How to run ftp-deployed exe as admin from web request? - c#

Goal:
I periodically upload a new .exe file to Windows Server 2003 via FTP and I want to run it manually by hitting a URL of a web site on the same server. The exe needs to be run under an Admin account, and not the NETWORK SERVICE account.
What I achieved so far:
I have been able to successfully run applications like notepad under the Admin account on the server via a web request by using any of these:
PsExec,
.net process.Start() with credentials supplied to process.StartInfo and even
by impersonating admin and then using process.Start without credentials (http://www.f4cio.com/programmatically-impersonate-in-csharp)
The problem:
The above methods run my exe but Task Manager, or a call to System.Security.Principal.WindowsIdentity.GetCurrent().Name shows me that it is running under NETWORK SERVICE.
I suspect that this file has added security constraints because it arrived from ftp link. Checking run-as-administrator in properties of file is not an option because file will be replaced periodically and all needs to be automated. Also manual server configuration should be minimal or ideally non-existent. Code-only single-web-page solution is ideal. Editing both that asp.net web page and exe is ok. (I tried something with exe self-restarting).

Not sure about this, but I suspect this has to do with your website running under the NETWORK SERVICE user. Whatever privileges your website-user has, the same are probably granted / passed on as you try to run your executable.
Is this server on an internal network or protected in some other way? (I should hope so!). If so, you might try changing App Pool that the website is running under to an admin account (in IIS, right click the App Pool running the site, select Advanced Settings, and look for the Identity setting). If I'm right, that will allow you to run your executable as an admin too.
Be aware however, that this may increase the security risk of your setup: Allowing your site to run under an admin account means easier access to your entire server if anyone is able to penetrate whatever security measures you have in place. Make sure access to this server is tightly limited, and preferably, that it in turn does not have access to other systems, since that would in turn make them vulnerable by extension.

Related

Start interactive application from IIS

In a project we have a WCF Service which is hosted in IIS.
Now we need to start a windows application (interactive, hence has a window).
Just to clarify: The application shall run on the server. It is a third party application we have no access to and cannot modify it.
The WCF Service leverages an application pool that runs under a special user account, "load user profile" is checked.
I still get the System.ComponentModel Access violation exception, so I think that I missed something.
Also have seen solutions with the "IIS Admin Services" which can allow desktop interaction, but this seems to belong to IIS 6 only.
Check to make sure that the account you are using can read and write the correct registry keys, and file locations. Make sure that the file you are attempting to execute is in a location on disk that can be accessed by the service account.

WPF Window is not Opening from IIS [duplicate]

I want to run an exe on client system from my c# asp.net website. When I use Process.Start()
it throws an error:
The requested operation requires elevation.
How do I set permissions to run that exe?
You can't spawn processes on the client machine from server-side code.
When you use Process.Start in server-side code, it is attempting to execute the process there, on the server where the website is hosted. If you wanted to create processes on the client's computer then you would need to expose a download for them (and not in employing subterfuge, like malign sites might do to install software - supply it gracefully, and normally (and with permission)), or a Silverlight application or something along those lines.
The bottom line is that the code you want to execute (even if that is just to spawn a process) must reside on the client, and be executed there.
You can't run an application from a web server like that. You will have to have the user download the application by supplying the EXE, a setup file or using ClickOnce.
Or you can develop an ActiveX control that you can have the browser automatically download from a Trusted Internet Zone.
Once downloaded, proper signing with a certificate (signed from the trusted (corporate) root certificate) will avoid the user getting a prompt to ask whether he wishes to allow the ActiveX control to install/be activated -
The ActiveX control can subsequently do anything the interactively logged on user could. This means that to actually install a program you'd need to elevate (UAC on Vista+); But if the goal was just to run a standalone executable, you should be good to go.
This all assumes white-hat purposes in a (larger) corporate setting, because it relies on PKI infrastructure and central browser policies, to name just two.
This would, really, lead to some excellent questions on serverfault or superuser
I noticed you said you wanted to run an exe file on the client, but you didn't say explicitly that the exe is on the server and you want to push it to the client. Everyone seems to be assuming that is the case.
You CAN accomplish this fairly easily with a small JavaScript if you have a few prerequisites:
The executable is already present on the client machine.
All of your clients are running IE
You can enforce a policy to put your site in the Intranet or Trusted Sites zone.
So basically this means it's a corporate intranet application. I am assuming this is probably the case since, well, if you were expecting to do this with a public app, I would be surprised.
For the script to accomplish this, please see my answer to this question:
How can I get a program on a client machine to run from an ASP.NET page?

How to run a batch (.bat) file in .NET that in one machine runs and in another won't

When I start a process that starts a BAT file with arguments locally all is working fine. I uploaded this site to a windows server and then a process failed running this process. It is just executing the code and nothing happened.
I tried UseShellExecute = false and running it with cmd and without...
What else can I check?
Start with dependencies. For example:
Do you have cygwin or something similar on the server that will actually run a bash shell?
Does the user executing the process actually have rights to start the bash shell?
Does the user executing the process have rights to perform the actions within the bash script?
Are there file path or environment variable dependencies? Do those paths and variables exist?
One way to test would be to log onto that server under the user account used to execute the script to see if you can run it yourself.
It's entirely likely the bash script is failing and hanging trying to prompt the user for input. It's also possible UAC is on and the script needs elevated permissions to perform the actions. Without seeing the script it's hard to tell.
You are almost certainly having a security/permission issue. Check your server's event log (especially the security event log). Also, if you can, running SysInternals Process Monitor (procmon) on the server will also probably help if nothing else will.
Unless you have set up your web site to use impersonation, it will be running using a local, limited account. For Windows Server 2008, the DefaultAppPool will use the local IIS APPPOOL\DefaultAppPool identity, which almost certainly doesn't have permissions to invoke bash.
It probably works on your local development machine because Visual Studio will be impersonating you (probably a local administrator) in order to debug your application.
To solve this, you'll need to either grant permissions to the identity being used for the application pool for your site to execute bash, or (and this is probably easier) change the identity of the application pool to a domain user (or a local user, at least).

Windows service won't run if no user logged into server

I created a Windows service that's basically a file watcher that won't run unless a user is logged into the machine it's on.
The service is running on a Windows Server 2003 machine. It is designed to listen for Excel files in a folder. When there is an Excel file, it starts to send some information to a web service. When it's done, it copies the processed file to an archive folder.
Can anyone help me?
Best regards
Baris
Run it as a user that has rights to log on as service on the machine. Make sure this user has an access to the directory you watch.
What I always do in a scenario like that is give the user logon as batch job and logon as a service rights. 1 of these 2 will most likely fix your problem.
You can configure this in the local group policy editor as described here
Be aware though that if your computer is in a domain it is possible that the group policy gets pushed to the server every 15 mins so you might have to talk to a system admin to get things sorted.
When you actually only want to run when someone is logged in, do not use a service but an autostart application in that case.
If you have to be a service because of account privileges, the service may detect the current logins itself, but you may combine a service with a client (autostart) application that connects to the service. That way, you can also show tray icons, status information and enable the user to control your service using the client application.
Using Win7 and higher, services themselves (running in session 0) can no longer display UI interactions on the user's desktop.
Keep in mind that there may be multiple users logged in on current operating systems...

Executing program on server-side with ASP.Net

I have an executable file that works fine by hand locally. It converts a file to another new file by some parameters. I'm using ASP.Net, and that executable is installed on a win2003 server sp2. I can use it from local but, I can't execute the program from a web browser using System.Diagnostics.Process. When I use that, I can see the process in task manager with user name "NETWORK SERVICE", and it won't disappear without ending the process by hand and won't work.
I tried impersonation, tried it as a web service, edited local policies, applied all privileges, etc...
Are there any suggestions about this problem?
How about creating an app pool in IIS. Assign it the local account ('by hand locally') . Assign the application to this newly created app pool and see if it works.
You can also use procmon to see why the original process hung under "NETWORK SERVICE", probably registry access or something else.
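
A diagnostic wrapper for the symptoms in "How to run a batch (.bat) file in .NET..." (nothing happens on the server) and "Executing program on server-side with ASP.Net" (the process hangs under NETWORK SERVICE). This is an added example, not code from any of the posts: `ProcessDiagnostics` and `RunAndReport` are hypothetical names, and it assumes .NET Framework, as used by ASP.NET on IIS.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Text;

// Added example; ProcessDiagnostics and RunAndReport are hypothetical names.
public static class ProcessDiagnostics
{
    public static string RunAndReport(string exePath, string args, int timeoutMs)
    {
        var report = new StringBuilder();
        // Under ASP.NET impersonation this is the impersonated (thread) identity.
        report.AppendLine("Thread identity:  " + WindowsIdentity.GetCurrent().Name);
        // Process.Start without credentials uses the process token instead, so
        // revert temporarily to read the account the child will actually get.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
            report.AppendLine("Process identity: " + WindowsIdentity.GetCurrent().Name);

        var psi = new ProcessStartInfo(exePath, args);
        psi.UseShellExecute = false;        // required for stream redirection
        psi.RedirectStandardInput = true;
        psi.RedirectStandardOutput = true;
        psi.RedirectStandardError = true;
        psi.CreateNoWindow = true;          // no usable desktop in the service session

        var stdout = new StringBuilder();
        var stderr = new StringBuilder();
        using (var p = new Process())
        {
            p.StartInfo = psi;
            p.OutputDataReceived += (s, e) => { if (e.Data != null) lock (stdout) stdout.AppendLine(e.Data); };
            p.ErrorDataReceived += (s, e) => { if (e.Data != null) lock (stderr) stderr.AppendLine(e.Data); };
            p.Start();
            p.StandardInput.Close();        // a prompt reads EOF instead of blocking
            p.BeginOutputReadLine();
            p.BeginErrorReadLine();

            if (!p.WaitForExit(timeoutMs))
            {
                try { p.Kill(); } catch (InvalidOperationException) { } // already exited
                report.AppendLine("Timed out after " + timeoutMs + " ms; process killed.");
            }
            p.WaitForExit();                // lets the async output handlers drain
            report.AppendLine("Exit code: " + p.ExitCode);
        }
        report.AppendLine("stdout:").Append(stdout.ToString());
        report.AppendLine("stderr:").Append(stderr.ToString());
        return report.ToString();
    }
}
```

Write the returned report to the application log rather than to the HTTP response, since it names the service account and may contain file paths. A `Win32Exception` thrown by `Start()` (access denied, file not found) is left to propagate so the caller sees the underlying error.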
