IIS Permission issue with ASPs

[jmiturbe]

Hello,

I recently started working with windows (I usually work as UNIX sysadmin), so excuse my low knowledge and by the way my poor english.

We are running an IIS website with Integrated Windows Authentication on a Windows 2000 server. We want to run an asp that calls a dll using server.createobject.

When simple users call this asp from their PCs, the dll doesn't work, but if we add these users to the administrators group, it works perfectly. I tried giving full control permissions to everyone for the content folder without sucess, so I think that it's not a file permission issue. Logically, we cannot include all the users on the admin group.

Can you help me?

Thanks in advance,

jmiturbe

 

[Tarwn]

The issueis your DLL. lonce it has been registered on the server it is placed in System32 (someone call me on this, I may be off). That DLL is what you need to give additional permissions to in order for the web application to use it. Basically when you use integrated security the web application runs under the users permissions that connected to the server. So any outside calls for DLLs, network shares, local file writing, etc are executed under that users permissions.
In this case I am pretty sure it is the registered DLL that windows so helpfully move for you that is causingthe issue.

-T

 

[Sheco]

So it "doesn't work" ... can you be more specific? Is there an error message?

If a DLL is a custom one only used for the web application then I prefer to put it somewhere in the folder structure of the web app rather than in System32. It doesn't really matter where it is as long as the it is recorded properly in the windows registry.

Also your DLL might reference a second DLL so that while the user has permissions on the first DLL called by ASP, they do not have permission on the second DLL called by the first.

 

[jmiturbe]

Hello,

Thanks for answering so fast! I think that it's a custom dll and i checked that it's located in the web application folder. Tomorrow I'll check if it's also in system32, but I think it's not. The people who installed this dll said that it's an encrypted dll or something similar, so it can't be easily debuged. They smell that the problem can be related with permissions, but the do not have the knowledge to trace it. Neither do I.

The dll is suposed to "paint" a form depending on the user's role on the application. If a user with the correct application rights is not on the server's admin group, the invoking of the dll doesn't paint the form but I can't see any kind of error, just a blank web page. If we add this user to the server's admin group without modifying user's role at application level, it does the job it's supposed to do. From this I got two conclusions, but they could be wrong:

1.- The dll is registered, because it can be invoked, even if it only works when the user is one of the server's admin. Is this true? Or do the windows administrators have any kind of special permissíon that allows them to "call" unregistered dlls?

2.- Functionally, it's working, because it does it's job.

Any ideas about the problem or how to debug it?

Yours,

jmiturbe

 

[Sheco]

yes if it never worked then perhaps it could be a registration issue.... but since it works in some circumstances then the registry is not the problem.

What sort of error do you see when a non-administrator attempts to use the DLL? Perhaps on just this one page you could use a specific administrator account in place of anonymous for all web users rather than using integrated windows authentication.

 

[jmiturbe]

Hi,

I think that we can't do what you say, because the application has it's own permission management, based on the identity of the user. The "entreprise" choose using Integrated Windows Authentication to get a Single Sign On easily. So in my opinion we can't use the administrator account for all the accesses, because it's an "anonymous" acount, even if it has many privileges.

I forgot to say that it's working on development environment, so the system can work.

Any ideas?

Thanks again. Yours,

jmiturbe

 

[ChrisHirst]

Does the single sign on user account have "Execute" permissions to the folder or the dll directly?

does the application dll need to read/write to the registry? If so does the account have permissions to the appropriate node or key?

Chris.

Indifference will be the downfall of mankind, but who cares?
Woo Hoo! the cobblers kids get new shoes.
People Counting Systems

So long, and thanks for all the fish.

 

[a6m1n0]

I am unsure about your app, but I use the method below to control access to various commercial dll's on a shared hosting server for my company's clients...

I would try creating a user group called 'DllAccessGroup' (or whatever) and put the users that you want to access this dll in that group.

On the dll file, add the DllAccessGroup to the NTFS Access Control List with read/execute permissions. (This will ease administrative duites later by giving more users access to the dll by just adding them to the user group.)

Also, when you regsrv32 the dll, it does not have to be in %systemroot%\system32. You can put the dll wherever you want and just specify the appropiate path of the dll file when you register it, then apply the proper NTFS permissions for the user group.

Hope this helps.

-a6m1n0

Curiosity only kills cats.

 

[jmiturbe]

Hi,

I followed your instructions, and just for testing purposes I gave full control access for everyone to the dll and the folder containing it (it's located on a custom folder, not system32).

It doesn't work, so I think it can't be a NTFS file permission problem.

More ideas?

Thanks in advance,

jmiturbe

 

[Sheco]

It is possible that the code inside the DLL is attempting to access something that requires elevated security credentials.

What is the exact error message?

 

[jmiturbe]

Hi Sheco,

I can't see any error message. Sure I'm not looking at the right place (i don't know too much about windows).

On the browser's window it just doesn't output the form like it should. But it doesn't display any kind of error.

Is there any way to trace a dll to see what is trying to do?

Yours,

jmiturbe

 

[a6m1n0]

There are several logs available when running a site in IIS to help troubleshoot problems.

There is the Server Event Logs ( Application, Security, & System Logs ). Right-click My Computer->Manage->Event Viewer

There is also the Http Error Log file in %systemroot%\system32\LogFiles\HTTPERR

What I typicaly do when I have a problem tracking down an error is to save & clear the events in the Event Log, then copy/paste the httperr1.log to a new filename, stop IIS, delete httperr1.log, start IIS, then attempt to run the appliction again. Immediately afterwards check your log files for errors.

See if this gives you something a little more concrete to work with.

-a6m1n0

Curiosity only kills cats.