Can't access web app from the LAN - Web Server *PRO* Questions and Bug Reports

Welcome Guest! To enable all features please Login or Register.

Notification

Error

UltiDev Forum » UltiDev Web Server Pro » Web Server *PRO* Questions and Bug Reports » Can't access web app from the LAN

Can't access web app from the LAN

Options

Previous Topic Next Topic

RobWalker		#1 Posted : Thursday, February 19, 2015 11:41:10 PM(UTC)
Groups: Member Joined: 11/16/2013(UTC) Posts: 10 Location: Canada		I have been using UltiDev for a while on and off and it has worked great. Now I am running into an issue where I can't access a hosted web app from the lan. * Windows Server 2012 R2 * accessing: http://localhost:9001/ works fine * Windows firewall is turned off * no other security software running * accessing by name or IP from the lan gives either error 503 or sometimes 400 netsh http show urlacl gives the following entries: Reserved URL : http://localhost:9001/ User: SKEELCOURT\Administrator Listen: Yes Delegate: No SDDL: D:(A;;GX;;;LA) Reserved URL : http://[::1]:9001/ User: SKEELCOURT\Administrator Listen: Yes Delegate: No SDDL: D:(A;;GX;;;LA) Reserved URL : http://127.0.0.1:9001/ User: SKEELCOURT\Administrator Listen: Yes Delegate: No SDDL: D:(A;;GX;;;LA) This matches what is shown in the UI (see attached screenshot). Are there any ideas on why it is only binding to local interfaces ... I am sure this worked fine last time I checked (been a couple of months on this box) Thanks RobWalker attached the following image(s):
Back to top

User Profile View All Posts by User View Thanks

Ultidev Team		#2 Posted : Saturday, February 21, 2015 5:52:11 PM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Hi, Rob. We've got a couple of things for you to consider. - You appear to run interactive version of the UWS. It makes the app it hosts accessible to external requests only when UWS interactive runs As Administrator (it's not enough to run under Administrator account when UAC is on). Otherwise UWS interactive accepts only requests coming from the loopback address. Exposing web applications to external requests, while running under a powerful interactive account is not a good idea from the security point of view. - Consider registering your app with UWS service using UltiDev Web Server Explorer. That will make the application accessible to external requests, while giving you an option of running it under the relatively restricted Network Service user account. Please let us know if this information has helped. Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW

User Profile View All Posts by User View Thanks

Guest		#3 Posted : Saturday, February 21, 2015 6:22:48 PM(UTC)
Groups: Joined: 11/1/2005(UTC) Posts: 278		Thanks for the response. The host app for UWS is running elevated, and the UWS instance is too. But if I register the app with the UWS service then it is accessible from the LAN OK. Running IIS express directly on the directly (elevated) works and is accessible from the outside. I have a separate host process that is currently launching UWS to host this site, and the lifetime of the UWS process is tied to the parent, I don't want it running the whole time. This set up works fine on most boxes, but seems to fail on machines that are part of a Windows domain. The host process is set up to run elevated (via a manifest). Is there anything related to being in a domain that could trigger this problem? Is it possible to programmatically register and control a web app? Thanks!
Back to top

RobWalker		#4 Posted : Saturday, February 21, 2015 6:23:51 PM(UTC)
Groups: Member Joined: 11/16/2013(UTC) Posts: 10 Location: Canada		Sorry, managed to reply without being signed in. Here was the screenshot I meant to include RobWalker attached the following image(s):
Back to top

User Profile View All Posts by User View Thanks

Ultidev Team		#5 Posted : Monday, February 23, 2015 10:47:30 AM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Hi, Rob. It looks like when US interactive is started from your host process, it fails to detect that it runs elevated in this case. Let us look into the source of the logic that detects whether UWS runs elevated and see whether it has anything to do with a domain user context. We'll post the result of our research in 24 hours. Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW

User Profile View All Posts by User View Thanks

Ultidev Team		#6 Posted : Monday, February 23, 2015 9:55:28 PM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Hi! Below is the PInvoke code that determines whether it's running elevated. We can't see any obvious fault with it. You are welcome to try it your host app to see whether it returns desired result. An alternative is to register your application using UWS Configuration API to start hosting it, and unregister it when you host application is exiting. Code: private static bool GetProcessElevated() { IntPtr tokenHandle; if (!OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_READ, out tokenHandle)) throw new ApplicationException("Could not get process token. Win32 Error Code: " + Marshal.GetLastWin32Error()); TOKEN_ELEVATION_TYPE elevationResult = TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault; int elevationResultSize = Marshal.SizeOf((int)elevationResult); uint returnedSize = 0; IntPtr elevationTypePtr = Marshal.AllocHGlobal(elevationResultSize); bool success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevationType, elevationTypePtr, (uint)elevationResultSize, out returnedSize); if (!success) throw new ApplicationException("Unable to get process elevation info."); elevationResult = (TOKEN_ELEVATION_TYPE)Marshal.ReadInt32(elevationTypePtr); bool elevated = elevationResult == TOKEN_ELEVATION_TYPE.TokenElevationTypeFull; return elevated; } private static uint STANDARD_RIGHTS_READ = 0x00020000; private static uint TOKEN_QUERY = 0x0008; private static uint TOKEN_READ = (STANDARD_RIGHTS_READ \| TOKEN_QUERY); [DllImport("advapi32.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle); [DllImport("advapi32.dll", SetLastError = true)] public static extern bool GetTokenInformation(IntPtr TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength); #region Enums public enum TOKEN_INFORMATION_CLASS { TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled, TokenIntegrityLevel, TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, MaxTokenInfoClass } public enum TOKEN_ELEVATION_TYPE { TokenElevationTypeDefault = 1, TokenElevationTypeFull, TokenElevationTypeLimited } #endregion Enums Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW

