I have a very strange problem running a Python CGI script in IIS.
The script runs in a custom application pool that uses a domain user account to authenticate. Impersonation is disabled for the site, and Kerberos is used for authentication.
- When the account is a member of the "Domain Admins" group, everything works like a charm.
- When the account is not a member of "Domain Admins", I get an error on the very first line of the script: "import cgi". It seems that the import ultimately leads to the generation of a random number and a call to _urandom(), which fails with "WindowsError: [Error 5] Access is denied".
- If I run the same script from the command line, logged in as the same user as the application pool, everything works like a charm.
When searching the Internet, I found that _urandom on Windows is backed by the CryptGenRandom function in the operating system. Somehow it seems that my Python CGI script does not have access to this function when started from IIS, while it does have access to it when started from the command line.
To complicate the situation, when you log in as the account that runs the application pool and then call the CGI script from a web browser, it works. It turns out I have to be logged in as the same user as the application pool in order for it to work. As I said, impersonation is disabled, but somehow it seems that the identity is transferred to the security function in Windows.
If I modify the random.py file that calls the _urandom() function to just return a fixed number, everything works fine, but then I have probably violated many of the security features in Python.
So has anyone experienced anything like this? Any ideas on what's going on?
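A diagnostic probe for the situation described in the question, as an added example that is not part of the original post: it avoids `import cgi` and `random` entirely, reports which account and server variables the CGI process sees, and records whether `os.urandom()` succeeds. The function names `probe`, `urandom_ok` and `render` are hypothetical; `LOGON_USER` is an IIS server variable and may be unset elsewhere.

```python
#!/usr/bin/env python
"""Added diagnostic CGI probe (not from the original post)."""
import getpass
import os
import sys

# Standard CGI/IIS server variables plus profile-related environment entries.
ENV_KEYS = ("AUTH_TYPE", "REMOTE_USER", "LOGON_USER",
            "USERNAME", "USERDOMAIN", "USERPROFILE")


def probe(nbytes=16, rng=os.urandom):
    """Collect the process identity and test the OS random source."""
    try:
        account = getpass.getuser()
    except Exception as exc:  # no resolvable account name
        account = "unknown (%s)" % exc
    report = [("account", account)]
    report += [(key, os.environ.get(key, "<unset>")) for key in ENV_KEYS]
    try:
        # Only success and length are reported, never the random bytes.
        report.append(("urandom", "ok, %d bytes" % len(rng(nbytes))))
    except Exception as exc:  # e.g. WindowsError: [Error 5] Access is denied
        report.append(("urandom", "FAILED: %s: %s" % (type(exc).__name__, exc)))
    return report


def urandom_ok(report):
    """True when the probe obtained bytes from the OS random source."""
    return dict(report)["urandom"].startswith("ok")


def render(report):
    """Build a plain-text CGI response without importing cgi."""
    body = "\r\n".join("%s: %s" % pair for pair in report)
    return "Content-Type: text/plain\r\n\r\n" + body + "\r\n"


if __name__ == "__main__":
    sys.stdout.write(render(probe()))
```

Comparing the output when requested through IIS with the output from a command prompt under the same account shows which identity and environment differ between the two cases. The page discloses account names, so it should be removed once troubleshooting is done.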