CGI Problem on MS IIS 5.0 - Trying to access files on other machines

• Previous message: Tom Kaminski [MVP]: "Re: Protecting Image Files"
• Next in thread: Pat [MSFT]: "Re: CGI Problem on MS IIS 5.0 - Trying to access files on other machines"
• Reply: Pat [MSFT]: "Re: CGI Problem on MS IIS 5.0 - Trying to access files on other machines"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 15 Sep 2005 21:00:33 GMT

Greetings,

I'm working on a CGI program that will run under MS IIS 5.0 and will
browse folders on three other machines, building HTML pages that will
provide links to these folders.

Essentially, the CGI will connect to each machine in turn, doing the
FindFirst/FindNext process based on the current criteria. It will
select certain files/folders, and build an HTML page as it goes.

The premise is fine. If I run the program from the command line, it
seems to work fine and I get my HTML code out. I can copy the code
into a separate file, open it in the browser, and all appears right
with the world.

However, when I try to run the CGI from the browser itself, I get all
kinds of problems. The first one I got was a 1312, "A specified logon
session does not exist. It may have already been terminated." After
doing some searching, I began to investigate impersonation of a logged
on user. This produces a different error: 1314, "A required privilege
is not held by the client."

The code involved and the output I'm getting follows:

---------BEGIN----------
class Impersonate:
    def __init__(self, login, password ):
        self.domain = '4Q9ND21'
        self.login = login
        self.password = password
        self.handel = None
    def logon(self):
        tracelist.append("Impersonate logon step 0")
        win32security.RevertToSelf() # terminates impersonation
        tracelist.append("Impersonate logon step 1")
        self.handel = win32security.LogonUser( self.login, self.domain,
self.password, win32con.LOGON32_LOGON_INTERACTIVE,
win32con.LOGON32_PROVIDER_DEFAULT )
        tracelist.append("Impersonate logon step 2")
        win32security.ImpersonateLoggedOnUser(self.handel)
        tracelist.append("Impersonate logon step complete")
    def logoff(self):
        win32security.RevertToSelf() # terminates impersonation
        if self.handel != None:
            self.handel.Close() # guarantee cleanup
----------END-----------

and I execute this code with the following

---------BEGIN----------
    impersonate = Impersonate( 'PYTHONTEST', 'PYTHONTEST' )
    try:
        tracelist.append("about to attempt the IMPERSONATE")
        impersonate.logon()
        tracelist.append("impersonate did NOT throw exception")
        b=AdjustPrivilege(SE_SYSTEM_PROFILE_NAME)
        b=AdjustPrivilege(SE_TCB_NAME)
        try:
            tracelist.append("win32api.GetUserName = " +
win32api.GetUserName() )
            # print win32api.GetUserName() #show you're someone else
        finally:
            impersonate.logoff() #return to normal
    except:
        a = "Impersonate Logon Error: %s %s" % (sys.exc_type, sys.exc_value)
        tracelist.append(a)
        # print sys.exc_type, sys.exc_value
----------END-----------

When I run this code, my tracelist comes out with

---------BEGIN----------
2005-09-15 16:43:37
about to attempt the IMPERSONATE
Impersonate logon step 0
Impersonate logon step 1
Impersonate Logon Error: pywintypes.error (1314, 'LogonUser', 'A required
privilege is not held by the client.')
----------END-----------

I'm coding this in Python 2.4 and the Windows extensions. I have a
number of other CGI programs in Python running under IIS that work
correctly, but those only do database accesses. This one I'm trying to
put together is the first one to actually do file searches.

I have set the privileges for the logged on account on my IIS box for
SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME and SE_ASSIGNPRIMARYTOKEN_NAME and
rebooted. To no avail. I'm not sure if there are additional
alterations that need to be done to the security policies or not.
Again, I'm not a guru.

If anyone can give me more information/guidance I would greatly
appreciate it. If you need more information from me, I will do my best
to provide it.

TIA,

Paul

• Previous message: Tom Kaminski [MVP]: "Re: Protecting Image Files"
• Next in thread: Pat [MSFT]: "Re: CGI Problem on MS IIS 5.0 - Trying to access files on other machines"
• Reply: Pat [MSFT]: "Re: CGI Problem on MS IIS 5.0 - Trying to access files on other machines"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]