User Profile View All Posts by User View Thanks

RobWalker		#7 Posted : Monday, February 23, 2015 10:31:45 PM(UTC)
Groups: Member Joined: 11/16/2013(UTC) Posts: 10 Location: Canada		Thank you! I think that provides the answer. Checking for a result of TokenEvelationTypeFull is not always sufficient, they are some cases where the user is elevated by default so this call returns TokenEvelationTypeDefault These appear to be (1) if UAC is disabled or (2) if the signed in user is the default Administrator rather than another user with administrator priveleges. There are some more details at https://candritzky.wordp...-administrator-account/ I think the following code will fix the problem: Code: private static bool GetProcessElevated() { IntPtr tokenHandle; if (!OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_READ, out tokenHandle)) throw new ApplicationException("Could not get process token. Win32 Error Code: " + Marshal.GetLastWin32Error()); // check via TokenElevationType { TOKEN_ELEVATION_TYPE elevationResult = TOKEN_ELEVATION_TYPE.TokenElevationTypeDefault; int elevationResultSize = Marshal.SizeOf((int)elevationResult); uint returnedSize = 0; IntPtr elevationTypePtr = Marshal.AllocHGlobal(elevationResultSize); bool success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevationType, elevationTypePtr, (uint)elevationResultSize, out returnedSize); if (!success) throw new ApplicationException("Unable to get process elevation info."); elevationResult = (TOKEN_ELEVATION_TYPE)Marshal.ReadInt32(elevationTypePtr); bool elevated = elevationResult == TOKEN_ELEVATION_TYPE.TokenElevationTypeFull; Marshal.FreeHGlobal(elevationTypePtr); if (elevated) { return true; } } // check via TokenElevation { int elevationResult = 0; int elevationResultSize = Marshal.SizeOf((int)elevationResult); uint returnedSize = 0; IntPtr resultPtr = Marshal.AllocHGlobal(elevationResultSize); bool success = GetTokenInformation(tokenHandle, TOKEN_INFORMATION_CLASS.TokenElevation, resultPtr, (uint)elevationResultSize, out returnedSize); if (!success) throw new ApplicationException("Unable to get process elevation info."); bool elevated = (int)Marshal.ReadInt32(resultPtr) != 0; Marshal.FreeHGlobal(resultPtr); if (elevated) { return true; } } return false; } In my case I was running as Administrator (bad habit I know). There was also a slight memory leak on the allocated result :) Any chance this could be rolled into the next release?
Back to top		\| Edit by moderator

User Profile View All Posts by User View Thanks

Ultidev Team		#8 Posted : Tuesday, February 24, 2015 12:38:56 PM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Hi, Rob. We actually do check for UAC on/off and whether user is a member of the Admin group, but in a slightly different way, before the IsElelveate() is called. So maybe we have a problem there. We'll try to ensure we have tighter logic in the next release, and plug the memory leak as well, but next release could be months away, unfortunately. We will review our UAC and IsAdmin logic later today and see if there is a user-level work-around there. Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW

User Profile View All Posts by User View Thanks

RobWalker		#9 Posted : Wednesday, February 25, 2015 8:15:40 AM(UTC)
Groups: Member Joined: 11/16/2013(UTC) Posts: 10 Location: Canada		Thanks -- I think as a work around running as a non-Administrator user will work for now.
Back to top

User Profile View All Posts by User View Thanks

Ultidev Team		#10 Posted : Wednesday, February 25, 2015 9:32:23 AM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Thanks, Rob. Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW

User Profile View All Posts by User View Thanks

Ultidev Team		#11 Posted : Wednesday, March 4, 2015 9:33:13 PM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Hi, Rob. We may release next build UWS rather soon, in a week or two, as we found and fixed another bug that may affect significant number of users. Therefore, we'll incorporate your elevation check bug fix too. Do you mind if we use the code you have posted for the fix? Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW \| Edit by user

User Profile View All Posts by User View Thanks

RobWalker		#12 Posted : Thursday, March 5, 2015 8:36:51 AM(UTC)
Groups: Member Joined: 11/16/2013(UTC) Posts: 10 Location: Canada		That's great -- absolutely feel free to use the code snippet if it helps!
Back to top

User Profile View All Posts by User View Thanks

Ultidev Team		#13 Posted : Friday, March 6, 2015 12:10:52 AM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Thanks, Rob. We can send you a new build a few days ahead of the general availability so you could check if we took care of the problem you have found. Please let us know if you would like to get the new build before the GA. And thank you for letting us use your code. Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW

User Profile View All Posts by User View Thanks

RobWalker		#14 Posted : Saturday, March 7, 2015 12:22:03 PM(UTC)
Groups: Member Joined: 11/16/2013(UTC) Posts: 10 Location: Canada		That would be great -- let me know when you have something and I can try it out. Thanks.
Back to top

User Profile View All Posts by User View Thanks

Ultidev Team		#15 Posted : Tuesday, March 10, 2015 12:30:22 PM(UTC)
Groups: Administration Joined: 11/3/2005(UTC) Posts: 2,253 Thanks: 28 times Was thanked: 60 time(s) in 59 post(s)		Rob, We've sent you a link with the pre-release build 21. Please let us know if you got it. Best regards, UltiDev Team. Please donate at http://www.ultidev.com/products/Donate.aspx to help us improve our products.
Back to top		WWW

User Profile View All Posts by User View Thanks

Rss Feed

Atom Feed

Users browsing this topic
Guest (2)

UltiDev Forum » UltiDev Web Server Pro » Web Server *PRO* Questions and Bug Reports » Can't access web app from the LAN

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You can vote in polls in this forum.