What account permissions are required for HttpListener.Start()?

With least-privilege user account (LUA) HttpListener.Start() throws an HttpListenerException with ErrorCode == 5 (ERROR_ACCESS_DENIED). This does not occur when the user is a member of the Administrators group.

There's no mention of what privileges the current user requires in order to use this method in the documentation for this method.

What permissions must be granted to a user account in order to call this method?

In a more general sense, where can we find user account access permission requirements for all .NET framework methods?

Hello Peter Ritchie [C# MVP],
Did u try sample from there http://msdn2.microsoft.com/en-us/library/system.net.httplistener.aspx ?

Do u use SSL?

---
WBR,
Michael Nemtsev :: blog: http://spaces.msn.com/laflour

"At times one remains faithful to a cause only because its opponents do not cease to be insipid." (c) Friedrich Nietzsche

While the HttpListenerContext would ease elevating the privileges for that
particular call (instead of resorting to full-blown impersonation), it doesn't provide detail to create a user account or context with least-privileges. E.g., yes, I can use an administrative account for the context to make the call to HttpListener.Start() work; but that elevates the privileges too high (I'm assuming Start() doesn't need full administrator privileges) and still need to know what the minimum access an account requires in order to use this method.

Thanks -- Peter.

Hello Peter,
Thank you for posting.

As for the HttpListener's permission issue you mentioned, based on my research, it is caused by the URLACL of the Windows XP or Windows 2003's HTTP.SYS kernel module. By default only SYSTEM or the local Administrators group can listen to http prefixes. If you want to let other custom accounts listen on certain URL prefixes, you need to explicitly grant access to other accounts.

For this it is convenient to use the httpcfg.exe tool, for example:

    httpcfg.exe set urlacl /u http://localhost:80/StevenCheng/ /a D:(A;;GX;;;WD)

In the above command, "set urlacl" means we'll add a URLACL configuration entry. The URLACL's URL is specified through the /u switch, and the security ACL is supplied through the /a switch (use an SDDL string).

In the above example, "D:(A;;GX;;;WD)" means we grant (A) Generic Execute permission (GX) to everyone (WD). If we want to grant permission to a specific user, we need to use that user account's SID (to replace the WD here).

There is a tool named "GetSid.exe" in the Platform SDK which can help conveniently get the SID string of a specific user account.

The httpcfg.exe tool can be obtained through the Windows XP SP2 support tools or Windows 2003 SP1 support tools (getsid.exe is also included in the tools):

#Windows Server 2003 Service Pack 1 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&DisplayLang=en

#Windows XP Service Pack 2 Support Tools
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

In addition, I've also noticed that the existing documentation on the HttpListener class is far from complete and hasn't mentioned most of the things I listed here. Regarding this, I've also sent the feedback to our internal dev team so that they can notice this doc problem. Meanwhile, I would also recommend you submit this request and feedback about this in our product feedback center so that our dev team can also hear more about the products and docs from the community.

Thanks for your understanding!

Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead

==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Peter,
Sorry to forget the feedback site link in my last reply, here it is:

#Visual Studio and .NET Framework Feedback
http://connect.microsoft.com/feedback/default.aspx?SiteID=210

If you have anything unclear in my last reply, please feel free to let me know.

Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks Stephen, that sounds like it should answer the question. I'll try and
echo that information on the MSDN Wiki for HttpListen so others can get it until the documentation has been updated. I'll post a reply if I need further clarification.

Thanks -- Peter

--
Browse http://connect.microsoft.com/VisualStudio/feedback/ and vote.
http://www.peterRitchie.com/blog/
Microsoft MVP, Visual Developer - Visual C#

Thanks for your response Peter,
No prob! If you meet any further problem or anything else needs clarification, please feel free to post here. BTW, actually I also plan to write a blog entry against this issue :-).

Good luck!

Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

"Peter Ritchie [C# MVP]"
You only used the .NET documents try the real docs too! :)

HTTP Server API Start Page [HTTP] Version 1.0
http://msdn.microsoft.com/library/en-us/http/http/http_api_start_page.asp

HTTP Server API Version 2.0 Reference [HTTP]
http://msdn.microsoft.com/library/en-us/http/http/http_server_api_version_2_0_reference.asp

MSDN Search
http://search.msdn.microsoft.com/search/default.aspx?siteId=0&tab=0&query=httpcfg

HttpCfg ACL Helper
http://www.leastprivilege.com/HttpCfgACLHelper.aspx

MSN Search
http://search.msn.com/results.aspx?q=%2BHttpCfg

And the creators of Http.sys

Windows Network Development platforms, technologies and APIs such as Winsock, WSK, WinINet, Http.sys, WinHttp, QoS and System.Net
Windows Network Development
http://blogs.msdn.com/wndp/

.NET Framework Networking and Communication
http://forums.microsoft.com/msdn/showforum.aspx?forumid=40&siteid=1

Be aware IIS6 thinks they own http.sys themselves - and almost all doc writers believe so too! IIS7 and Http.sys play a lot better with other http.sys processes!

IIS.net : Vista Editions and IIS 7 Features : Microsoft Internet Information Services
http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=1100

Enjoy!
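
The per-account grant described in Steven Cheng's reply above, as an added C# example that is not part of the original thread or any poster's code: it probes a prefix as the current user and, on ErrorCode 5, prints the httpcfg.exe command with that user's SID in place of WD (Everyone). The class name `UrlAclProbe` and the default prefix are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Security.Principal;

static class UrlAclProbe
{
    const int ErrorAccessDenied = 5; // ERROR_ACCESS_DENIED, the code reported in the thread

    // Same SDDL shape as the thread's example, with one account's SID in place
    // of WD (Everyone): allow (A) generic execute (GX) for that SID only.
    static string SddlFor(SecurityIdentifier sid)
    {
        return "D:(A;;GX;;;" + sid.Value + ")";
    }

    static int Main(string[] args)
    {
        // Hypothetical default prefix; pass the prefix your service registers.
        string prefix = args.Length > 0 ? args[0] : "http://localhost:8080/example/";
        SecurityIdentifier sid = WindowsIdentity.GetCurrent().User;

        HttpListener listener = new HttpListener();
        listener.Prefixes.Add(prefix);
        try
        {
            listener.Start(); // the prefix is registered with HTTP.SYS here
            Console.WriteLine("{0} may already listen on {1}", sid.Value, prefix);
            return 0;
        }
        catch (HttpListenerException ex)
        {
            if (ex.ErrorCode != ErrorAccessDenied) throw; // some other failure
            Console.WriteLine("Access denied for {0} on {1}.", sid.Value, prefix);
            Console.WriteLine("An administrator can grant only this account with:");
            Console.WriteLine("  httpcfg.exe set urlacl /u {0} /a {1}", prefix, SddlFor(sid));
            return 1;
        }
        finally
        {
            listener.Close(); // releases the registration if Start() succeeded
        }
    }
}
```

Run it under the least-privilege account the service will use; the printed httpcfg.exe command itself has to be run by an administrator.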