Yes, I eventually realised that in order to do this kind of action, you 
must impersonate LocalSystem in your C# custom action.
But in order to do that, you must have a privilege called:
"Act as part of the operating system" OR "SE_TCB_NAME".
LocalSystem has this privilege, but no users, and it's a security risk 
to give it to a user account, since with this privilege you can do almost
everything on the local machine. Plus barely anyone that will be using 
the installers will have this privilege, thus again not being able to 
impersonate LocalSystem.
So it's better to not breach any security "walls", and instead notify 
the user that in the scenario I described in the previous post of this 
thread, the installer will not be able to verify the connectionstring.


Rob Mensching wrote:
> Forget installation for a moment. How would you do this in any program?
>
> On Wed, Jul 14, 2010 at 2:24 PM, Stelios Kyprou <
> stelios.kyp...@formicary.net> wrote:
>
>   
>> That would not help in my case though, since I am aiming to validate any
>> user defined values entered in the UI sequence.
>> So in the case where the user chooses to run the "service to be
>> installed" as LocalSystem, and the connectionstring uses integrated
>> security, I want to make sure that the connectionstring is correct, by
>> connecting and disconnecting to the database.
>> If the action does not succeed, I would like to prevent the user from
>> going to the next dialog, until I'm sure that all values are correct.
>>
>> Now in the case where integrated security is true but the service
>> account is a user account, I could go around it by impersonating that
>> user and then doing the DB connect attempt.
>>
>> Not sure if it would be good practice to try and impersonate the local
>> system account though.
>>
>> So there is no way around this?
>> That would mean that I would provide an "incomplete" Installer since I
>> can validate ALL user defined values except the case where:
>> connectionstring uses Integrated Security and the account that will be
>> used based on that configuration is LocalSystem.
>>
>> So that is one scenario where the installation completes, I run the
>> installed service, but it doesn't work as expected because the service
>> can't access the DB (either because LocalSystem has no access to it, or
>> the connectionstring is wrong, and I couldn't detect that error during
>> installation, which I want to)...
>>
>> Any opinions?
>>
>> Blair wrote:
>>     
>>> The custom actions used in the WixSQLExtension do not have the
>>> "no-impersonate" bit set, so they never run as LocalSystem (except in the
>>> rare instance that the installation were being performed by a service
>>> running as LocalSystem). Thus, if you are using the WiX-supplied SQL
>>> support you must launch the installation itself from an account with the
>>> desired access.
>>>
>>> The only ways to run a custom action as LocalSystem are to run it deferred
>>> with the Impersonate attribute set to "no" in the CustomAction element in
>>> your authoring where the Execute attribute is set to some in-script type
>>> ("deferred", "rollback", or "commit"), which cannot be run from the UI since
>>> they must be between InstallInitialize and InstallFinalize in the
>>> InstallExecuteSequence table.
>>>
>>> -----Original Message-----
>>> From: Stelios Kyprou [mailto:stelios.kyp...@formicary.net]
>>> Sent: Wednesday, July 14, 2010 12:57 PM
>>> To: General discussion for Windows Installer XML toolset.
>>> Subject: [WiX-users] Using Integrated security for connectionstring in
>>> CustomAction
>>>
>>> Hello all!
>>>
>>> Let's say that I am using a C# custom action, to validate the database
>>> connectionstring that a user has entered in a dialog.
>>> If the user has selected to use Integrated Security, and the account of
>>> the Windows Service that will be running the application is "Local
>>> System",
>>> that would mean that when the service is running, when connecting to the
>>> database it would use the "Local System" to try and access it (which is
>>> what I want).
>>>
>>> In my C# custom action, when I try and connect to the db using Integrated
>>> Security, would it use the "local system" account to connect (which I think
>>> is the account the installer is running as)? Or will it use the account of
>>> the user that is logged in the machine (which will fail to connect)?
>>>
>>> In the latter case, any ideas on how to make it run as local system?
>>>
>>> Thanks in advance,
>>> Stelios
>>>
>>>
>>>       
>> --
>> Stelios Kyprou
>> Systems Engineer
>> Formicary - delivering quality financial technology solutions(TM)
>> www.formicary.net
>>
>>
>>
>> ----------------------------------------------------------------------------
>> This message is confidential and may be privileged. It is intended solely
>> for
>> the named addressee. If you are not the intended recipient, please inform
>> us.
>> Any unauthorised dissemination, distribution or copying hereof is
>> prohibited.
>>
>> Formicary Limited registered office in England and Wales, address 1 Taillar
>> Road, Hedon, East Yorkshire HU12 8GU, registration number 3894343, VAT
>> number
>> 747644304, does not guarantee that the integrity of this communication has
>> been
>> maintained nor that this communication is free of viruses, interceptions or
>> interference.
>>
>> ----------------------------------------------------------------------------
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Sprint
>> What will you do first with EVO, the first 4G phone?
>> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
>> _______________________________________________
>> WiX-users mailing list
>> WiX-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/wix-users
>>
>>
>>     
>
>
>   

-- 
Stelios Kyprou
Systems Engineer
Formicary - delivering quality financial technology solutions(TM)
www.formicary.net
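
The authoring Blair describes in the quoted reply, sketched as an added example that is not part of the original thread or of WiX itself: a deferred, non-impersonated custom action that runs the connection check as LocalSystem without granting "Act as part of the operating system" to any user. It assumes WiX v3 and a per-machine, elevated install; every Id, file name, entry point and property name is hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (WiX v3 schema). All Ids, file names and property names are hypothetical. -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Fragment>
    <!-- Public (upper-case) property filled in by the UI dialog. Secure="yes" lets
         it pass from the UI sequence to the elevated execute sequence; Hidden="yes"
         keeps its value out of the MSI log. -->
    <Property Id="DB_CONNECTIONSTRING" Secure="yes" Hidden="yes" />

    <!-- Managed (DTF) custom action package built from the C# project. -->
    <Binary Id="DbCheckCA" SourceFile="DbCheck.CA.dll" />

    <!-- A deferred action cannot read session properties. This immediate action
         copies the value into a property named after the deferred action, which
         the deferred action then receives as CustomActionData. The value is
         passed as one raw string because a connection string contains ';',
         which key=value CustomActionData formats also use as a separator. -->
    <CustomAction Id="SetVerifyDbAsSystem"
                  Property="VerifyDbAsSystem"
                  Value="[DB_CONNECTIONSTRING]"
                  HideTarget="yes" />

    <!-- Execute="deferred" + Impersonate="no": the action runs in the install
         script with the installer service's LocalSystem token instead of the
         launching user's token. Return="check" fails the install on error. -->
    <CustomAction Id="VerifyDbAsSystem"
                  BinaryKey="DbCheckCA"
                  DllEntry="VerifyDbConnection"
                  Execute="deferred"
                  Impersonate="no"
                  Return="check"
                  HideTarget="yes" />

    <!-- In-script actions must sit between InstallInitialize and InstallFinalize. -->
    <InstallExecuteSequence>
      <Custom Action="SetVerifyDbAsSystem" Before="VerifyDbAsSystem">NOT Installed</Custom>
      <Custom Action="VerifyDbAsSystem" After="InstallInitialize">NOT Installed</Custom>
    </InstallExecuteSequence>
  </Fragment>
</Wix>
```

Because the check runs in the execute sequence, a failed connection aborts and rolls back the installation; it cannot hold the user on the dialog, which is the limitation Blair points out.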

