Re: How Bad Is It?
From: Mike Moore [MS] (michmo@online.microsoft.com)
Date: 12/18/02
- Next message: Trevor Lawrence: "Re: Impersonation"
- Previous message: Norm Dotti: "Re: app config file downloading (not) for winform deployment model"
- In reply to: Mike Moore [MS]: "Re: How Bad Is It?"
- Next in thread: Lee Seidel: "How Bad Is It? - Resolved"
From: michmo@online.microsoft.com ("Mike Moore [MS]") Date: Wed, 18 Dec 2002 21:29:37 GMT
Hi all,
Per the previous post, I worked with Lee via e-mail. We found the error
with FileMon. The ASPNET account did not have permissions to multiple files
which were used by the COM object. Here's a summary.
QUESTION
My ASP.NET application calls a COM component. I'm getting an access denied
error. How do I find the source of the error?
ANSWER
Lee used FileMon and RegMon (available free from www.sysinternals.com).
He ran these tools while causing the error. The FileMon log had an entry
with access denied. He then gave permissions to the ASPNET account to
access the file. He still got Access Denied. FileMon showed yet another
file with access denied. Repeating this, he found all the files involved
and added permissions. Then it worked.
--- A few comments about using FileMon/RegMon.

Run them and look for the functions to turn logging on & off, to clear the
log, and to filter what gets logged. It's best to run tests on a test
machine as logging production machines can result in very long logs that
make it hard to pinpoint the error.

The filter can take several types of text entries. You can specify a file
or registry entry to watch, or a process to watch. In this case, set it to
watch the asp.net worker process: aspnet_*.

Then browse your application and get just to the point where you are about
to cause the error (no sense in logging more than required prior to the
error). Then stop the log and clear it. When you're ready, in quick
succession, start the log, cause the error, and stop the log. Again, no
sense logging more than required after the error occurs.

Next, review the log. You can save it to disk and open it in a spreadsheet
program. Scan through looking for "access denied". At first, don't worry
about other errors. For example, most logs include some attempts to find
files or registry keys that are not there. It can take a little getting
used to. Probably, you will see which item(s) are denied. Then use Windows
Explorer to grant NTFS permissions to the ASPNET account, or use
regedt32.exe to grant ASPNET permissions to registry keys.

Thank you, Mike Moore
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

--------------------
>From: michmo@online.microsoft.com ("Mike Moore [MS]")
>Date: Tue, 17 Dec 2002 20:21:02 GMT
>Subject: Re: How Bad Is It?
>
>Hi Lee,
>
>That particular snippet from the RegMon log doesn't help me. All three
>entries show success and we're looking for an error. So far, we've been
>assuming that it is the access to the COM object. What happens if you set
>the machine.config file to user "machine" and also remove the calls to the
>COM object from your code. Does it still get an error?
>
>On your TEST machine, write a new ASP.NET project with one page. This page
>will have one button. In the code-behind button click event, call the COM
>object with values that you type directly in the code (so there is nothing
>extra, such as looking at cookies). Then set the config file to use
>"machine" and see if it causes the error. If it does cause the error, then
>use this page for further testing and do the following.
>
>Get RegMon and FileMon logs of the error. Mail them to me at [remove
>".online"] michmo@online.microsoft.com. I will post our results so that
>everyone else can see it.
>
>NOTE: If I can't solve the problem with these logs, we may soon reach the
>point where I cannot go further in the context of a newsgroup issue. If
>this occurs, I will post a note saying that we've reached that point and
>list some options for you to contact Microsoft support for one on one
>assistance. Meanwhile, please send me the files.
>
>Thank you, Mike Moore
>Microsoft, ASP.NET
>
>This posting is provided "AS IS", with no warranties, and confers no rights.
>
>--------------------
>>From: "Lee Seidel" <lee.seidel@capbuecross.com>
>>Subject: Re: How Bad Is It?
>>Date: Tue, 17 Dec 2002 08:13:37 -0800
>>
>>Thank...using these tools was a huge help and enabled us
>>to see what is working in Test (where we have the
>>machine.config) set to SYSTEM vs. what is happening in
>>Production where it remains as machine.
>>
>>The first two hits are identical in Test and Prod. It
>>accesses the COM object.
>>
>>That is as far as Prod gets. We are getting an object
>>error.
>>
>>In Test this is what occurs:
>>16.08561758 aspnet_wp.exe:3724 OpenKey HKLM\Software\Microsoft\COM3 SUCCESS Key: 0xE2828DA0
>>16.08566191 aspnet_wp.exe:3724 QueryValue HKLM\Software\Microsoft\COM3\REGDBVersion SUCCESS E7 00 00 00 00 00 00 00
>>16.08570082 aspnet_wp.exe:3724 CloseKey HKLM\Software\Microsoft\COM3 SUCCESS Key: 0xE2828DA0
>>
>>I am assuming that Test has access to COM#...whatever that
>>is. Can you shed any light?
>>
>>>-----Original Message-----
>>>Hi Lee
>>>
>>>I think Larry and Patrik have given you some very good information. I would
>>>use FileMon and RegMon rather than Process Explorer (all of these are free
>>>downloads from www.sysinternals.com). To optimize your use of these tools:
>>>
>>>Run them and look for the functions to turn logging on & off, to clear the
>>>log, and to filter what gets logged. It's best to run tests on a test
>>>machine as logging production machines can result in very long logs that
>>>make it hard to pinpoint the error.
>>>
>>>The filter can take several types of text entries. You can specify a file
>>>or registry entry to watch, or a process to watch. In this case, set it to
>>>watch the asp.net worker process: aspnet_*.
>>>
>>>Then browse your application and get just to the point where you are about
>>>to cause the error (no sense in logging more than required prior to the
>>>error). Then stop the log and clear it. When you're ready, in quick
>>>succession, start the log, cause the error, and stop the log. Again, no
>>>sense logging more than required after the error occurs.
>>>
>>>Next, review the log. You can save it to disk and open it in a spreadsheet
>>>program. Scan through looking for "access denied". At first, don't worry
>>>about other errors. For example, most logs include some attempts to find
>>>files or registry keys that are not there. It can take a little getting
>>>used to. Probably, you will see which item(s) are denied. Then use Windows
>>>Explorer to grant NTFS permissions to the ASPNET account, or use
>>>regedt32.exe to grant ASPNET permissions to registry keys.
>>>
>>>If the above fails, then there are other things you can try. I would start
>>>by making a new web application with just a very few lines of code which
>>>access this COM component. If this fails, then you have a much smaller
>>>reproducible sample. If it works, then you need to look at what is
>>>different between your minimal sample and your larger application.
>>>
>>>Please repost with your results.
>>>
>>>Thank you, Mike Moore
>>>Microsoft, ASP.NET
>>>
>>>This posting is provided "AS IS", with no warranties, and confers no rights.
>>>
>>>--------------------
>>>>From: "th" <th@rmsexxxcf.remove-xxx-and-this.cxxxom>
>>>>Subject: Re: How Bad Is It?
>>>>Date: Mon, 16 Dec 2002 23:14:04 +0100
>>>>
>>>>Here is some reading about ASP.NET security.
>>>>
>>>>(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true)
>>>>
>>>>(http://msdn.microsoft.com/msdnmag/issues/01/11/security/default.aspx)
>>>>
>>>>(http://msdn.microsoft.com/library/default.asp?url=/msdnmag/issues/02/04/ASPSec/toc.asp?frame=true)
>>>>
>>>>(http://msdn.microsoft.com/library/default.asp?url=/msdnmag/issues/02/05/aspsec2/toc.asp?frame=true)
>>>>
>>>>The first one is a MUST READ....
>>>>
>>>>/Patrik
>>>>
>>>>"Lee Seidel" <lee.seidel@capbluecross.com> wrote in message
>>>>news:05e401c2a2e0$ecc51c30$89f82ecf@TK2MSFTNGXA01...
>>>>> How bad is it to switch the user in the machine.config
>>>>> file from "machine" to "SYSTEM"? We were able to overcome
>>>>> insufficient security for ASPNET id via this method. We
>>>>> resorted to this after giving ASPNET administrator rights
>>>>> on the box did not resolve the dreaded Insufficient
>>>>> Access .NET error.
>>>>>
>>>>> Please share your thoughts on this.
>>>>>
>>>>> Thanks.
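
The log review described in the thread (watch only the aspnet_* worker process, look for denials first, ignore not-found noise) can be done over a saved log in one pass. The Python below is an added example, not code from the thread; it assumes the log was saved tab-separated in the column order of the RegMon lines quoted above, and the sample rows, paths and result strings are constructed.

```python
from collections import OrderedDict

# Column order taken from the RegMon lines quoted in the thread:
# time, process:pid, request, path, result, other. Tab separation is assumed.
FIELDS = ("time", "process", "request", "path", "result", "other")

# Constructed sample log: every path and every denied row is invented.
SAMPLE_LOG = "\n".join([
    "16.0856\taspnet_wp.exe:3724\tOpenKey\tHKLM\\Software\\Microsoft\\COM3\tSUCCESS\tKey: 0xE2828DA0",
    "16.0901\taspnet_wp.exe:3724\tOPEN\tC:\\Example\\ComLib\\settings.ini\tACCESS DENIED\t",
    "16.0911\texplorer.exe:1200\tOPEN\tC:\\Example\\other.txt\tACCESS DENIED\t",
    "16.0925\taspnet_wp.exe:3724\tOpenKey\tHKLM\\Software\\Example\\ComLib\tACCDENIED\t",
    "16.0931\taspnet_wp.exe:3724\tOPEN\tC:\\Example\\ComLib\\missing.dll\tFILE NOT FOUND\t",
    "16.0944\taspnet_wp.exe:3724\tREAD\tC:\\Example\\ComLib\\settings.ini\tACCESS DENIED\t",
    "truncated line without enough columns",
])


def parse_log(text):
    """Yield one dict per well-formed row; skip short or blank lines."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 5:
            continue
        cols += [""] * (len(FIELDS) - len(cols))
        yield dict(zip(FIELDS, (c.strip() for c in cols[:len(FIELDS)])))


def denied_objects(text, process_prefix="aspnet_"):
    """Map each denied path to the requests that failed, for one process only."""
    denied = OrderedDict()
    for row in parse_log(text):
        name = row["process"].split(":")[0].lower()
        if not name.startswith(process_prefix.lower()):
            continue
        # Only denials matter on the first pass; not-found rows are normal noise.
        if "DENIED" not in row["result"].upper():
            continue
        requests = denied.setdefault(row["path"], [])
        if row["request"] not in requests:
            requests.append(row["request"])
    return denied


if __name__ == "__main__":
    for path, requests in denied_objects(SAMPLE_LOG).items():
        kind = "registry" if path.upper().startswith(("HKLM", "HKCU", "HKCR", "HKU")) else "file"
        print(f"{kind:8} {path}  ({', '.join(requests)})")
```

The result is the specific set of files and registry keys on which the ASPNET account needs permissions, which keeps the change narrower than running the worker process as SYSTEM.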