Access denied when using Net.Tcp Port Sharing Service - c#

This question is related to Starting processes under specific credentials from a Windows service, but it's a different problem.
I've started a process from a Windows service in the System session (0) under specific credentials, but it is unable to listen to a port sharing URL. It's using a "Worker" domain account on a Windows Server 2008 machine.
My SMSvcHost.exe.config file: http://pastie.org/private/jxed8bdft0eir5uc371pq
I've restarted the services and the machine as well, but it's still giving me this exception:
System.ServiceModel.CommunicationException: The service endpoint failed to listen on the URI 'net.tcp://localhost:5400/Agent/384' because access was denied. Verify that the current user is granted access in the appropriate allowAccounts section of SMSvcHost.exe.config. ---> System.ComponentModel.Win32Exception: Access is denied
at System.ServiceModel.Activation.SharedMemory.Read(String name, String& content)
at System.ServiceModel.Channels.SharedConnectionListener.SharedListenerProxy.ReadEndpoint(String sharedMemoryName, String& listenerEndpoint)
My ProcessHelper code that starts the process: http://pastie.org/private/iytqehsdfujrgil1decda. I'm calling the StartAsUserFromService method.
I suppose the link between the SID in the config and the account the process is running under is somehow not being made. But why?
EDIT:
I've double-checked that the config I'm editing is used by the service. I've tried adding the System account and Everyone explicitly, but it's still giving me an access denied error. It's like it's not looking at that config at all.
How can I find where the missing permission is?
EDIT:
I reinstalled .NET 4.5.1 on the machine and all the Windows updates, still no luck.
EDIT:
Is this the correct way of duplicating a user token to allow it to use port sharing? Specifically the SecurityDescriptor bit?
private static ImpersonationResult ImpersonateUser(string domain, string username, string password)
{
IntPtr token = IntPtr.Zero;
IntPtr primaryToken = IntPtr.Zero;
try
{
// Get token
bool bImpersonated = LogonUser(
username,
domain,
password,
(int)LogonType.NetworkClearText,
(int)LogonProvider.Default,
ref token);
if (!bImpersonated)
{
throw new Exception(string.Format("Failed to impersonate identity. Error code: {0}", Marshal.GetLastWin32Error()));
}
SecurityDescriptor sd = new SecurityDescriptor();
IntPtr ptr = Marshal.AllocCoTaskMem(Marshal.SizeOf(sd));
Marshal.StructureToPtr(sd, ptr, false);
InitializeSecurityDescriptor(ptr, 1);
sd = (SecurityDescriptor)Marshal.PtrToStructure(ptr, typeof(SecurityDescriptor));
// Set up security
bool bDecriptorSet = SetSecurityDescriptorDacl(
ref sd,
true,
IntPtr.Zero,
false);
if (!bDecriptorSet)
{
throw new Exception(string.Format("Failed to set security descriptor. Error code: {0}", Marshal.GetLastWin32Error()));
}
SecurityAttributes processAttributes = new SecurityAttributes();
processAttributes.lpSecurityDescriptor = ptr;
processAttributes.nLength = (uint)Marshal.SizeOf(sd);
processAttributes.bInheritHandle = true;
// Duplicate token
bool bTokenDuplicated = DuplicateTokenEx(
token,
0,
ref processAttributes,
(int)SecurityImpersonationLevel.SecurityImpersonation,
(int)TokenType.TokenPrimary,
ref primaryToken);
if (!bTokenDuplicated)
{
throw new Exception(string.Format("Failed to duplicate identity token. Error code: {0}", Marshal.GetLastWin32Error()));
}
SecurityAttributes threadAttributes = new SecurityAttributes();
threadAttributes.lpSecurityDescriptor = IntPtr.Zero;
threadAttributes.nLength = 0;
threadAttributes.bInheritHandle = false;
// Got the token
return new ImpersonationResult()
{
Token = primaryToken,
ProcessAttributes = processAttributes,
ThreadAttributes = threadAttributes
};
}
finally
{
FreeToken(token);
}
}
private static void FreeToken(IntPtr token)
{
if (token != IntPtr.Zero)
{
CloseHandle(token);
}
}
EDIT:
Here's the app.config bit of my process that enables port sharing: http://pastie.org/private/8ekqeps4d7rmo7hnktsw
Here's an app.config bit of the service that starts the process: http://pastie.org/private/nqqcwz8bvjb5fzp48yavbw. It has no problems using Port Sharing because it's running under the System account.
The Port Sharing service itself is enabled, and I already mentioned that I've restarted the machine several times.
The "Application Server" role is not installed, but when I go to add it, the TCP Port Sharing Role is already ticked and greyed out, so something else must have installed it. Does it come with .NET 4.5.1?

