0

I have to do an IIS module that blocks access to users who don't have a certificate from a certain CA. I did a CTL - certificate trust list. I tested it using netsh http add sslcert ip.... and it works. Now all i have to do is implement the call of netsh in the c# class library. I tryed to use:

        Process pnet = new Process();
        pnet.StartInfo.FileName = "netsh";
        pnet.StartInfo.Arguments = "http delete sslcert ipport=0.0.0.0:443";
        pnet.StartInfo.UseShellExecute = false;
        pnet.StartInfo.CreateNoWindow = true;
        pnet.Start();
        pnet.Close();

This works in a C# console application, but in the C# library class, doesn't start. 

       namespace IISproject
       {
       public class MyModule : IHttpModule
       {
       #region IHttpModule Members
       public void Dispose()
       { 
       }
       public void Init(HttpApplication context)
       {
       context.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }
    #endregion
    public void OnPreRequestHandlerExecute(Object source, EventArgs e)
    {
        HttpApplication app = (HttpApplication)source;
        HttpRequest request = app.Context.Request;
        if (!String.IsNullOrEmpty(request.Headers["Referer"]))
        {
            throw new HttpException(403,
                                                    "Uh-uh!");
        }
        Process pnet = new Process();
        pnet.StartInfo.FileName = "netsh";
        pnet.StartInfo.Arguments = "http delete sslcert ipport=0.0.0.0:443";
        pnet.StartInfo.UseShellExecute = false;
        pnet.StartInfo.CreateNoWindow = true;
        pnet.Start();
        pnet.Close(); 
    }
}

What am i doing wrong?10x

Claudiu Stanciu
  • 1
  • 1
  • "doesn't start": do you get any errors? (see eventlog maybe?). Note that a console application will run under your account, while aspnet runs under a low-privilege account - that might be your problem. – Hans Kesting Apr 13 '11 at 09:08

2 Answers2

1

The first suspect in these kinds of situations in my book, absent details, is some sort of path issue. Try fully qualifying the command path and see if it works any better.

pnet.StartInfo.FileName = Environment.SystemDirectory + @"\netsh.exe"; // or something like that

I would be cautious about the general pattern of invoking an external command this way, though, but since you are providing both the file name and its arguments, it should be a reasonably safe thing to do. If you have the time, and haven't done so already, you might want to look into if there is an API to do what you want. Chances are there is; netsh probably isn't magic.

user
  • 6,897
  • 8
  • 43
  • 79
1

What am i doing wrong?10x

I'd say: you are not caring for security enough. Obviously IIS will not spawn any odd application. You need to run it in an application pool configured to run as a user with permissions to launch that process.

You might get mileage out of windows integrated authentication; that way the user logging into the web-server will implicitely determine the permissions with which the process is launched.

That said, you will be much better of emplying a native API (ADSI, WMI?) to achieve the goal

sehe
  • 374,641
  • 47
  • 450
  • 633
  • 10x for the ideas guys. I found the problem. First I tested a c# console application with the command netsh http show sslcert. For this you don't need admin privilege, but for the delete command you need admin privilege. So thanks sehe. so now i need to find a way to run the CMD.exe in admin mode from c# code. I searched a little and found the runas command. But it doesn't quite suit me, because it will open another cmd.exe window. If you guys have any idea, please let me know. I can't search for another API, this is an assignment that I need to do. 10x again. – Claudiu Stanciu Apr 13 '11 at 14:59
  • Have a look at windows security: `Impersonation`. There is an article with code [on CodeProject](http://www.codeproject.com/KB/cs/zetaimpersonator.aspx) and this [SO Answer](http://stackoverflow.com/questions/559719/windows-impersonation-from-c/559740#559740) reports good links+good results – sehe Apr 13 '11 at 15:06