
ADSI access to IIS://localhost/w3svc failed with "access denied"


Ingo Beyer

Dec 29, 2004, 12:29:44 PM
I've the following situation:

A .NET-ISAPI-Extension (C#). This creates another C# class where I
create an object "iis://localhost/w3svc" as DirectoryEntry.

Here is the code:

// requires: using System; using System.Collections; using System.DirectoryServices;
private ArrayList EnumWebs()
{
    try
    {
        ArrayList ret = new ArrayList();
        DirectoryEntry ds = new DirectoryEntry("IIS://LocalHost/W3SVC");
        DirectoryEntry di;

        if( ds != null )
        {
            /*1*/ IEnumerator x = ds.Children.GetEnumerator();
            x.Reset();
            while( x.MoveNext() )
            {
                di = (DirectoryEntry)x.Current;
                if( di.SchemaClassName == "IIsWebServer" )
                    ret.Add(di.Path);
            }
        }

        return ret;
    }
    catch( Exception ex )
    {
        /*2*/ System.Diagnostics.Debug.WriteLine(ex.Message);
        return null; // every code path has to return a value
    }
}

When I debug the code I get an exception on /*1*/ with the message
"Access Denied" on /*2*/.

The web server the ISAPI belongs to is running as "isolated".
The COM+ application runs under IWAM_computername account.

I created a VBS script with the same function. I run the script as
IWAM... by using "runas" in the command line.

There the script worked for me!!!

Any ideas???

Thank you very much!

Ingo

Kristofer Gafvert

Dec 29, 2004, 3:43:27 PM
Hello,

As far as I know, you need administrator privileges to write to the
metabase.

Try to run FileMon[1] and see what access it fails on.

[1] http://www.sysinternals.com/ntw2k/source/filemon.shtml

--
Regards,
Kristofer Gafvert
www.ilopia.com

Ingo Beyer wrote:

> I've the following situation:
>
> A .NET-ISAPI-Extension (C#). This creates another C# class where I
> create an object "iis://localhost/w3svc" as DirectoryEntry.
>
> Here is the code:
>
> private ArrayList EnumWebs()
> {
> try
> {
> ArrayList ret = new ArrayList();
> DirectoryEntry ds = new DirectoryEntry("IIS://LocalHost/W3SVC");
> DirectoryEntry di;
>
> if( ds != null )
> {
> /*1*/ IEnumerator x = ds.Children.GetEnumerator();
> x.Reset();
> while( x.MoveNext() )
> {
> di = (DirectoryEntry)x.Current;
> if( di.SchemaClassName == "IIsWebServer" )
> ret.Add(di.Path);
> };
> };
>
> return ret;
> }
> catch( Exception ex )
> {
> /*2*/ System.Diagnostics.Debug.WriteLine(ex.Message);
> };
> }
>

> When I debug the code I get an exception on 1 with the message "Access
> Denied" on 2.

Ingo Beyer

Dec 30, 2004, 8:34:02 AM
Hi!

There are no errors in FileMon!

The code again:

// requires: using System; using System.Collections; using System.DirectoryServices;
private ArrayList EnumWebs()
{
    try
    {
        ArrayList ret = new ArrayList();

        /*3*/ DirectoryEntry ds = new DirectoryEntry("IIS://LocalHost/W3SVC");
        DirectoryEntry di;

        if( ds != null )
        {
            /*1*/ IEnumerator x = ds.Children.GetEnumerator();
            x.Reset();
            while( x.MoveNext() )
            {
                di = (DirectoryEntry)x.Current;
                if( di.SchemaClassName == "IIsWebServer" )
                    ret.Add(di.Path);
            }
        }

        return ret;
    }
    catch( Exception ex )
    {
        /*2*/ System.Diagnostics.Debug.WriteLine(ex.Message);
        return null; // every code path has to return a value
    }
}

I changed line /*3*/ to
DirectoryEntry ds = new DirectoryEntry("IIS://localhost/w3svc",
"administrator", "...", AuthenticationTypes.Secure);
(where "..." is my admin password.)

This also fails in Line /*1*/ with exception "Access Denied" (/*2*/)

Any further ideas???

Ingo

Kristofer Gafvert

Dec 30, 2004, 11:06:33 AM
Hello,

I ran your code here as an application, as different users. And for
both IUSR and IWAM it fails, with "Permission is denied". If I run it
as a user with administrator privileges, it works.

I still think that your user that is used to run your application does
not have the necessary permissions.

What I cannot understand is how you managed to write an ISAPI extension
using C#, because it cannot export the functions required (so it should
be impossible, it may however work with C++.NET).

So I'm not really sure what you are trying to do. Can you put a code
snippet in your code to find out what user is used? Because I think
that is the problem, whatever user you are using does not have
permissions to access the metabase.

--
Regards,
Kristofer Gafvert
www.ilopia.com

Ingo Beyer wrote:

> Hi!
>
> There are no errors in FileMon!
>
> The code again:
>
> private ArrayList EnumWebs()
> {
> try
> {
> ArrayList ret = new ArrayList();
> /*3*/ DirectoryEntry ds = new DirectoryEntry("IIS://LocalHost/W3SVC");
> DirectoryEntry di;
>
> if( ds != null )
> {
> /*1*/ IEnumerator x = ds.Children.GetEnumerator();
> x.Reset();
> while( x.MoveNext() )
> {
> di = (DirectoryEntry)x.Current;
> if( di.SchemaClassName == "IIsWebServer" )
> ret.Add(di.Path);
> };
> };
>
> return ret;
> }
> catch( Exception ex )
> {
> /*2*/ System.Diagnostics.Debug.WriteLine(ex.Message);
> };
> }
>

> I changed line 3 to


> DirectoryEntry ds = new DirectoryEntry("IIS://localhost/w3svc",
> "administrator", "...", AuthenticationTypes.Secure);
> (where "..." is my admin password.)
>

> This also fails in Line 1 with exception "Access Denied" (/*2*/)
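
The identity check asked for in the reply above, as an added example that is not code from the thread: it reports which Windows account the calling thread runs as, and whether it is impersonating, before attempting the same metabase read. The class name MetabaseAccessProbe and its Run method are hypothetical; the code assumes .NET 2.0 or later and a reference to System.DirectoryServices.

```csharp
// Added example, not from the thread. Needs a reference to System.DirectoryServices.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public static class MetabaseAccessProbe   // hypothetical helper name
{
    const int E_ACCESSDENIED = unchecked((int)0x80070005);

    public static string Run()
    {
        StringBuilder log = new StringBuilder();
        // Effective identity: the thread's impersonation token if it has one,
        // otherwise the process token (e.g. the COM+ application identity).
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        // Non-null only while the calling thread is impersonating.
        using (WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true))
        {
            bool admin = new WindowsPrincipal(effective).IsInRole(WindowsBuiltInRole.Administrator);
            log.AppendFormat("effective user : {0}\n", effective.Name);
            log.AppendFormat("impersonating  : {0}\n", impersonated != null);
            log.AppendFormat("local admin    : {0}\n", admin);
        }
        try
        {
            int sites = 0;
            using (DirectoryEntry root = new DirectoryEntry("IIS://localhost/W3SVC"))
            {
                foreach (DirectoryEntry child in root.Children)
                {
                    if (child.SchemaClassName == "IIsWebServer") sites++;
                    child.Dispose();
                }
            }
            log.AppendFormat("metabase read  : ok, {0} site(s)\n", sites);
        }
        catch (UnauthorizedAccessException ex)
        {
            log.AppendFormat("metabase read  : access denied ({0})\n", ex.Message);
        }
        catch (COMException ex)
        {
            log.AppendFormat("metabase read  : {0} (HRESULT 0x{1:X8})\n",
                ex.ErrorCode == E_ACCESSDENIED ? "access denied" : "failed", ex.ErrorCode);
        }
        return log.ToString();
    }
}
```

Writing the returned text to the debug output or a log file from inside the failing component, and again from the working command-line context, lets the two identities be compared side by side.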

Ingo Beyer

Dec 30, 2004, 12:03:10 PM
Hi Kristofer,

you are right! I'm logged on as I_WAM. - When I try to set the user to
local Admin (in COM+) then I get an "Internal Server Error". This is
another bad, bad problem.
I tried to use "GetUserNameEX"-API-Function, but it tells me "Cannot
load library (Secur32.dll)".

But: when I start a command line under IWAM_... account and run a
VB-Script with the same ADSI-call then it works!

Any other ideas?

Thank you!
Ingo

Kristofer Gafvert wrote:

> Hello,
>
