Hello all,

I have an ASP.NET website (in C#) that takes in user data and then attempts to create a Windows scheduled task. Of course, this works great on the DEV machine, but fails to run on the server. I'm trying to figure out what permission(s) are required on the ASPNET user (or anonymous web user) to create tasks.

The error is:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 
Stacktrace: 
    at MyScheduler.NewWorkItem(String TaskName, Guid& rclsid, Guid& riid, Object& obj) 
    at MyScheduler.CreateTask(String name)

I've done some searching, and the suggested resolution is to use the web.config 'impersonate' flag to force the application to run as a user with sufficient permissions, as opposed to the ASPNET account which may not have those permissions.

Example:

<system.web>
    <identity impersonate="true" />
</system.web>

Unfortunately, this does not seem to resolve the issue. From the documentation I read, this should run as the anonymous web user, but it seems that user does not have enough permissions.

I altered the setting to specify a specific domain user that happens to be an administrator on the machine. Example:

<system.web>
    <identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>

Doing this allowed the application to successfully create the Windows Scheduled Task. So, obviously, with the correct set of Windows 2003 permissions I can get the app to perform as it does in the development environment. However, I'm not about to place the network or machine administrator account's user credentials in plain text in a Web.config file.

Does anybody happen to know what permissions exactly need to be set in order to get the ASPNET account to behave as desired?

EDIT: The Win32 API is being used to create scheduled tasks.

A: 

Are you writing something to the event log? It is possible that your component (which is hosted in IIS, I presume?) has no access to write something to the event log.

This is merely a guess. A while ago I was faced with a similar problem, and I solved it this way:

Click

Frederik Gheysels
+1  A: 

Instead of worrying about the ASPNET user permissions, would your internal process allow you to create a machine specific account and supply the credentials there?

Chris Stewart
I agree, creating a dummy account to run the task would be an option. However, that dummy account still needs the correct permissions. At the moment, I realize that placing a user in the Administrators group works, but I need to know what specific permissions are required for an account.
Jay S
A: 

I have been able to solve my particular problem, though not completely. I have still not identified the exact rights needed to create and run scheduled tasks, but the following seems to work:

  1. Add the <identity impersonate="true" /> to the Web.config
  2. Add the IUSR user (which is the user the app will run as using impersonate) to the "Backup Operators" group.

This gives the application access to the Scheduled Tasks folder so that they can create and run the task.

We had an additional issue, which was that the tasks were attempting to run as the Local System Account. Unfortunately, only administrators seem to be able to assign the Local System Account as the running user, so we needed to impersonate as an Administrator account, not as a Backup Operator in order to get our code functioning correctly.

Jay S
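
Added example, not part of the question or of any answer here: a small Python audit that classifies every `<identity>` element in a Web.config, so the plaintext-credential form from the question can be caught before deployment. The function name, finding labels and sample file are constructed for illustration; the `registry:` and `configProtectionProvider` cases are the two ways ASP.NET lets these credentials be kept out of clear text.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root <identity> mirrors the question's second snippet,
# the <location> override mirrors its first snippet.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.web>
    <identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
  </system.web>
  <location path="reports">
    <system.web>
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>"""


def audit_identity(config_xml):
    """Return (scope, finding) tuples for every <identity> element in a web.config."""
    root = ET.fromstring(config_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # ignore an xmlns on <configuration>
    # <system.web> can sit at the root or inside per-path <location> overrides.
    scopes = [("/", root)] + [(loc.get("path", ""), loc) for loc in root.iter("location")]
    findings = []
    for scope, node in scopes:
        for ident in node.findall("system.web/identity"):
            user = ident.get("userName") or ""
            pwd = ident.get("password") or ""
            if ident.get("configProtectionProvider"):
                finding = "encrypted-section"  # protected configuration in use
            elif ident.get("impersonate", "false").lower() != "true":
                finding = "impersonation-off"
            elif not user and not pwd:
                finding = "impersonates-request-identity"  # no stored secret
            elif user.lower().startswith("registry:") and pwd.lower().startswith("registry:"):
                finding = "credentials-in-registry"
            else:
                finding = "PLAINTEXT-CREDENTIALS user=%s" % user
            findings.append((scope, finding))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_identity(SAMPLE_WEB_CONFIG):
        print("%-10s %s" % (scope, finding))
```

A `PLAINTEXT-CREDENTIALS` finding for an account in the Administrators group is the case the question wants to avoid; the other findings say which form the file uses, not which Windows rights the account holds.
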
A: 

Another option is to flash the BIOS on the server