I'm trying to use IIS 7 management API but stuck with a security issue. My application is regular ASP.NET site running on .NET 4 (integrated pipeline). The machine is Windows 7 x64 (the app pool is default, running under ApplicationPoolIdentity, x64). The site uses the following settings:
<identity impersonate="true" /> <authentication mode="Windows" /> <customErrors mode="Off" /> <authorization> <deny users="?" /> </authorization>
My site tries to read other site's details via IIS management API (at localhost). I'm logged in as a member of local Administrators. In IE i try to open my page but get this:
Site 'mysite' at 'myhost' is unknown.System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value() at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property) at Microsoft.Web.Administration.Site.get_State()
I don't understand why. I'm damn sure the code runs in impersonation context of my account (can see this is debugger watching
System.Threading.Thread.CurrentPrincipal). What am i doing wrong?
UAC is on, but i believe that's not important. Checked NTFS permissions on C:\Windows\system32\inetsrv\config folder - full access for Administrators.
UAC is indeed the root of all evil. Impersonation behavior is broken when it's on. Something is really over-complicated here :(
When UAC is enabled and the current security context is impersonated, the principal reports he's not a member of local Administrators group. But he is. It has something to do with interactive/non-interactive sessions.
User contributions licensed under CC BY-SA 3.0