invoking .NET class library from ASP2.0 (Classic)

  • Patrick

    invoking .NET class library from ASP2.0 (Classic)

    Following earlier discussions about invoking a .NET class library via
    .NET-COM Interop (using regasm /tlb) at


    I have concluded that my .NET class library (following the suggestions,
    namely setting the marshal type, etc.), I can
    1) Invoke public methods in the class library from VBScript
    2) Invoke public methods in the class library from ASP in IIS5.1 on Windows
    XP Professional SP2 provided that
    2.1) The process level is set to LOW (to get the IIS process running as the
    high privilege Local System Account).

    2.1 is probably not what I wanted. So I started investigating what
    permission I need by running FileMon from
    http://www.sysinternals.com/ntw2k/source/filemon.shtml .

    1) Initial attempts showed access denied on
    %SYSTEMROOT%\temp\Microsoft.NET\Framework\v1.1.4322\csc.exe
    2) When I relaxed ACL to allow IWAM_MachineName read access to csc.exe:
    3) FileMon started reporting Access is denied when trying to read on my
    %SYSTEMROOT%\temp
    4) when I relaxed ACL to allow IWAM_MachineName read access to this temp
    directory
    5) Access is denied is logged when the process tries to *Create*!! a
    C:\Documents and Settings\Default User\Application Data\Microsoft\CLR
    Security Config\v1.1.4322\security.config.cch.new !

    I thought hang on a minute...., where is this going to end? ASP.NET
    application runs also as IWAM_MachineName and I don't have to keep on
    relaxing security? What is the least I could do (i.e. least permission I
    need to give to IWAM_MachineName) to enable ASP to run a .NET Class library
    via interop?

    Note
    1) If I
    1.1) turn OFF anonymous access on the ASP directory (from IIS Manager)
    1.2) Turn on only integrated windows authentication
    1.3) Try to load the ASP, logging in as someone with Admin rights on the IIS
    Server
    1.4) The page loads up displaying error '80070002', when it tries to
    instantiate using CreateObject a .NET Object

    2) If I
    2.1) turn ON anonymous access on ASP Directory (from IIS Manager)
    2.2) Turn off integrated windows authentication
    2.3) Try to load the ASP
    2.4) The page loads up displaying error '80070002', when it tries to
    instantiate using CreateObject a .NET Object

    3) If I
    3.1) Add IUSR_MachineName and IWAM_MachineName to the Local admin group,
    reset IIS
    3.2) Turn on ONLY Anonymous access on IIS Manager
    3.3) Try to load the ASP
    3.4) The page loads up displaying error '80070002', when it tries to
    instantiate using CreateObject a .NET Object
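
The FileMon procedure in the post above grants one permission per failure. As an added example (not part of the original post), this Python sketch summarises every denied access for the ASP host process from a saved log, so the grants can be reviewed together and kept to the minimum. The tab-separated column order, the `dllhost.exe` process name, the request-to-right mapping and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the assumed FileMon export layout:
# sequence, time, process:pid, request, path, result, other
SAMPLE_ROWS = [
    ("1", "10:01:02", "dllhost.exe:1480", "OPEN",
     r"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe", "ACCESS DENIED", ""),
    ("2", "10:01:02", "dllhost.exe:1480", "READ",
     r"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe", "ACCESS DENIED", ""),
    ("3", "10:01:03", "dllhost.exe:1480", "DIRECTORY",
     r"C:\WINDOWS\Temp", "ACCESS DENIED", ""),
    ("4", "10:01:04", "dllhost.exe:1480", "CREATE",
     r"C:\Documents and Settings\Default User\Application Data\Microsoft"
     r"\CLR Security Config\v1.1.4322\security.config.cch.new", "ACCESS DENIED", ""),
    ("5", "10:01:05", "inetinfo.exe:900", "OPEN",
     r"C:\Inetpub\wwwroot\order.asp", "SUCCESS", ""),
    ("6", "10:01:06", "explorer.exe:300", "OPEN",
     r"C:\WINDOWS\Temp", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# Assumed mapping from a FileMon request type to the NTFS right it implies.
RIGHT_FOR_REQUEST = {
    "OPEN": "Read", "READ": "Read", "DIRECTORY": "List",
    "CREATE": "Write", "WRITE": "Write", "DELETE": "Delete",
}

def denied_rights(log_text, process_prefix):
    """Return {lower-cased path: sorted rights} for denied rows of one process."""
    needed = defaultdict(set)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # skip header or truncated lines
        process, request, path, result = row[2], row[3], row[4], row[5]
        if result.strip().upper() != "ACCESS DENIED":
            continue
        if not process.lower().startswith(process_prefix.lower()):
            continue  # ignore denials from unrelated processes
        right = RIGHT_FOR_REQUEST.get(request.strip().upper(), "Review manually")
        needed[path.strip().lower()].add(right)
    return {path: sorted(rights) for path, rights in needed.items()}

def report(log_text, process_prefix):
    """One line per path: the rights the process was refused there."""
    rights = denied_rights(log_text, process_prefix)
    return [f"{path}: {', '.join(r)}" for path, r in sorted(rights.items())]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "dllhost.exe"):
        print(line)
```

A write or create request under a profile or system directory is the kind of entry to question before granting, rather than relaxing the ACL as each error appears.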


  • [MSFT]

    #2
    RE: invoking .NET class library from ASP2.0 (Classic)

    Hello Patrick,

    ASP.NET is different from class ASP, it will use the account "ASPNET" or
    "network service", not IUser or IWAN in ASP. To run a .NET component, we
    need permission on many a folder as you have found, such as windows folder,
    temp folder and .NET framework folder.

    When you perform the three tests, what is the protection level you set in
    IIS?

    (An adventurous idea is to upgrade your application to ASP.NET. For most
    cases, we can just rename the .ASP file to .ASPX and then run it under
    ASP.NET. )


    Luke


    • Patrick

      #3
      Re: invoking .NET class library from ASP2.0 (Classic)

      I don't seem to find the minimum set of requirements needed to run .NET
      interop class library (after putting it in GAC and regasm /tlb) from ASP
      anywhere on the microsoft or MSDN site? Luke could you shed some light as
      to
      - the minimum set of folder permissions needed for IWAM_MachineName
      - the minimum set of folder permissions needed for IUSR_MachineName
      - the minimum set of registry permissions needed for IWAM_MachineName
      - the minimum set of registry permissions needed for IUSR_MachineName
      - the minimum set of other permissions required

      Considering the large set of ASP files and include files present, and the
      amount of regression tests required, porting to ASPX is probably not a good
      option for now!

      "[MSFT]" <lukezhan@online.microsoft.com> wrote in message
      news:FalpABhxEHA.768@cpmsftngxa10.phx.gbl...
      > Hello Patrick,
      >
      > ASP.NET is different from class ASP, it will use the account "ASPNET" or
      > "network service", not IUser or IWAN in ASP. To run a .NET component, we
      > need permission on many a folder as you have found, such as windows folder,
      > temp folder and .NET framework folder.
      >
      > When you perform the three tests, what is the protection level you set in
      > IIS?
      >
      > (An adventurous idea is to upgrade your application to ASP.NET. For most
      > cases, we can just rename the .ASP file to .ASPX and then run it under
      > ASP.NET. )
      >
      >
      > Luke
      >



      • Patrick

        #4
        Re: invoking .NET class library from ASP2.0 (Classic)

        Furthermore, if within my .NET Class library, I try to write to just the
        Application Log of EventViewer using an *Existing* Event Source (I know
        more permissions are required to get EventSource created), using the
        following very simple code snippet, I get permissions error as stated below.

        Note, I have made IUSR_MachineName and IWAM_MachineName a member of local
        administrators group on IIS5.1 on Windows XP Professional SP1 with .NET
        Framework 1.1

        --------------------------Start of code snippet--------------------------
        EventLog objEventLog;
        objEventLog = new EventLog();
        objEventLog.Log = "Application";
        objEventLog.Source = "ASP.NET 1.1.4322.0";
        objEventLog.WriteEntry("i am here");
        --------------------------End of code snippet--------------------------

        --------------------------Start of Error--------------------------
        System.InvalidOperationException: Cannot open log for source {0}. You may
        not have write access. ---> System.ComponentModel.Win32Exception: Access is
        denied
        --- End of inner exception stack trace ---
        at System.Diagnostics.EventLog.OpenForWrite()
        at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
        EventLogEntryType type, String[] strings, Byte[] rawData)
        at System.Diagnostics.EventLog.WriteEntry(String message,
        EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
        at System.Diagnostics.EventLog.WriteEntry(String message,
        EventLogEntryType type, Int32 eventID, Int16 category)
        at System.Diagnostics.EventLog.WriteEntry(String message,
        EventLogEntryType type, Int32 eventID)
        at System.Diagnostics.EventLog.WriteEntry(String message,
        EventLogEntryType type)
        at System.Diagnostics.EventLog.WriteEntry(String message)
        at MyOrg.web.publications.Order.UpdateOrderObject(SimpleOrderData order)
        at MyOrg.web.publications.Order.PlaceOrder(SimpleOrderData order)
        --------------------------End of Error--------------------------

        "Patrick" <patl@reply.newsgroup.msn.com> wrote in message
        news:OqTseHkxEHA.1308@TK2MSFTNGP09.phx.gbl...
        > I don't seem to find the minimum set of requirements needed to run .NET
        > interop class library (after putting it in GAC and regasm /tlb) from ASP
        > anywhere on the microsoft or MSDN site? Luke could you shed some light as
        > to
        > - the minimum set of folder permissions needed for IWAM_MachineName
        > - the minimum set of folder permissions needed for IUSR_MachineName
        > - the minimum set of registry permissions needed for IWAM_MachineName
        > - the minimum set of registry permissions needed for IUSR_MachineName
        > - the minimum set of other permissions required
        >
        > Considering the large set of ASP files and include files present, and the
        > amount of regression tests required, porting to ASPX is probably not a good
        > option for now!
        >
        > "[MSFT]" <lukezhan@online.microsoft.com> wrote in message
        > news:FalpABhxEHA.768@cpmsftngxa10.phx.gbl...
        > > Hello Patrick,
        > >
        > > ASP.NET is different from class ASP, it will use the account "ASPNET" or
        > > "network service", not IUser or IWAN in ASP. To run a .NET component, we
        > > need permission on many a folder as you have found, such as windows folder,
        > > temp folder and .NET framework folder.
        > >
        > > When you perform the three tests, what is the protection level you set in
        > > IIS?
        > >
        > > (An adventurous idea is to upgrade your application to ASP.NET. For most
        > > cases, we can just rename the .ASP file to .ASPX and then run it under
        > > ASP.NET. )
        > >
        > >
        > > Luke
        > >
        >
        >



        • [MSFT]

          #5
          Re: invoking .NET class library from ASP2.0 (Classic)

          I didn't find a public document which lists this exactly. Following article
          may help some:

          How to set required NTFS permissions and user rights for an IIS 5.0 Web
          server


          If you don't want to run the ASP application under Low protection level: I
          think you may consider creating a COM+ component calling the .NET assembly,
          and then call the COM+ Component in ASP. A COM+ application can run within
          different process and under different user account. Or you can create a
          COM+ application in .NET directly:

          HOW TO: Create a Serviced .NET Component in Visual C# .NET


          Luke


          • Patrick

            #6
            Re: invoking .NET class library from ASP2.0 (Classic)

            The Microsoft Article
            http://support.microsoft.com/default...;EN-US;Q271071 does not
            state *Specific Minimum* permissions required to run .NET Interop from ASP
            or that required to write to the Event Log (using an existing Event Source)

            I think I have the following options (please correct me if I am wrong)
            1) Run the ASP App Process Protection Level to "Low" + Make IWAM_MachineName
            and/or IUSR_MachineName users Administrators
            2) Instead of invoking a .NET class library via interop (regasm /tlb), make
            the .NET Class library a COM+ (ActivationOption.Server)
            3) Instead of invoking a .NET class library via interop (regasm /tlb), make
            a VB6 COM+ which invoke the .NET Class library via interop
            (ActivationOption.Server)

            Note the following issues!!!
            i) 2 and 3 are not going to work out in my particular scenario because the
            class library is actually a .NET Web Service proxy client class library that
            inherits from Microsoft.Web.Services2.WebServicesClientProtocol

            ii) ASPNET, IUSR_MachineName and IWAM_MachineName are already made
            administrators on the IIS server

            iii) With IIS Process Protection set to Low, I can get the .NET class
            library invoked from ASP, but when I set it to Medium, it doesn't. Using
            FileMon and RegMon from http://www.sysinternals.com/ntw2k/utilities.shtml, I
            figure out that there are loads of file/folder access is denied errors by
            IWAM_MachineName (I can't find any MSDN articles which state what
            folder/file permissions are required to invoke a .NET class library via .NET
            Interop from ASP 2.0 [classic])

            iv) With the relaxed permissions (ASPNET, IUSR_MachineName and
            IWAM_MachineName made administrators, low IIS process protection), I still
            cannot write to the event viewer from the .NET class library using an
            *Existing* Event Source)
            e.g.
            objEventLog = new EventLog();
            objEventLog.Log = "Application";
            objEventLog.Source = "ASP.NET 1.1.4322.0";
            objEventLog.WriteEntry("Test", EventLogEntryType.Information);

            I get the following exceptions
            --------------------------Start of Error--------------------------
            System.InvalidOperationException: Cannot open log for source {0}. You may
            not have write access. ---> System.ComponentModel.Win32Exception: Access is
            denied
            --- End of inner exception stack trace ---
            at System.Diagnostics.EventLog.OpenForWrite()
            at System.Diagnostics.EventLog.WriteEvent(Int32 eventID, Int16 category,
            EventLogEntryType type, String[] strings, Byte[] rawData)
            at System.Diagnostics.EventLog.WriteEntry(String message,
            EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
            at System.Diagnostics.EventLog.WriteEntry(String message,
            EventLogEntryType type, Int32 eventID, Int16 category)
            at System.Diagnostics.EventLog.WriteEntry(String message,
            EventLogEntryType type, Int32 eventID)
            at System.Diagnostics.EventLog.WriteEntry(String message,
            EventLogEntryType type)
            at System.Diagnostics.EventLog.WriteEntry(String message)
            at MyOrg.web.publications.Order.UpdateOrderObject(SimpleOrderData order)
            at MyOrg.web.publications.Order.PlaceOrder(SimpleOrderData order)
            --------------------------End of Error--------------------------

            v) I can confirm that with a simple ASPX page as follows without
            impersonation:
            ------------------------------Start of eventLogTest.aspx------------------------------
            <%@Import Namespace="System.Diagnostics" %>
            <%@Import Namespace="System.Web" %>
            <%@ Page language="c#" AutoEventWireup="true" EnableSessionState="False" %>
            <HTML>
            <HEAD>
            <title>event log test</title>

            </HEAD>
            <body>
            <%
            try
            {
                EventLog objEventLog;

                objEventLog = new EventLog();
                objEventLog.Source = "Application";

                objEventLog.WriteEntry("Test message", EventLogEntryType.Information);

            }
            catch (Exception e)
            {
            %>
            <%= e.ToString()%>
            <%
            } //end try%>
            </body>
            </html>
            ------------------------------end of eventLogTest.aspx------------------------------

            SO, the ultimate questions are
            1) How could I get a .NET class library to write to the event log using an
            existing event source when the class library is invoked from ASP 2.0
            (classic)
            2) What is the simplest and most secure way of allowing a .NET class library to
            be invoked from ASP 2.0 (Classic)?


            "[MSFT]" <lukezhan@online.microsoft.com> wrote in message
            news:T2gidivxEHA.3388@cpmsftngxa10.phx.gbl...
            > I didn't find a public document which lists this exactly. Following article
            > may help some:
            >
            > How to set required NTFS permissions and user rights for an IIS 5.0 Web
            > server
            > http://support.microsoft.com/default...;EN-US;Q271071
            >
            > If you don't want to run the ASP application under Low protection level: I
            > think you may consider creating a COM+ component calling the .NET assembly,
            > and then call the COM+ Component in ASP. A COM+ application can run within
            > different process and under different user account. Or you can create a
            > COM+ application in .NET directly:
            >
            > HOW TO: Create a Serviced .NET Component in Visual C# .NET
            > http://support.microsoft.com/default...;EN-US;Q306296
            >
            > Luke
            >



            • [MSFT]

              #7
              Re: invoking .NET class library from ASP2.0 (Classic)

              Hi Patrick,

              As I know, to write system event log, the account should have full control
              with following:

              /Windows/System32
              System temp folder

              And, you must change the registry value
              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\RestrictGuestAccess
              from a 1 to a 0. You must reboot for the change to take
              effect.

              However, if you use .NET component to access the eventlog, the account also
              should have permission on .NET and framework's folder.

              Can you let me know why you don't want to leave the application protection
              level as "low"? If "low" is impossible, you may set it to "high". And then,
              open Administrative tools/component services/Computers/My Computer/COM+
              applications, you will notice a COM+ application has been created for the
              virtual folder. Right click it, select Properties/Identity, you can specify
              a powerful account here. When the application protection level is set to
              high, it will use this account. You may add this account to administrators
              group to test again.

              Luke