Preface: Please use for one question one thread...
PortSharing: WHERE have you enabled port sharing? We cannot see this in your configuration file. For more infos see: How to: Configure a Windows Communication Foundation Service to Use Port Sharing
Have you installed the "Application Server" role on your server? See also: Checklist: Use TCP Port Sharing to Allow Multiple WCF Applications to Use the Same TCP Port
Is port sharing enabled on the system? See: How to: Enable the Net.TCP Port Sharing Service
Also, have you restarted your server? Sometimes this is needed (or at least all services which uses this port), see: http://blogs.msdn.com/b/joncole/archive/2010/06/10/tcp-port-sharing-access-is-denied.aspx
A comprehensive description about port-sharing is: http://blogs.msdn.com/b/andreal/archive/2009/04/05/net-tcp-ip-port-sharing.aspx
Also be aware that you must add some accounts for activation, if this is needed:
Configuring the Net.TCP Port Sharing Service
Are you sure that the SmSvcHost.exe.config allows access from your account, your process is running under?
<configuration>
<system.serviceModel.activation>
<net.tcp listenBacklog="16" <!—16 * # of processors -->
maxPendingAccepts="4"<!— 4 * # of processors -->
maxPendingConnections="100"
receiveTimeout="00:00:30" <!—30 seconds -->
teredoEnabled="false">
<allowAccounts>
<!-- LocalSystem account -->
<add securityIdentifier="S-1-5-18"/>
<!-- LocalService account -->
<add securityIdentifier="S-1-5-19"/>
<!-- Administrators account -->
<add securityIdentifier="S-1-5-20"/>
<!-- Network Service account -->
<add securityIdentifier="S-1-5-32-544" />
<!-- IIS_IUSRS account (Vista only) -->
<add securityIdentifier="S-1-5-32-568"/>
</allowAccounts>
</net.tcp>
</system.serviceModel.activation>

It turns out that the logon type was causing the permissions to not work correctly with the Port Sharing Service. I changed it to LogonType.Batch and it started working.
Full code:
ProcessHelper: http://pastie.org/private/dlkytj8rbigs8ixwtg
TokenImpersonationContext: http://pastie.org/private/nu3pvpghoea6pwwlvjuq

(Just another answer that may help someone)
Turns out that in my case, logged in user did not have Administrative privilege.
Changing the account type to Administrator solved the problem.
I also did not change anything in SmSvcHost.exe.config

Related

Azure - Mapping a virtual directory to file service share in cloud service

Reference to : Mapping an Azure File Service CloudFileShare as a virtual directory on each instance of a cloud service
I encounter an issue when I am trying to create a virtual directory in Azure Cloud Service, and the virtual directory is mapped to Azure file service.
What I have done
1) use <Runtime executionContext="elevated" /> for webrole in in ServiceDefinition.csdef
2) in WebRole.cs
I mount the drive (as described in http://blogs.msdn.com/b/windowsazurestorage/archive/2014/05/27/persisting-connections-to-microsoft-azure-files.aspx for PaaS) I also do it in application start.
public static void MountShare(string shareName,
string driveLetterAndColon,
string username,
string password)
{
if (!String.IsNullOrEmpty(driveLetterAndColon))
{
// Make sure we aren't using this driveLetter for another mapping
WNetCancelConnection2(driveLetterAndColon, 0, true);
}
NETRESOURCE nr = new NETRESOURCE();
nr.dwType = ResourceType.RESOURCETYPE_DISK;
nr.lpRemoteName = shareName;
nr.lpLocalName = driveLetterAndColon;
int result = WNetAddConnection2(nr, password, username, 0);
if (result != 0 || result != 85)
//85 indicates the drive name is already used. in this scenario, it means the drive is already mapped.
{
throw new Exception("WNetAddConnection2 failed with error " + result);
}
}
3) In WebRole.cs, I create the virtual directories by the following,
app.VirtualDirectories.Add("/asset/cms", #"s:\cms");
4) In WebRole.cs, I use the following to make the AppPool run in the admin account I created for remote desktop,
applicationPool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
applicationPool.ProcessModel.UserName = appPoolUser;
applicationPool.ProcessModel.Password = appPoolPass;
applicationPool.ProcessModel.LoadUserProfile = true;
Problem:
I am unable to get anything from /asset/cms. It comes back with 500.19 if I try to access the files inside, and it says 'The requested page cannot be accessed because the related configuration data for the page is invalid.', and specifically it points to s:\cms\web.config which does not exist. When I remote to the cloud service instance, and open IIS mgr, I can see the virtual directories are created correctly.
I guess it's a permission problem. But I am not able to edit permission of the virtual directory since it's mapped to a network drive.
How can I solve this problem? -- Now the above problem is solved and the cloud service can access the file service share. But, new problem - is it possible to use the network_service identity to run the AppPool?

