Access denied, trying access a named pipe. from inside IIS.

Are you saying that you've been able to reproduce this problem, please
clarify? I am anxious for a solution to the problem of serializing access
to a resource (my db) as I process transactions over the web.

My 1st attempt was to use the named pipe to do the serialization and
transaction as I don't have a high bandwidth problem. I figured this would
be a simply secure situation. IF this will not work, please let me know
asap.

--
Gak -
Finecats


"WenYuan Wang" wrote:

> Hi Gak
>
> we need to perform more research on this issue . We will reply here as soon
> as possible.
> If you have any more concerns on it, please feel free to post here.
>
> Thanks for your understanding!
> Best regards,
> Wen Yuan
>
>
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS. 

Hi Finecats,

I'm the owner of this IIS queue in MSDN newsgroups. Just need you to
clarify more on this issue, do you mean the named pipe can be properly
accessed between 2 test processes but failed on being executed within ISAPI
extension? If so, is there any detailed error message or code?

Just a rough idea of mine correctly, since you are using IIS 5.1 on XP,
please ensure the site's application protection level is set to Low(IIS
Process) in the site's Home Directory property page before testing.
Otherwise the ISAPI code will probably run in dllhost.exe with
IWAM_<machine> identity instead of inetinfo.exe with System identity.

Merry Christmas!

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS. 

I have confirmed that protection is Low(IIS process).

Clarification: I was able to spawn a process from inside iis 5.1 isapi
extension.
The only thing the new process does at this point is to create a pipe , read
from it and write a response.

Once the process is spawned, the extension tries CreateFile() as i indicated
earlier.
The return is system error 00000005 .

Lastly, I did test this with an experimental program and was able to
communicate between the test program and the server just fine.



In the first article of this thread is the client side, (the part that
belongs in isapi).
Here is how I create the pipe in the spawned process.

HANDLE EstablishPipe()
{
WCHAR PipeName[] = L"\\\\.\\pipe\\LicensePipe";
HANDLE hPipe = 0;


hPipe = CreateNamedPipe(
PipeName, // pipe name
PIPE_ACCESS_DUPLEX|FILE_FLAG_WRITE_THROUGH, // read/write
access

PIPE_TYPE_MESSAGE | // message type pipe
PIPE_READMODE_MESSAGE | // message-read mode
PIPE_WAIT, // blocking mode
1, // max. instances
BUFSIZE, // output buffer size
BUFSIZE, // input buffer size
NMPWAIT_USE_DEFAULT_WAIT, // client time-out
NULL); // default security attribute




// Break if the pipe handle is valid.

if (hPipe != INVALID_HANDLE_VALUE)
return hPipe;

cout << " Unable to create pipe" << endl;
cout << "Error: " << GetLastError();

return INVALID_HANDLE_VALUE;
}


Once the pipe is created on the server, it will sit in a loop like this:

for(;

{

ConnectNamedPipe(PipeHandle,NULL);
ReadFile(PipeHandle,&Mess,sizeof(MessageKA),
&BytesRead,0);

cout << "Received Message" << endl;

WriteFile(PipeHandle,Response,3,// sizeof(ResponseKA),
&BytesWritten, 0);

DisconnectNamedPipe(PipeHandle);
}




Gak -
Finecats


""WenJun Zhang[msft]"" wrote:

> Hi Finecats,
>
> I'm the owner of this IIS queue in MSDN newsgroups. Just need you to
> clarify more on this issue, do you mean the named pipe can be properly
> accessed between 2 test processes but failed on being executed within ISAPI
> extension? If so, is there any detailed error message or code?
>
> Just a rough idea of mine correctly, since you are using IIS 5.1 on XP,
> please ensure the site's application protection level is set to Low(IIS
> Process) in the site's Home Directory property page before testing.
> Otherwise the ISAPI code will probably run in dllhost.exe with
> IWAM_<machine> identity instead of inetinfo.exe with System identity.
>
> Merry Christmas!
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS. 

Hi Larry,

00000005 is:

ERROR_ACCESS_DENIED winerror.h
# Access is denied.

It seems like a permission related error. I'd suggest you check the
identity of the spawned process and compare it with your experimental
program. I assume they are under different accounts.

Another point to test is disabling anonymous access on the site and enable
basic authentication only. Then login with your administrator account to
load the application again to test. See if it succeeds this time. Generally
ISAPI extension code is executed with current logon user's identity(i.e
IUSR_<machine> for anonymous access) which should lack for permission to
handle the named pipe generation.

Please feel free to send your sample projects to me at:
wjzhang DeleteThis @online.microsoft.com (remove online.). I will be glad to reproduce
the issue and help on the troubleshooting.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS. 

