-
NT privileges from an ASP program
Hi Dan, how's it going? =)
I'm working on a project which needs to use Collaboration Data Objects from
an ASP program. Here is the troublesome code...
<%
'...
Set ExchangeSession = CreateObject("MAPI.Session")
ExchangeSession.LogOn "", , , , , , "servername" & Chr(10) & "accountname"
Set TgtCalendar = ExchangeSession.GetDefaultFolder(CdoDefaultFolderCalendar)
%>
I get a permissions error. Now, I'm sure you're thinking, "This is not my
area of expertise", but give me a tick. The above code works when I run it
on the server machine -- either as a VB program or as a VBS file. It only
fails when I try to run it from a client machine as an ASP page.
ASP code runs on the server, right? So my question is, what are the NT
security differences between an ASP program running on the server and an
"ordinary" program running on the server? If I put this code in an ActiveX
component, and use this component from my ASP program, will I get the
desired results? Maybe it needs to run out-of-process to get full
permissions?
Thanks for taking the time to answer our various questions. And please say
hi to the Desaware staff for me =)
-- Matthew Solnit
msolnit@yahoo.com
P.S. Without knowing what it does, I also tried Server.CreateObject() to
get my session object. Not only did this fail, it messed up the entire web
server and we had to reboot it!!
P.P.S. Hope you're enjoying the weather in Campbell. We just had 40 cm of
snow here in Montreal.
-
Re: NT privileges from an ASP program
I thought it was you! The Email address threw me at first.
Actually, this one is now a bit closer to my area of expertise - I've been
doing a lot of security stuff lately. Check out our site for our latest
product "The Desaware NT Service Toolkit". It's too cool for words.
Anyway, your ASP pages run in the security context specified by IIS - typically
something like IUSR_YOURMACHINENAME (use IIS manager properties to find the
account being used). This is the "anonymous" user context assigned to people
accessing your web site.
Anything not allowed to that user will fail.
You can prove this is the problem by making this user an administrator
temporarily - it should allow things to work.
Of course, you don't want your anonymous users to run as an administrator!
Now, here's where things get tricky. Selectively increasing permission for the
anonymous user to allow them to perform the operation can take a while
(figuring out which directories and permissions they need access to). Give
them too much permission, and you've opened a nasty window to hackers. Too
little, and it won't work.
One solution might actually be found in our new NT Services toolkit. You create
a service that performs the operation you want. The service can run in any
account you specify - easy to give it the necessary permission to do what you
want. However, access to the service can be restricted (and opened to the
anonymous account) - since you control what the service is allowed to do, you
maintain strong security against hackers without giving the user any additional
permissions.
I'm less clear on the possibility of arbitrarily running out of process
components in different user accounts. Dcomcnfg lets you specify the account in
which a component will run - but does that apply when the component is launched
on the local system (as would be the case here), or only when launched remotely
via DCOM? That I don't know offhand.
So, when will you be in town again? I gather I missed you on your last visit.
You have to come see my new place (if I ever finish unpacking:-).
Dan
Matthew Solnit wrote:
> Hi Dan, how's it going? =)
>
> I'm working on a project which needs to use Collaboration Data Objects from
> an ASP program. Here is the troublesome code...
>
> <%
> '...
> Set ExchangeSession = CreateObject("MAPI.Session")
> ExchangeSession.LogOn "", , , , , , "servername" & Chr(10) & "accountname"
> Set TgtCalendar = ExchangeSession.GetDefaultFolder(CdoDefaultFolderCalendar)
> %>
>
> I get a permissions error. Now, I'm sure you're thinking, "This is not my
> area of expertise", but give me a tick. The above code works when I run it
> on the server machine -- either as a VB program or as a VBS file. It only
> fails when I try to run it from a client machine as an ASP page.
>
> ASP code runs on the server, right? So my question is, what are the NT
> security differences between an ASP program running on the server and an
> "ordinary" program running on the server? If I put this code in an ActiveX
> component, and use this component from my ASP program, will I get the
> desired results? Maybe it needs to run out-of-process to get full
> permissions?
>
> Thanks for taking the time to answer our various questions. And please say
> hi to the Desaware staff for me =)
>
> -- Matthew Solnit
> msolnit@yahoo.com
>
> P.S. Without knowing what it does, I also tried Server.CreateObject() to
> get my session object. Not only did this fail, it messed up the entire web
> server and we had to reboot it!!
>
> P.P.S. Hope you're enjoying the weather in Campbell. We just had 40 cm of
> snow here in Montreal.
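A diagnostic page for the behaviour described in the reply above, added here as an example and not part of either post: it reports which NT account the ASP code runs as, then repeats the CDO calls under that account and shows the error. It assumes WScript.Network is registered on the server and uses the CDO 1.21 value for CdoDefaultFolderCalendar; "servername" and "accountname" are the placeholders from the original post.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic example (not from the thread).
' Step 1: show the security context of this request.
' Step 2: repeat the CDO logon in that context and report the result.
Const CdoDefaultFolderCalendar = 0   ' CDO 1.21 value; ASP does not define it

Dim net, mapi, folder

' WScript.Network reports the account the request thread is impersonating,
' e.g. IUSR_<machine> when the page is reached anonymously.
Set net = CreateObject("WScript.Network")
Response.Write "Running as: " & _
    Server.HTMLEncode(net.UserDomain & "\" & net.UserName) & "<br>"

' Empty for anonymous requests; set when IIS authenticated the caller.
Response.Write "AUTH_USER: [" & _
    Server.HTMLEncode(Request.ServerVariables("AUTH_USER")) & "]<br>"

' Each step runs only if the previous one left Err.Number at 0.
On Error Resume Next
Set mapi = CreateObject("MAPI.Session")
If Err.Number = 0 Then
    mapi.Logon "", , , , , , "servername" & vbLf & "accountname"
End If
If Err.Number = 0 Then
    Set folder = mapi.GetDefaultFolder(CdoDefaultFolderCalendar)
End If

If Err.Number <> 0 Then
    Response.Write "CDO call failed: 0x" & Hex(Err.Number) & " " & _
        Server.HTMLEncode(Err.Description)
Else
    Response.Write "Calendar opened: " & Server.HTMLEncode(folder.Name)
    mapi.Logoff
End If
On Error GoTo 0
%>
```

Request the page from a client machine and compare the reported account with the one that ran the VB or VBS version successfully. Delete the page afterwards, since it discloses the account name to anyone who can reach it.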