Connecting to IBM MQ over SSL via .net client

I am trying to connect to a MQ server queue via a .NET client. I need to use the certificate for secured communication. Here is the code that I have:
MQEnvironment.SSLKeyRepository = "*SYSTEM";
MQEnvironment.ConnectionName = connectionName;
MQEnvironment.Channel = channelName;
MQEnvironment.properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA";
queueManager = new MQQueueManager(queueManagerName, channelName, connectionName);
queue = queueManager.AccessQueue(SendQueueName,MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING);
queueMessage = new MQMessage();
queueMessage.WriteString(message);
queueMessage.Format = MQC.MQFMT_STRING;
queue.Put(queueMessage, new MQPutMessageOptions());
Every time I try to put the message on the queue, I get this error message
Reason Code: 2059
MQexp.Message: MQRC_Q_MGR_NOT_AVAILABLE
I have checked my variables for the queue manager name, queue name etc and they are correct.
I was also able to connect to a different queue without SSL, I believe that my code is not furnishing enough information to establish a successful connection.
Any help on this would be appreciated.
Thanks,
Kunal
I had the same problem and error message. After enabling tracing I was able to isolate the problem.
I always wondered, how the client is selecting the correct client certificate from the store. The trace output revealed following:
000001B2 15:53:46.828145 20776.10 Created an instance of SSLStreams
000001B3 15:53:46.828145 20776.10 Setting current certificate store as 'Computer'
000001B4 15:53:46.828145 20776.10 Created store object to access certificates
000001B5 15:53:46.834145 20776.10 Opened store
000001B6 15:53:46.834145 20776.10 Accessing certificate - ibmwebspheremqmyusername
000001B7 15:53:46.835145 20776.10 TLS12 supported - True
000001B8 15:53:46.837145 20776.10 Setting SslProtol as Tls
000001B9 15:53:46.837145 20776.10 Starting SSL Authentication
In my case, I had to set the friendly name of the client certificate to ibmwebspheremqmyusername (replace "myusername" with your userid) and set the label in the code aswell:
properties.Add(MQC.MQCA_CERT_LABEL, "ibmwebspheremqmyusername");
To enable tracing, add following to your app.config/web.config where the path points to a location that contains a file named mqtrace.config:
<appSettings>
<add key="MQTRACECONFIGFILEPATH" value="C:\MQTRACECONFIG" />
</appSettings>
Sample content of mqtrace.config (specified directories must exist in advance):
<?xml version="1.0" encoding="utf-8"?>
<traceSettings>
<MQTRACELEVEL>2</MQTRACELEVEL>
<MQTRACEPATH>C:\MQTRACEPATH</MQTRACEPATH>
<MQERRORPATH>C:\MQERRORLOGPATH</MQERRORPATH>
</traceSettings>
Here are some links for more detail:
Tracing:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q123550_.htm
Why label:
http://www-01.ibm.com/support/docview.wss?uid=swg21245474

WCF Data Service Update returns 401- Unauthorized: Access is denied due to invalid credentials

