Hi,

I need to run/execute a small VFP 9 EXE program from a ASP.NET page (from code behind). But I don't want to use Process class. Process class executes the VFP 9 EXE in the same workspace (or whatever the term is) as the ASP.NET itself. I want the VFP 9 EXE program to run as if it was executed from a command line or somehow "outside" the ASP.NET. The VFP 9 program has just a couple of lines: it determines the username and stores it in a text file.

TIA

You can create a COM object and invoke that from ASP.NET.

If you create an EXE COM server you can set DCOM permissions on it that allow you to set the identify of the process when it runs which can be different of the process that is invoking it.

That said this is a terrible idea - changing security context in an application's flow is fraught with problems as you are likely to forget that this is configured and potentially opens vulnerabilities.

It's better to run your Web process under the appropriate account that has exactly the rights that are needed - you can configure the Application Pool identity for your ASP.NET application as needed and I would add the permissions to that identity that are needed to execute your process which then allows you to use Process.Start().

+++ Rick ---

Thank you.

If you don't mind, a follow up question.

I have Windows authentication set in the web.config as follows: <authentication mode="Windows" />

Why do I never get the value of HttpContext.Current.Request.IsAuthenticated to be True? Always, no matter where, I get False.

Because you need to force authentication in order to get an authenticated user. It doesn't happen automatically. You can force authentication if you disable Anonymous Authentication for the site/virtual.

+++ Rick ---

You can force authentication if you disable Anonymous Authentication for the site/virtual.

When I disable Anonymous Authentication, I get error "HTTP Error 401.2 - Unauthorized"

Then I read in the web.config (standard language):

"Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to its settings for the application.

My question, please, when IIS performs authentication, how do you set up Basic, Digest, or Integrated Windows? Where in IIS you set it up and how?

Thanks.

You need to enable Windows and/or Basic authentication in IIS on the Web site in order for Windows authentication to work.

See here:

• Web Connection IIS Configuration

Then make sure you either:

• Remove Anonymous Access (everybody will be authenticated always)
• Remove users IUSR_ permissions from a specific folder

Both of those should automatically trigger authentication to fire with a login dialog.

+++ Rick ---

Thank you very much.

I will follow your suggestions.

By setting the Anonymous Authentication to Disable and Windows Authentication to True, I - finally - get the User.Identity.IsAuthenticated as True.

But. It only works if I run the page under localhost. That is, this URL: http://localhost/test.aspx'/ Works. That is this page shows the folliwing: User.Identity.Name: DOMAINNAME/MyIserName (that is the username in AD). Correct. Request.LogonUserIdentity.Name: DOMAINNAME/MyIserName (that is the username in AD). Correct. Environment.UserName: ServerName$

But most important, if try to load the page from the server name, I am prompted to enter the Windows username and password. That is, this URL: http://servername/test.aspx/ Asks for the username and password.

Why it works in the localhost but not in the servername?

TIA

That's the behavior you should see.

You don't have to log in on localhost because the local machine can authenticate you based on your Windows credentials. That's not the case with a remote machine.

Relying solely on Windows AUthentication is not a good idea anyway - too many issues with that, but even if you use Windows Auth, in an application it usually needs to be supplemented by an internal tracking mechanism for users and cookie based authentication. With Cookie Auth you can then cache authentication information - which is not possible with Windows Authentication.

+++ Rick ---

Thank you for your prompt reply.

The reason I was looking for being able to have the asp.net page Windows authenticated is as follows: The clients wants to have my ASP.NET page - automatically - determine the person/client's Active Directory/Windows username. So far, I cannot figure how. And I thought that if I run the page in the Windows Authenticated mode (which works with the localhost) the page can "see" the user AD/Windows username.

And keep in mind that I am running this test.asp on the VM server. So, theoretically (and I may be wrong), localhost should have the same credentials that the server name does. But I am probably not seeing everything. I will keep trying.

Again, thank you for your help.

You can do that with windows authentication, yes, but it won't set the global user that the application runs under. That will never change (unless you explicitly change it).

But you can retrieve the user's active login via the User Identity.

It'll be in (off the top of my head - so check exact location):

// This never changes - Application Pool Identity 
string applicationUsername = Environment.UserName;

// This is the authenticated user or an empty user (you can check .IsAuthenticated)
string loggedOnUsername = Context.User.Identity?.Username;

+++ Rick ---

Yes, this is what my test.aspx shows.

The value of <User.Identity.Name/> and <HTTPContext.Current.User.Identity.Name/> returns the person's AD username who is logged in the PC.
But so far it only works when I run the page on the server with localhost. And when I run the page, on the same server, but with the servername (instead of the localhost), the page prompts me to log in.

I will need to figure out (if possible) how to make it work with the servername in the URL (and not localhost). Because when the client loads the page in their browser, localhost is not the same as the one on the server.

Sorry, One more question, please (I have taken already a lot of your time).

I am running this test page on my computer (Windows 7). The ASP.NET is in my IIS.

But I can only bring up the page with localhost. Example, http://localhost/test.aspx

How do I replace the "localhost" with my computer name?

