Debugging an ASP.NET application as a non-admin


The debugger team has gotten many requests to debug ASP.NET applications as a non-admin. In Whidbey, the ASP.NET team did a good job solving this problem. Their solution is much nicer then mine. In the mean time, here is a way that you can get this scenario to work in the 7.1 IDE. I hope this helps. If it doesn’t work for you, you can post a comment, but don’t call PSS. This isn’t supported.


The basic idea is to use the little web server from Web Matrix instead of IIS. The reason that non-admins can’t debug IIS is that it runs as a different user. Debugging other user’s processes is a privileged operation. Hence the restriction. Web Matrix solves this problem by running the web server as the local user. There are a few downsides to this — bugs that are affected by the identity of the worker process will go away, and Web Matrix doesn’t support everything that full IIS does. However, for simple web applications, this should be a good solution.


Note: This setup still uses a web project. This gives you the ability to easily test the application under IIS, and also gives you intelisense. If you don’t want to run the application under IIS at all, then you could do this with far less effort, and improved security.


Anyway, here are the instructions to allow JoeUser (a non-administrator) to debug his ASP.NET application. First an administrator must setup the computer:



  1. Install IIS

  2. Install Visual Studio.NET 2003

  3. Install Web Matrix from http://www.asp.net/webmatrix/

  4. Create a new web application in Visual Studio. You do this as an administrator so that you don’t need to give the normal user the right to configure the metadata in IIS. I called my application ‘WebApplication1’.

  5. Configure directory security.
    CAUTION: By doing this, you are allowing JoeUser to compromise the security of IIS. If this is a problem, I would recommend not using a web project, but instead just use VS as an editor/debugger.


    • Open up explorer

    • Browse to C:\Inetpub\wwwroot

    • Right click on ‘WebApplication1’ (or whatever you called the web application), and open properties

    • Switch to the ‘Security’ tab and give full control to JoeUser (the non-administrator that you want to be allowed to debug)

    • Repeat the steps for the ‘C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files’ folder

  6. Open the administrator tool to manage your computer. Go to ‘Local Users and Groups->Users’ 

  7. Right click on JoeUser, switch to the ‘Member Of’ tab, and add ‘Debugger Users’. ‘Debugger Users’ isn’t a privelged group, so this isn’t scary.

Debug as JoeUser:



  1. Start VS

  2. Open C:\Inetpub\wwwroot\WebApplication1\WebApplication1.csproj (or whatever the project created by the administrator was)

  3. Right click on the project, and open properties

  4. Go to Configuration Properties->Debugging

  5. Change ‘Debug Mode’ to ‘Program’

  6. Set the application to the Web Matrix web server — C:\Program Files\Microsoft ASP.NET Web Matrix\v0.6.812\WebServer.exe (note: I needed to close and reopen the properties Window after changing the debug mode)

  7. Set the ‘Command Line Arguments’ to ‘/port:8080 /path:c:\Inetpub\wwwroot\WebApplication1’

  8. Close properties Window

  9. Set any breakpoints that you want

  10. Hit F5

  11. Open IE

  12. Browse to http://localhost:8080/WebForm1.aspx

Result:
Your breakpoint hit!


Comments (15)

  1. Pavel Lebedinsky says:

    > The reason that non-admins can’t debug IIS is that it runs as a different user. Debugging other user’s processes is a privileged operation.

    I must say that I’ve never tried this, but wouldn’t running the IIS worker process under the user’s account allow ASP.NET debugging for non-admins?

  2. Anil John says:

    There is a way to do this with IIS as well (as Pavel noted above). Documented here @

    http://cyberforge.com/weblog/aniltj/articles/254.aspx

  3. Anil John says:

    Hmm. Just looked at yag’s original post. The config that he was asked about was that the student did not have admin control over the machine to start out with. So your solution is the only option as the student will not have access to the machine.config file.

    But if you do have admin control and you are making a concious decision to run and develop as a non-admin, the solution that I posted above works..

  4. Gregg Miskelly says:

    Changing the process model works. That is a good way to give one specific user debugging rights. However, it doesn’t work if you want to give a lab full of students access. This is because you need to keep switching the user for machine.config (which requires admin access).

    The other problem with that solution is that there is still only 1 worker process, so only one user can debug at a time. Depending on how a school has things setup, this may or may not be a problem.

  5. I have a solution in progress that will allow a remote IIS server to be the development server for non-admin users. This is primarily aimed at university system administrators who need to offer a web hosting solution for asp.net to allow teaching of asp.net or for individuals doing projects.

    I will post the URL to the documentation (it will be on http://www.microsoft.com/uk/academia) on my blog in the next couple of weeks. This is already got a lot of usage at a handful of UK universities.

  6. Keith Brown says:

    I’m not sure why people are so into trying to debug as a non-admin. I’m all for running as non-admin while you write code (heck, I wrote a treatise on it[1]) but I’m just don’t see the benefit here (unless you really aren’t *allowed* to be an admin, but that’s highly unlikely for an application developer).

    Unlike desktop applications, which must run in a multitude of different security configurations, typically servers have a very specific configuration that is mandated by the design/development team. Running under a different identity to debug means changing ACLs, security policy, etc.

    The permissions my normal user account has are not going to be the same as the permissions my web server needs.

    So why not just type "devenv" from your admin command prompt and rock on? Seems to me this is totally appropriate for debugging daemon code.

    Keith

    [1] http://www.pluralsight.com/keith/book/html/lifestyle.html

  7. Gregg Miskelly says:

    I have seen this request several times, due to one of these reasons:

    1. IT Policy requires everyone to run as a normal user

    -or-

    2. A university that wants to teach ASP.NET, but doesn’t want to grant everyone admin rights.