I have a WCF data service and I am trying to use the UpdateObject method on the DataServiceContext client. When I call the SaveChanges method, I get the following error page:
Unauthorized: Access is denied due to invalid credentials
You do not have permission to view this directory or page using the credentials that you supplied.
Does anyone have any ideas of how I can fix this? I found this, which would theoretically fix the problem, but setting this disk access is not a realistic solution for a production service. Keep in mind, when running this WCF Data service on my local machine, it works just fine. The C# code for my call is below:
public override void SetPropertyValues(SettingsContext context, SettingsPropertyValueCollection collection)
{
var userName = ( string ) context[ "UserName" ];
var isAuthenticated = ( bool ) context[ "IsAuthenticated" ];
if (userName != null && userName.Length >= 1 && collection.Count >= 1)
{
var allNames = string.Empty;
var allValues = string.Empty;
byte[] buf = null;
PrepareDataForSaving( ref allNames, ref allValues, ref buf, true, collection, isAuthenticated );
if (allNames.Length != 0)
{
var client = GetDataContext( );
var profile = client.ProfileViews.Where(p => p.UserName == userName).FirstOrDefault();
if (profile == null)
{
profile = new ProfileView() { UserName = userName };
client.AddToProfileViews(profile);
}
profile.PropertyNames = allNames;
profile.PropertyValuesString = allValues;
profile.PropertyValuesBinary = buf;
profile.LastUpdateDate = DateTime.UtcNow;
client.UpdateObject(profile);
client.SaveChanges( );
}
}
}
I had a similiar issue with a Silverlight application that was using WCF Data Services. The users could view data in the application---SELECTS from the database were functioning---but they were receiving the same "401 - Unauthorized: Access is denied du to invalid credentials." you are describing when they attempted to save changes to the database (i.e., at the point when SaveChanges was executed in code). The underlying problem ended up being a permissions issue with the IIS application folder itself. To fix, we had to grant the Application Pool being used by the WCF service Write permissions to the folder.
Go to IIS and right click on the virtual directory containing the WCF service and choose Manage Application -> Advanced Settings.... Make note of the Application Pool name.
Within same right-click menu, choose Edit Permissions..... On Security tab, check group and user names.
If the name of the Application Pool is missing. Add it using the name format "IIS APPPOOL\MyApplicationPoolName". See this helpful link: http://www.bluevalleytech.com/techtalk/blog/assigning-ntfs-folder-permission-to-iis7-application-pools/
Make sure MyApplicationPoolName has Write permissions (we actually gave it Full control)
In my case I had Windows authentication with impersonation using kerberos (useAppPoolCredentials=true) on a WCF Data Service hosted on IIS 7.5. The weird thing was that I could successfully select and insert data, but when I tried to update I got a 401.3 access denied error. The solution was to give the AD group specified in the web config (myRole):
<authorization>
<allow roles="myRole"/>
<deny users="*" />
</authorization>
Read and write access to the application folder like Dan Sabin said . The error message was:
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access

Change Windows Service user programmatically

I need to change Logon user for a Windows service programmatically. And I am using the following code to do that:
string objPath = string.Format("Win32_Service.Name='{0}'", ServiceName);
using (ManagementObject service = new ManagementObject(new ManagementPath(objPath)))
{
object[] wmiParams = new object[11];
if (PredefinedAccount)
{
wmiParams[6] = "LocalSystem";
wmiParams[7] = "";
}
else
{
wmiParams[6] = ServiceUsername; // provided by user
wmiParams[7] = ServicePassword; // provided by user
}
object invokeResult = service.InvokeMethod("Change", wmiParams);
// handle invokeResult - no error up to this point
}
This code works in 90% of situations, but in some situations service cannot be started due to logon failure. There is usually no error on InvokeMetod but when we try to start the service we get the following error:
System.InvalidOperationException: Cannot start service X on computer
'.'. --> System.ComponentModel.Win32Exception: The service did not
start due to a logon failure.
The workaround solution is simple, we just need to enter the same credentials via Windows interface and problem is solved.
So my question is, has anybody experienced the similar problem with ManagementObject because it seems that in some situation it does not relate Username and password to windows service?
It's because the account has no "Log On as service" privilege. You need to use LsaAddAccountRights to add such privilege to the account.
Do you notice any patterns amongst those failures? Same machine? Same OS? Same user? Does the user have "logon as service" or "logon interactively" rights? Personally, I am not familiar with this method of specifying the user for a service. I would have thought you would have to restart the service, but I guess not if it works 90% of the time.

