a "programmatic interface". You
> will see on IIS7 that metabase.xml is deprecated already.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Jan 28, 2:22 pm, "Tessa" <nospam> wrote:
>
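
The two conditions raised in the quoted reply (which token the process really runs under, and whether it is a 32-bit process on 64-bit Windows) can be checked from inside a Windows application. The following is an added example, not code from the thread or from the application discussed; the class name is hypothetical and the path is the one from the error message above.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical diagnostic class (added example, not the poster's application).
static class MetabaseAccessCheck
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);

    static void Main()
    {
        // Path taken from the error message quoted in the thread.
        const string path = @"C:\WINDOWS\system32\inetsrv\MetaBase.xml";

        // GetCurrent() returns the impersonation token if the thread is
        // impersonating, otherwise the process token.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        bool isAdmin = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
        Console.WriteLine("Identity: {0}, Administrators role: {1}", id.Name, isAdmin);

        // A 32-bit process on 64-bit Windows runs under WOW64, where file
        // access to %windir%\system32 is redirected to SysWOW64.
        bool wow64;
        if (!IsWow64Process(Process.GetCurrentProcess().Handle, out wow64))
            wow64 = false;
        Console.WriteLine("Pointer size: {0} bytes, WOW64: {1}", IntPtr.Size, wow64);

        Console.WriteLine("Visible with redirection: {0}", File.Exists(path));
        if (wow64)
        {
            IntPtr old;
            if (Wow64DisableWow64FsRedirection(out old))
            {
                // Redirection is off for this thread only; always restore it.
                try { Console.WriteLine("Visible without redirection: {0}", File.Exists(path)); }
                finally { Wow64RevertWow64FsRedirection(old); }
            }
        }
    }
}
```

If the file is reported as visible only without redirection, the process is 32-bit and is being pointed at SysWOW64 rather than the real system32 directory.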