On the customer servers I can simply replace the "localhost" with the server name and it works. For example, http//servername/test.aspx

But on my computer when I replace the localhost with my computer name (example: http//dell2018:8080/test.aspx the error message: This page can't be displayed.

What I am trying to do is emulate how the page will behave on the customer VM.

Thank you.

If I may jump in here...

Dmitry, I think you're pursuing a hopeless cause. A remote web client (i.e. one not running on localhost) would never have access to domain & username detail because this would be a huge security risk - it'd be giving away potentially very-sensitive detail to the server about a visitor to the site, without their permission. On a corporate domain, this could provide a big clue to the visitors email address.

Let's say they're logged into their local machine as MyDomainName.com\Forename.Surname - it's not a huge leap to assume that their email address may be Forename.Surname@MyDomainName.com. I believe this sort of detail may have been available in VERY early versions of browsers (15+ years ago) but then the browser development teams realised their mistake & switched it off. (From the looks of some of the named fields, it used to be possible to determine the machine name too...!)

Your best bet would probably be an approach which I've seen used by a site which one of my clients uses, which is to send an email to the "authorised" users with a unique hyperlink in it, back to the webserver in question, which in turn then creates a long-lived cookie. The cookie would preserve the unique identifier, that could subsequently be requested by the server as soon as the user tries to access the page, and the server could then look this up in a table, figure out which user it applied to, and then proceed from there. The cookies would be stored in the local user's private web cache so would be unique to that Windows login, so if someone else were to log in on that machine, they would need to be authorised separately.

Hope this helps.

Keith

Keith,

Thank you very much for the detailed message. It all makes sense.

I actually changed the way this project works. Now a user has to enter his/her username and then the information is pulled from Active Directory.

Dmitry

Yeah that's a much better way to do this because Windows auth is unreliable across browsers and has all sorts of security implications.

@Keith - For Windows Auth, the remote client doesn't have to have access to the domain in order to be able to authenticate against the Web server. You can authenticate just fine with Windows auth over the Internet from any computer.

What won't work is automatically logging you in if you're not on the same domain and not using the same account. For example, I notice I can log into my Web server with Windows auth without having to explicitly login. The user name is the same, but the Web Server is not directly network accessible from my local machine (except over TCP ports like 80/443). Not quite sure how that works, but somehow I suspect Edge is caching the Windows credentials. This doesn't work the same in Firefox (but also seems to work in Chrome) so likely this is browser specific.

Regardless though - I wholeheartedly agree that using Windows Authentication for application level code is a bad idea and robs you of control (and some level of security). It's always better to explicitly use Cookie based security. Even for federated security like Google/Microsoft/FB/Twitter login, the way that's usually handled is to log in using the oAuth provider and then managing the actual local login via cookie auth until it expires.

+++ Rick ---

Hi,

A customer sent me a photo showing the "message" in the VFP 9 program. The message says:

"The action cannot be completed because the other program is busy. Choose 'Switch to' to activate the busy program and correct the problem"

The buttons on this message box are: "Switch To" "Retry"

Can the following line create the above messagebox/issue?

DO wwSmtp && load libraries

Should the above line to be enclosed with TRY-CATCH?

TIA

do wwSmtp only loads libraries (ie. SET PROCEDURE TO commands). Nothing that can lock.

+++ Rick ---

Thank you for your reply.

But you can certainly lock up when you send an email and the email server is not responding or hanging on the server end...

+++ Rick ---

But you can certainly lock up when you send an email and the email server is not responding or >>hanging on the server end...

Would you say that the following like is where the server hanging would manifest?

lSuccess = loSmtp.SendMail() 

And if above is true, how do you suggest to get around the issue I described?

Thank you.

Yes that would be the place where it hangs - trying to make a connection. You can tweak the connection timeout to minimize how long it waits for connection. By keeping it short you can try to keep the 'hang' shorter.

But ultimately you have to ensure your mail server and connection settings are set up correctly. If you hang there is ultimately some problem that needs to be fixed and hanging in that scenario is just a symptom not the cause of the problem.

+++ Rick ---

Thank you.

This problem happens only in rare cases. But when it does, the customer is pissed; thinking that it is my problem. I do have the TRY CATCH around the

lSuccess = loSmtp.SendMail() 

But it does not seem to help. If I can set up a time-out of the SendMail() of your tool, please let me know. Then, I may just set this time-out and the Catch will allow the program to close gracefully.

Well this is a problem with FoxPro because it's a single threaded environment - so you can't run the operation in the background and you have to wait for the process to complete - if it can't connect due to a network problem you're stuck waiting. As I said you can avoid the worst of this by using a short connection timeout of a few seconds or so. If the connection is up and working these days connections are very fast and if it doesn't well then you hang for a few seconds at most. I think the default Windows socket timeout is 20 seconds which is quite long.

If you don't care about the result you can use SendMailAsync() which sends asynchronously and lets your FoxPro code go on, but when you do that you won't know the result of the send operation whether it worked or not - it's just send and forget.

+++ Rick ---

Thank you very much for the explanation!

If you don't care about the result you can use SendMailAsync() which sends asynchronously and >>lets your FoxPro code go on, but when you do that you won't know the result of the send >>operation whether it worked or not - it's just send and forget.

Something to consider.

Again, thank you.