Web service cannot open named pipe - access denied

I have a C++ service that provides a named pipe to clients with NULL SECURITY_ATTRIBUTES like this:

    hPipe = CreateNamedPipe(
        lpszPipename,
        PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
        PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
        PIPE_UNLIMITED_INSTANCES,
        BUFSIZE,
        BUFSIZE,
        0,
        NULL);

There is a DLL that uses this pipe to get services.

There is a C# GUI that uses the DLL and works great.

There is a .NET website that also uses this DLL (the same one on the same PC) but always gets permission denied when it tries to open the channel.

Does anyone know why this might be happening and how to fix it?

Also, does anyone know of a good tutorial on SECURITY_ATTRIBUTES? I haven't figured out the MSDN information yet.

Thanks, Patrick

+1



3 answers


The default ACL for named pipes (which is what you get with a null security descriptor) grants write access only to LocalSystem, Administrators, and the owner/creator of the pipe. If your web application is not running under one of these accounts (it won't by default), you won't be able to get write access. (I'm assuming you are asking for read/write.)

There are several options...



  • Have the web application run under the same account as the service that created this channel.

  • Configure your web application to use impersonation, either by specifying a specific user with write access in the web.config, or by setting it up to use the user supplied by IIS (and accessing the application from a user account with write access).

  • Manually impersonate a user with write access around all channel access (for example, using WindowsIdentity.Impersonate).

  • Use a non-default security descriptor for the channel that grants write access to everyone (or the specific account running the application, although this would be more difficult to configure).

Here's an example of creating a simple security descriptor here; you should be able to modify it according to your needs.

+2
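The last option in the answer above, in its specific-account form, as an added example (not code from the question or the answers): the pipe gets an explicit DACL that grants read/write to one client SID instead of Everyone. The function names, the DACL layout and the client access mask are assumptions made for this example; the Windows part compiles only under `_WIN32`.

```c
#include <stdio.h>
#include <string.h>

/* FILE_GENERIC_READ | FILE_GENERIC_WRITE minus FILE_CREATE_PIPE_INSTANCE (0x4):
   the client may read and write the pipe but not create new instances of it. */
#define CLIENT_RW_MASK 0x12019bUL

/* Build the pipe DACL as SDDL: full control for LocalSystem (SY) and
   Administrators (BA), read/write for one client SID. Returns 0 on success. */
int build_pipe_sddl(const char *sid, char *out, size_t outlen)
{
    /* Accept only "S-1-" followed by digits and dashes, so the caller's string
       cannot smuggle an extra ACE such as ")(A;;GA;;;WD" into the descriptor. */
    if (sid == NULL || strncmp(sid, "S-1-", 4) != 0 || sid[4] == '\0' ||
        strspn(sid + 4, "0123456789-") != strlen(sid + 4))
        return -1;
    int n = snprintf(out, outlen, "D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x%lx;;;%s)",
                     CLIENT_RW_MASK, sid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
/* The CreateNamedPipe call from the question, with the descriptor built
   above in place of NULL. Link with advapi32. */
HANDLE create_pipe_for_sid(const char *name, const char *sid, DWORD bufsize)
{
    char sddl[256];
    SECURITY_ATTRIBUTES sa = { sizeof(SECURITY_ATTRIBUTES), NULL, FALSE };
    if (build_pipe_sddl(sid, sddl, sizeof sddl) != 0 ||
        !ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return INVALID_HANDLE_VALUE;
    HANDLE h = CreateNamedPipeA(name, PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
                                PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
                                PIPE_UNLIMITED_INSTANCES, bufsize, bufsize, 0, &sa);
    LocalFree(sa.lpSecurityDescriptor); /* the pipe object keeps its own copy */
    return h;
}
#endif
int main(void)
{
    char sddl[256];
    /* Sample SID: S-1-5-20 is the well-known NETWORK SERVICE account. */
    if (build_pipe_sddl("S-1-5-20", sddl, sizeof sddl) == 0)
        puts(sddl);
    return 0;
}
```

If the service does not run as LocalSystem or an administrator, add an ACE for its own account as well, since an explicit DACL replaces the default one entirely.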



Check the authentication type used by the ASP.NET website and the impersonation settings in the web.config file for that site. Chances are, the ASP.NET code is running under an account that prevents named pipes from being created on your machine.

You may be able to fix this by granting more permissions to the account used by the ASP.NET application, or by configuring this web application to use a different (higher priority) account. Having said that, do you really want remote visitors to your website to be able to create named pipes? I will not lecture you, I suppose you have thought about it.



The most accessible and detailed description of SECURITY_ATTRIBUTES I've ever seen is in this book by Keith Brown: http://www.amazon.co.uk/gp/product/0201604426

+2



By adding the line:

    <identity impersonate="true" />

to <system.web> in the web.config file, access to the channel is allowed. I would not advise others to use this as I am not sure about the security implications, but it fits our requirements right now.

Thanks to both Eric and Martin for giving me pointers in the right direction.

+2

