Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Can't access web app from the LAN
RobWalker
#1 Posted : Thursday, February 19, 2015 11:41:10 PM(UTC)
Groups: Member
Joined: 11/16/2013(UTC)
Posts: 10
Location: Canada

I have been using UltiDev for a while on and off and it has worked great.

Now I am running into an issue where I can't access a hosted web app from the lan.

* Windows Server 2012 R2
* accessing: http://localhost:9001/ works fine
* Windows firewall is turned off
* no other security software running
* accessing by name or IP from the lan gives either error 503 or sometimes 400

netsh http show urlacl gives the following entries:

Reserved URL : http://localhost:9001/
User: SKEELCOURT\Administrator
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;LA)

Reserved URL : http://[::1]:9001/
User: SKEELCOURT\Administrator
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;LA)

Reserved URL : http://127.0.0.1:9001/
User: SKEELCOURT\Administrator
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;LA)

This matches what is shown in the UI (see attached screenshot).

Are there any ideas on why it is only binding to local interfaces ... I am sure this worked fine last time I checked (been a couple of months on this box)

Thanks
RobWalker attached the following image(s):
RobWalker attached the following image(s): Capture.PNG
Ultidev Team
#2 Posted : Saturday, February 21, 2015 5:52:11 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Rob.

We've got a couple of things for you to consider.

- You appear to run interactive version of the UWS. It makes the app it hosts accessible to external requests only when UWS interactive runs As Administrator (it's not enough to run under Administrator account when UAC is on). Otherwise UWS interactive accepts only requests coming from the loopback address. Exposing web applications to external requests, while running under a powerful interactive account is not a good idea from the security point of view.

- Consider registering your app with UWS service using UltiDev Web Server Explorer. That will make the application accessible to external requests, while giving you an option of running it under the relatively restricted Network Service user account.

Please let us know if this information has helped.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Guest
#3 Posted : Saturday, February 21, 2015 6:22:48 PM(UTC)
Groups:
Joined: 11/1/2005(UTC)
Posts: 278

Thanks for the response.

The host app for UWS is running elevated, and the UWS instance is too.

But if I register the app with the UWS service then it is accessible from the LAN OK.

Running IIS express directly on the directly (elevated) works and is accessible from the outside.

I have a separate host process that is currently launching UWS to host this site, and the lifetime of the UWS process is tied to the parent, I don't want it running the whole time.

This set up works fine on most boxes, but seems to fail on machines that are part of a Windows domain. The host process is set up to run elevated (via a manifest). Is there anything related to being in a domain that could trigger this problem?

Is it possible to programmatically register and control a web app?

Thanks!
RobWalker
#4 Posted : Saturday, February 21, 2015 6:23:51 PM(UTC)
Groups: Member
Joined: 11/16/2013(UTC)
Posts: 10
Location: Canada

Sorry, managed to reply without being signed in. Here was the screenshot I meant to include
RobWalker attached the following image(s):
RobWalker attached the following image(s): elevated.PNG
Ultidev Team
#5 Posted : Monday, February 23, 2015 10:47:30 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Rob.

It looks like when US interactive is started from your host process, it fails to detect that it runs elevated in this case. Let us look into the source of the logic that detects whether UWS runs elevated and see whether it has anything to do with a domain user context. We'll post the result of our research in 24 hours.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Ultidev Team
#6 Posted : Monday, February 23, 2015 9:55:28 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi!

Below is the PInvoke code that determines whether it's running elevated. We can't see any obvious fault with it. You are welcome to try it your host app to see whether it returns desired result.
An alternative is to register your application using UWS Configuration API to start hosting it, and unregister it when you host application is exiting.

Code:

private static bool GetProcessElevated()
{
    IntPtr tokenHandle;
    if (!OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_READ, out tokenHandle))
        throw new ApplicationException("Could not get process token. Win32 Error Code: " + Marshal.GetLastWin32Error());

    TOKEN_ELEVATION_TYPE elevationResult = TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault;

    int elevationResultSize = Marshal.SizeOf((int)elevationResult);
    uint returnedSize = 0;
    IntPtr elevationTypePtr = Marshal.AllocHGlobal(elevationResultSize);

    bool success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevationType, elevationTypePtr, (uint)elevationResultSize, out returnedSize);
    if (!success)
        throw new ApplicationException("Unable to get process elevation info.");

    elevationResult = (TOKEN_ELEVATION_TYPE)Marshal.ReadInt32(elevationTypePtr);
    bool elevated = elevationResult == TOKEN_ELEVATION_TYPE.TokenElevationTypeFull;
    return elevated;
}

private static uint STANDARD_RIGHTS_READ = 0x00020000;
private static uint TOKEN_QUERY = 0x0008;
private static uint TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);

[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

#region Enums

public enum TOKEN_INFORMATION_CLASS
{
    TokenUser = 1,
    TokenGroups,
    TokenPrivileges,
    TokenOwner,
    TokenPrimaryGroup,
    TokenDefaultDacl,
    TokenSource,
    TokenType,
    TokenImpersonationLevel,
    TokenStatistics,
    TokenRestrictedSids,
    TokenSessionId,
    TokenGroupsAndPrivileges,
    TokenSessionReference,
    TokenSandBoxInert,
    TokenAuditPolicy,
    TokenOrigin,
    TokenElevationType,
    TokenLinkedToken,
    TokenElevation,
    TokenHasRestrictions,
    TokenAccessInformation,
    TokenVirtualizationAllowed,
    TokenVirtualizationEnabled,
    TokenIntegrityLevel,
    TokenUIAccess,
    TokenMandatoryPolicy,
    TokenLogonSid,
    MaxTokenInfoClass
}

public enum TOKEN_ELEVATION_TYPE
{
    TokenElevationTypeDefault = 1,
    TokenElevationTypeFull,
    TokenElevationTypeLimited
}

#endregion Enums



Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
RobWalker
#7 Posted : Monday, February 23, 2015 10:31:45 PM(UTC)
Groups: Member
Joined: 11/16/2013(UTC)
Posts: 10
Location: Canada

Thank you!