Updating Active Directory from Web Application Error

I am receiving an error a web based application that allows corporate intranet users to update their active directory details (phone numbers, etc).
The web application is hosted on IIS6 running Windows Server 2003 (SP1). The IIS website is using NTLM Authentication and the website has integrated security enabled. The IIS application pool runs using the “Network Service” account.
The web.config contains the following elements
<LdapConfigurations server="xxx.internal" root="OU=Staff Accounts,DC=xxx,DC=internal" domain="xxx" />
<identify impersonate=”true” />
Active Directory delegation is not needed as the following C# (.NET 3.5) code should pass on the correct impersonation details (including security token) onto Active Directory.
public void UpdateData(string bus, string bus2, string fax, string home, string home2, string mob, string pager, string notes)
{
WindowsIdentity windId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
ctx = windId.Impersonate();
DirectorySearcher ds = new DirectorySearcher();
DirectoryEntry de = new DirectoryEntry();
ds.Filter = m_LdapUserFilter;
// i think this is the line causing the error
de.Path = ds.FindOne().Path;
this.AssignPropertyValue(bus, ADProperties.Business, ref de);
this.AssignPropertyValue(bus2, ADProperties.Business2, ref de);
this.AssignPropertyValue(fax, ADProperties.Fax, ref de);
this.AssignPropertyValue(home, ADProperties.Home, ref de);
this.AssignPropertyValue(home2, ADProperties.Home2, ref de);
this.AssignPropertyValue(mob, ADProperties.Mobile, ref de);
this.AssignPropertyValue(pager, ADProperties.Pager, ref de);
this.AssignPropertyValue(notes, ADProperties.Notes, ref de);
// this may also be causing the error?
de.CommitChanges();
}
finally
{
if (ctx != null)
{
ctx.Undo();
}
}
}
private void AssignPropertyValue(string number, string propertyName, ref DirectoryEntry de)
{
if (number.Length == 0 && de.Properties[propertyName].Value != null)
{
de.Properties[propertyName].Remove(de.Properties[propertyName].Value);
}
else if (number.Length != 0)
{
de.Properties[propertyName].Value = number;
}
}
User details can be retrieved from Active Directory without a problem however the issue arises when updating the users AD details. The following exception message is displayed.
System.Runtime.InteropServices.COMException (0x80072020): An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindOne()
at xxx.UpdateData(String bus, String bus2, String fax, String home, String home2, String mob, String pager, String notes)
at xxx._Default.btnUpdate_Click(Object sender, EventArgs e)
The code works fine in our development domain but not in our production domain. Can anyone please assist in helping resolving this problem?
This is more than likely a permissions problem - there are numerous articles regards impersonation and delegation and the vagaries thereof here: http://support.microsoft.com/default.aspx?scid=kb;en-us;329986 and here: http://support.microsoft.com/default.aspx?scid=kb;en-us;810572.
It sounds like you might have a duplicate SPN issue?
This is why I think it might be a problem:
It works in your dev enviroment (assuming it is also using network service, and on the same domain)
You have impersonate on, in your web config.
When there is a duplicate SPN, it invalidates the security token, so even though you have created it correctly in code, AD does not "trust" that server to impersonate, so the server that receives the request to make a change to AD (on of your DC's) receives the request but then discards it because Delagation permission has not been applied on the machine account in AD, or SPN issue (either duplicate or incorrect machine name / domain name)
Or at least in my expereince that is 9 out of 10 times the problem.
I guess the problem is that it works on the development environment because when you're launching your webapp there, you run it with your personal account which probably has the rights to write to AD.
On the production environment, you have to assure that the process running your webapp (Network Service Account) has also the rights to update the AD. It sounds to me like that could be the problem since I had a similar issue once.
The problem wasn't with the code but how the server was setup on the domain. For some reason the network administrator did not select the "Trust Computer for Delegation" option in active directory.
Happily the problem was not a "double-hop" issue :)

Categories