INFO: Difficulties Using Net APIs in ISAPI and ASP COM ObjectsID: Q217144
|
Network APIs (such as NetUserAdd) may fail with the error 86 when called from an ISAPI Extension DLL or COM object instantiated on an Active Server Pages (ASP) page.
The specified network password is not correct
W3SVC (Inetinfo.exe) runs under the Local System security context. ASP COM
objects and ISAPI DLLs are loaded in the thread that impersonates either
the IUSR_machinename user for anonymous requests, or the user whose
credentials were submitted with the HTTP request. For OOP applications,
the surrogate process, Mtx.exe, runs under the IWAM_machinename. However,
individual threads still impersonate the IUSR_machinename, or the user
whose credentials were submitted with the HTTP request.
If a thread runs in the security context of the user (say, user JoeB) who
has administrator or account operator permission in the domain, then it's
possible to call Net API, such as NetUserAdd, from an ISAPI extension DLL
or from a COM object created in an ASP page.
When network APIs are called the first time after Internet Information
Server (IIS) is started, an authenticated named pipe is opened to the SAM
database on the Primary Domain Controller in the security context of the
authenticated user JoeB. You can see the pipe in the list of open files
and pipes opened on the PDC by issuing the "net files" command. The pipe
will be displayed as \PIPE\samr on the PDC machine.
For performance reasons the Windows NT operating system holds this named
pipe open as long as the IIS process (Inetinfo.exe) is running. This poses
a problem when subsequent requests submitted in the security context of a
different user (say, JaneB) call the Network APIs again. The user JaneB
cannot access a named pipe open for user JoeB. Therefore, NetUserAdd will
fail as mentioned for the user JaneB.
hToken1 = OpenThreadToken(GetCurrentThread(), TOKEN_READ |
TOKEN_IMPERSONATE, TRUE,...); // Get current security token
hToken2 = LogonUser(); // Obtain security token for some user
ImpersonateLoggedOnUser(hToken2, ...);
NetUserAdd();<BR/> // At this point NetAPI is alway called in the same
security context
ImpersonateLoggedOnUser(hToken1, ...);
CloseHandle (hToken1);
CloseHandle (hToken2);
...
For more information, see the following articles in the Microsoft
Knowledge Base:
Q155601 Understanding SAM
Active Contexts Under Windows NT
Q158229 Security Ramifications
for IIS Applications
Q172925 Security Issues with
Objects in ASP and ISAPI Extensions
Q207671 Accessing Network
Files from IIS Applications
Win32 Platform SDK documentation
© Microsoft Corporation 1999, All Rights Reserved.
Contributions by Leon Braginski, Microsoft Corporation
Additional query words: Net 86 \pipe\samr
Keywords :
Version : winnt:3.0,4.0
Platform : winnt
Issue type : kbinfo
Last Reviewed: March 30, 1999