I think that provides the answer. Checking for a result of TokenEvelationTypeFull is not always sufficient, they are some cases where the user is elevated by default so this call returns TokenEvelationTypeDefault

These appear to be (1) if UAC is disabled or (2) if the signed in user is the default Administrator rather than another user with administrator priveleges. There are some more details at https://candritzky.wordp...-administrator-account/

I think the following code will fix the problem:

Code:

        private static bool GetProcessElevated()
        {
            IntPtr tokenHandle;
            if (!OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_READ, out tokenHandle))
                throw new ApplicationException("Could not get process token. Win32 Error Code: " + Marshal.GetLastWin32Error());

            // check via TokenElevationType
            {
                TOKEN_ELEVATION_TYPE elevationResult = TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault;

                int elevationResultSize = Marshal.SizeOf((int)elevationResult);

                uint returnedSize = 0;
                IntPtr elevationTypePtr = Marshal.AllocHGlobal(elevationResultSize);

                bool success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevationType, elevationTypePtr, (uint)elevationResultSize, out returnedSize);
                if (!success)
                    throw new ApplicationException("Unable to get process elevation info.");

                elevationResult = (TOKEN_ELEVATION_TYPE)Marshal.ReadInt32(elevationTypePtr);
                bool elevated = elevationResult == TOKEN_ELEVATION_TYPE.TokenElevationTypeFull;

                Marshal.FreeHGlobal(elevationTypePtr);

                if (elevated)
                {
                    return true;
                }
            }

            // check via TokenElevation
            {
                int elevationResult = 0;

                int elevationResultSize = Marshal.SizeOf((int)elevationResult);

                uint returnedSize = 0;
                IntPtr resultPtr = Marshal.AllocHGlobal(elevationResultSize);

                bool success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevation, resultPtr, (uint)elevationResultSize, out returnedSize);
                if (!success)
                    throw new ApplicationException("Unable to get process elevation info.");

                bool elevated = (int)Marshal.ReadInt32(resultPtr) != 0;

                Marshal.FreeHGlobal(resultPtr);

                if (elevated)
                {
                    return true;
                }
            }

            return false;
        }


In my case I was running as Administrator (bad habit I know).

There was also a slight memory leak on the allocated result :)

Any chance this could be rolled into the next release?
Ultidev Team
#8 Posted : Tuesday, February 24, 2015 12:38:56 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Rob.

We actually do check for UAC on/off and whether user is a member of the Admin group, but in a slightly different way, before the IsElelveate() is called. So maybe we have a problem there. We'll try to ensure we have tighter logic in the next release, and plug the memory leak as well, but next release could be months away, unfortunately. We will review our UAC and IsAdmin logic later today and see if there is a user-level work-around there.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
RobWalker
#9 Posted : Wednesday, February 25, 2015 8:15:40 AM(UTC)
Groups: Member
Joined: 11/16/2013(UTC)
Posts: 10
Location: Canada

Thanks -- I think as a work around running as a non-Administrator user will work for now.
Ultidev Team
#10 Posted : Wednesday, February 25, 2015 9:32:23 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Thanks, Rob.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Ultidev Team
#11 Posted : Wednesday, March 4, 2015 9:33:13 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Hi, Rob.

We may release next build UWS rather soon, in a week or two, as we found and fixed another bug that may affect significant number of users. Therefore, we'll incorporate your elevation check bug fix too. Do you mind if we use the code you have posted for the fix?

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
RobWalker
#12 Posted : Thursday, March 5, 2015 8:36:51 AM(UTC)
Groups: Member
Joined: 11/16/2013(UTC)
Posts: 10
Location: Canada

That's great -- absolutely feel free to use the code snippet if it helps!
Ultidev Team
#13 Posted : Friday, March 6, 2015 12:10:52 AM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Thanks, Rob.

We can send you a new build a few days ahead of the general availability so you could check if we took care of the problem you have found. Please let us know if you would like to get the new build before the GA. And thank you for letting us use your code.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
RobWalker
#14 Posted : Saturday, March 7, 2015 12:22:03 PM(UTC)
Groups: Member
Joined: 11/16/2013(UTC)
Posts: 10
Location: Canada

That would be great -- let me know when you have something and I can try it out.

Thanks.
Ultidev Team
#15 Posted : Tuesday, March 10, 2015 12:30:22 PM(UTC)
Ultidev Team

Groups: Administration
Joined: 11/3/2005(UTC)
Posts: 2,253

Thanks: 28 times
Was thanked: 60 time(s) in 59 post(s)
Rob,
We've sent you a link with the pre-release build 21. Please let us know if you got it.

Best regards,
UltiDev Team.
Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Rss Feed  Atom Feed
Users browsing this topic
Guest (4)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You can vote in polls in this forum.