Starting a "cmd.exe" process from ASP.NET permissions problem

I have to start a "cmd.exe" process from ASP.NET application running on the Windows 2003 server, and I have to use the Windows authentication only.

I use the following code:

ProcessStartInfo psi = new ProcessStartInfo("cmd.exe");
psi.UseShellExecute = false;
psi.RedirectStandardInput = true;
psi.RedirectStandardError = true;
psi.RedirectStandardOutput = true;

// Start the process
Process proc = Process.Start(psi);

This code works fine if (and only IF) a user that is accessing the application has Adminidtrators rights on the server.
I have these rights, I it worked fine for me.  But the application should be used by the limited number of other users.

In the web.config file for the application these users are listed in the <authorization> section:
 <allow users="username1,username2,username3,username4" />

In the <authentication> section mode is set to "Windows" /> and  <identity impersonate="true" />

However, if such a user try to run the application, it throws the Win32Exception "Access is denied" at the "Process.Start(psi);" line.   Somehow the application's catch block can't catch this exception (although it catches other exceptions;  I use several catch blocks here: catch (Win32Exception exc) { }, then catch (Exception exc) { }, then empty catch { } ), and the exception is displayed as unhandled.  This is the second problem: why the code does not catch the Process.Start exception.

And the first problem is to allow a limited group of domain users to run the application.
I tried to solve the problem by creating a Power Users group that has these users included.  I gave this group the full rights to all directories that I think are somehow related to the job:  current application directory, Windows and System32 directories, Program Files directory - it did not help.  I even added ASPNET account to this Power Users group - it did not help.

The program works OK on the Windows XP server, but I need it to run on 2003.

What else can I do???

Thank you in advance for your help.
pavelmedAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mmarinovCommented:
Hi pavelmed,

have you remove the anonymous access of the virtual directory/web site ?
this can be done by IIS console->Properties on the virtual directory/web site->Directory Security->Edit button within the Authentication and access control-> uncheck the check box for enabling anonimous access

Regards!
B..M
mmarinov
0
pavelmedAuthor Commented:
Hi mmarinov,

Yes, the anonymous access is removed.  Only Integrated Windows Authentication is checked.
Also please note that although this 2003 server has IIS 6.0, it runs in the 5.x isolation mode, so the application pooling is not enabled.
And I can't change the setting because it may interfere with other applications.

My point is: if it runs OK when the user who requests the site has administrators rights to the server, how can I substitute these rights by a custom Power Users group that may have full rights to any directory?  As I wrote, I tried this approach and assigned the Power Users rights to the current application directory, Windows and System32 directories, and Program Files directory, and it did not help.

Almost all code in the application is commented out, only the Process starting code from above is left.

Thank you.
0
pavelmedAuthor Commented:
Because of thorough security restrictions I have decide to abandon the idea of using cmd.exe process and running batch file statements in order to create and use network drive maps.

Instead, I will be using the ideas from the following article: http://dotnetjunkies.com/WebLog/bsblog/archive/2004/09/24/26730.aspx

It works well.

I am asking this question to be closed.

Thank you
0
WesLennonCommented:
Question author has answered his onw problem, this question will now go into PAQ, with points refunded.

Thank you,

Wes Lennon
Director
Experts Exchange
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.