What exactly do you mean by "identity" ? How do I check for this?

I was using admin privledges for my stuff and all my testing!

When does IIS , and Isapi load? I would assume as a service it runs without
waiting for any user login?



--
Gak -
Finecats


""WenJun Zhang[msft]"" wrote:

> Hi Larry,
>
> 00000005 is:
>
> ERROR_ACCESS_DENIED winerror.h
> # Access is denied.
>
> It seems like a permission related error. I'd suggest you check the
> identity of the spawned process and compare it with your experimental
> program. I assume they are under different accounts.
>
> Another point to test is disabling anonymous access on the site and enable
> basic authentication only. Then login with your administrator account to
> load the application again to test. See if it succeeds this time. Generally
> ISAPI extension code is executed with current logon user's identity(i.e
> IUSR_<machine> for anonymous access) which should lack for permission to
> handle the named pipe generation.
>
> Please feel free to send your sample projects to me at:
> wjzhang RemoveThis @online.microsoft.com (remove online.). I will be glad to reproduce
> the issue and help on the troubleshooting.
>
> Thanks.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS. 

Hi Larry,

I meant the process's running account. You can check it with task manager.

ISAPI application's running context is particular. As you know, the
inetinfo.exe is running under System account(process identity). However
when am incoming ISAPI request, for example an ASP page request, IIS
establishes a thread to handle it and this thread's running context should
be the request user's logon account(e.g anonymous account IUSR_<machine>)
but not System. Therefore when enabling Basic authentication only and login
with your administrator account, the ISAPI code's thread will run with this
admin account. If the code works at this time, it means the problem is most
likely anonymous account does have permission to process the named pipe.

Have you tested with basic authentication yet?

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS. 

OK, I think I'm starting to get it.

Do I spawn the process with some kind of special permissions set or do I
create the pipe with appropriate permission?

In either case, do you have a sample that would show the appropriate
creation of the object?


--
Gak -
Finecats


""WenJun Zhang[msft]"" wrote:

> Hi Larry,
>
> I meant the process's running account. You can check it with task manager.
>
> ISAPI application's running context is particular. As you know, the
> inetinfo.exe is running under System account(process identity). However
> when am incoming ISAPI request, for example an ASP page request, IIS
> establishes a thread to handle it and this thread's running context should
> be the request user's logon account(e.g anonymous account IUSR_<machine>)
> but not System. Therefore when enabling Basic authentication only and login
> with your administrator account, the ISAPI code's thread will run with this
> admin account. If the code works at this time, it means the problem is most
> likely anonymous account does have permission to process the named pipe.
>
> Have you tested with basic authentication yet?
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS. 

Hi Larry,

All the best to you in the new year!

"Do I spawn the process with some kind of special permissions set or do I
create the pipe with appropriate permission?"

[WenJun]
You can verify this via some debug utilities like Process Explorer.
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExp
lorer.mspx

To check:

1. Open Process Explorer.
2. Locate to your spawned process.
3. In the below Object list, named pipes will be displayed as File type
objects and generally with a name like \Device\NamedPipe\<Pipe Name>
4. Find the pipe you created and double-click it to check the permission
set of it in Security tab.

"In either case, do you have a sample that would show the appropriate
creation of the object?"

[WenJun]
No, I don't have a specific sample which applies to your scenario in hand.
However if you are willing to send your problematic project to me, I will
be glad to try reproducing the problem and assist on the test &
troubleshooting.

To clarify more of the issue, my understanding of the problem is:

1) Spawning an process from your ISAPI extension code which is executed by
IIS.
2) The spawned process creates a name pipe in it.
3) Try to connect to the named pipe from another external process(get an
Access Denied error).

Also if the process in step #2 isn't spawned by ISAPI, the step #3 will
succeed.

Could you please confirm if this above catches the issue exactly? If so, as
I mentioned before, the first key point is to check the process in step #1
is spawned with which account. Is it the anonymous IUSR_<machinename>
account (IUSR's permission is very weak and limited)? Please check this in
Task Manager(or by adding User Name column in Process Explorer view).

Also I wonder the result when disabling anonymous access and launching the
ISAPI extension with Basic authenticaiton(login with your administrator
account). Or you can temporarily add IUSR_<machinename> account to local
Administrators group to test.

If the process does run with IUSR account and the code can work with Basic
auth (or granting IUSR with admin permission), we can narrow down the issue
is due to IUSR lacks for some particluar permission.

Named Pipe Security and Access Rights
http://msdn2.microsoft.com/en-gb/library/aa365600.aspx

Look forward to your update.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: Access denied, trying access a named pipe. from inside IIS.