How to start process from ASP.NET Web Service (and allow to it to do everything what it wants to do)?

Question

There is a Web Service installed on Amazon Server. Exposed WebMethod should start an executable. But, it seems that process (executable) started by WebMethod has not permissions to finish its job. If a WebMethod is called locally (using IE on Amazon VM) I can trace some events into log file placed on the path: C:\\\\LogFiles . But, if it is called from remote machine, there is no even log files. Locally, on my machine all works fine. The question: is there any way or settings in IIS7 to allow to my WebService to create process that can do everything I want to do? In web.config file I added a line:

<identity impersonate="true" userName="USERNAME" password="password"/>

(userName and password are, of course, written correctly in the file).

Also, I tried to use impersonization as it is explained here , but there is no result. My process can't do its job, it cannot even trace actions into log file. Locally, on my machine, everything works fine.

Any idea how to change settings or whatever into IIS7?

EDIT: In addition to the main question: my WebService is not able even to create log files on the path: C:\\\\LogFiles - although it is able if it started locally, but remotely there is no simple log file that contains some string. How to allow it to create simple text files?

Answer 1

If all else fails, you may start such a process separately and make it wait for a signal. You can supply a signal in many ways — via an IP socket, via a mailslot, via a named pipe. The web service will post requests to the command pipe (or queue), and the 'executor' process will pop commands, execute them, and wait for more commands.

Answer 2

You should avoid trying to start external processes from ASP.NET - if anything, because your application will then be running under the context of the ASP.NET account. (Yes, you could use impersonation to launch into another account, but, lets not go there)

Instead, install a Windows Service which can receive a signal* to launch the executable you wish.

This has the advantage that you can customise what account the service runs under, without putting passwords inside your code.

(*) Signalling could be achieved through a number of means:

• WCF Service Call (using a WCF Service being hosted by the Windows service)
• Monitoring for a filesystem change to a known directory.

Answer 3

If you were using Linux, I would have given you the smartest solution ever , setting SUID flag, which is not possible in Windows.

The problem with impersonation is that it works as soon as you have some control over the server machine, more than having appropriate credentials.

You mentioned Amazon VM: I'm pretty certain that they won't allow, for security reasons, to perfrom impersonation. [Add] Or, better, they won't allow anybody to write in C:\\

Option 1

Switch to Mono/Linux, set SUID bit using chmod from console and rock !!

Option 2

If you can run the executable other way than ASP.NET (ie. you have a Remote Desktop, SSH*) as privileged account (note: privileged doesn't mean Administrator ) then you can redesign your application to have ASP.NET invoke services from your daemon process using WCF, Web Services or Remoting. But, in this case, you have to redesign your executable to be a stand-alone server.

[Add] None of the solution fix if your hosting provider doesn't allow you to write in paths such as C:\\ , but only allows you to write under your home directory.

*It works on Windows too!!!! And I mean the server!!!