Running a script from an ASP page

    Running a script from an ASP page  
Hunter




 
01-14-06 03:26 AM

I have a batch file that moves files from one server to another, and I'm
calling it from an ASP page using ASPEXEC.  It works when the app pool
identity and the user on the site (or the credentials used for anonymous
access) are admins on all servers.  However, when either the app pool
identity or the site user are not admins, the script will not execute.  And I
can find no errors on any of the servers being accessed.

I would like to know when the site and batch file use the credentials of the
app pool and when they use the credentials of the site user (if using windows
authentication) or the anonymous user.  Any ideas?  Thanks.








    Re: Running a script from an ASP page  
David Wang [Msft]




 
01-14-06 03:26 AM

This is because:
1. the batch file requires CMD.EXE to execute, so ACLs on it must be
accessible to the NT User token using ASPEXEC (depends on authentication
protocol)
2. CMD.EXE has some new security checks which cause the CreateProcess()
call used by ASPEXEC to fail. I've only found it to work when:
- ProcessIdentity = LocalSystem
- ProcessIdentity = ImpersonatedIdentity

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Hunter" <Hunter@discussions.microsoft.com> wrote in message
news:4FE3B2D0-4537-458A-A24C-EA0AB28DCBFB@microsoft.com...
> I have a batch file that moves files from one server to another, and I'm
> calling it from an ASP page using ASPEXEC.  It works when the app pool
> identity and the user on the site (or the credentials used for anonymous
> access) are admins on all servers.  However, when either the app pool
> identity or the site user are not admins, the script will not execute.
> And I can find no errors on any of the servers being accessed.
>
> I would like to know when the site and batch file use the credentials of
> the app pool and when they use the credentials of the site user (if using
> windows authentication) or the anonymous user.  Any ideas?  Thanks.










    Re: Running a script from an ASP page  
Hunter




 
01-17-06 11:04 PM

I know the site uses the token of the user (if using windows authentication)
or of the account given to the anonymous user to access cmd.exe.  But does
that account have to be an admin account?  I can make the script work if an
admin account is used for the anonymous user, but it does not work if I use a
non-admin account and give it permissions to the cmd.exe file.

"David Wang [Msft]" wrote:

> This is because:
> 1. the batch file requires CMD.EXE to execute, so ACLs on it must be
> accessible to the NT User token using ASPEXEC (depends on authentication
> protocol)
> 2. CMD.EXE has some new security checks which cause the CreateProcess()
> call used by ASPEXEC to fail. I've only found it to work when:
>    - ProcessIdentity = LocalSystem
>    - ProcessIdentity = ImpersonatedIdentity
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Hunter" <Hunter@discussions.microsoft.com> wrote in message
> news:4FE3B2D0-4537-458A-A24C-EA0AB28DCBFB@microsoft.com...








    Re: Running a script from an ASP page  
David Wang [Msft]




 
01-20-06 01:49 AM

No, the account does not have to be admin.

If ProcessIdentity = LocalSystem, it should work for any authenticated user
(admin or non-admin).

This is due to CMD.EXE lockdown on Windows Server 2003.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Hunter" <Hunter@discussions.microsoft.com> wrote in message
news:B20343A1-278A-4C48-8511-2C2EB1F881F7@microsoft.com...
> I know the site uses the token of the user (if using windows authentication)
> or of the account given to the anonymous user to access cmd.exe.  But does
> that account have to be an admin account?  I can make the script work if an
> admin account is used for the anonymous user, but it does not work if I use a
> non-admin account and give it permissions to the cmd.exe file.
>
> "David Wang [Msft]" wrote:










    Re: Running a script from an ASP page  
Hunter




 
01-20-06 01:13 PM

Where and how do I set that ProcessIdentity property?  Is it in the page
calling aspexec or an IIS setting or something else?

Thanks so much for your help with this.

"David Wang [Msft]" wrote:

> No, the account does not have to be admin.
>
> If ProcessIdentity = LocalSystem, it should work for any authenticated user
> (admin or non-admin).
>
> This is due to CMD.EXE lockdown on Windows Server 2003.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Hunter" <Hunter@discussions.microsoft.com> wrote in message
> news:B20343A1-278A-4C48-8511-2C2EB1F881F7@microsoft.com...








    Re: Running a script from an ASP page  
David Wang [Msft]




 
01-21-06 01:49 AM

ProcessIdentity can be set in the IIS Manager UI.

1. Identify the Application Pool your app runs in. This can be done by
navigating to the website node which contains your ASP page in question,
right-click properties, and in the "Home Directory" tab, there is a combo
box named "Application pool:". Remember that value.
2. Navigate to the top level, "Application Pools", and right-click
properties on the name you found from step #1. In the "Identity" tab, change
the Predefined value to "LocalSystem".

This should be the fastest way to get your situation working for an arbitrary
number of authenticated users. If you only have anonymous access enabled,
then I suggest configuring the configurable identity to match the anonymous
user. Remember that according to documentation, identities used for
Application Pool need to be in the IIS_WPG group, and if you customize the
anonymous user, you need to synchronize the username/password yourself.

Here is a tool to synchronize various user accounts used by IIS, assuming
you configured them in reality:
http://blogs.msdn.com/david.wang/ar...als_in_IIS.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Hunter" <Hunter@discussions.microsoft.com> wrote in message
news:8FAE82F5-6C89-447D-BFA0-F9AA3CE1955F@microsoft.com...
> Where and how do I set that ProcessIdentity property?  Is it in the page
> calling aspexec or an IIS setting or something else?
>
> Thanks so much for your help with this.
>
> "David Wang [Msft]" wrote:
> 
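
The settings discussed in this thread (the site's application pool, the pool's process identity, the anonymous account and the ACL on CMD.EXE) can also be read from the metabase through ADSI before anything is changed. The script below is an added example, not part of the original thread; it assumes IIS 6 on Windows Server 2003 and site ID 1 unless another is passed, and the file name `iis-identity.vbs` is hypothetical.

```vbscript
' Added example (not from the thread): read-only report of the IIS 6 settings
' discussed above. Run on the web server:
'   cscript //nologo iis-identity.vbs [siteId]     (file name is hypothetical)
Option Explicit

Dim siteId, app, pool, sh, cmdPath
siteId = "1"                       ' assumption: the Default Web Site
If WScript.Arguments.Count > 0 Then siteId = WScript.Arguments(0)

' Root application of the site: which pool it runs in and how users authenticate.
Set app = GetObject("IIS://localhost/W3SVC/" & siteId & "/ROOT")
WScript.Echo "Application pool : " & app.AppPoolId
WScript.Echo "Anonymous access : " & app.AuthAnonymous & _
             " (account " & app.AnonymousUserName & ")"
WScript.Echo "Integrated auth  : " & app.AuthNTLM
WScript.Echo "Basic auth       : " & app.AuthBasic

' Identity of the worker process serving that pool.
Set pool = GetObject("IIS://localhost/W3SVC/AppPools/" & app.AppPoolId)
WScript.Echo "Pool identity    : " & IdentityName(pool)

' ACL on CMD.EXE, which the batch file needs in order to run.
Set sh = CreateObject("WScript.Shell")
cmdPath = sh.ExpandEnvironmentStrings("%SystemRoot%\system32\cmd.exe")
WScript.Echo "ACL on " & cmdPath & ":"
WScript.Echo sh.Exec("cacls.exe """ & cmdPath & """").StdOut.ReadAll

' Maps the metabase AppPoolIdentityType value to the name shown in IIS Manager.
Function IdentityName(p)
    Select Case p.AppPoolIdentityType
        Case 0    : IdentityName = "LocalSystem"
        Case 1    : IdentityName = "LocalService"
        Case 2    : IdentityName = "NetworkService"
        Case 3    : IdentityName = "Configurable: " & p.WamUserName
        Case Else : IdentityName = "Unknown (" & p.AppPoolIdentityType & ")"
    End Select
End Function
```

Comparing the reported pool identity and anonymous account against the accounts listed in the CMD.EXE ACL shows which token is being denied, and a pool identity of LocalSystem means every request handled by that pool is served by a process running as SYSTEM.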






