Python CGI in IIS: issue with urandom function

Question

I’m having a very strange issue with running a python CGI script in IIS.

The script is running in a custom application pool which uses a user account from the domain for identity. Impersonation is disabled for the site and Kerberos is used for authentication.

• When the account is member of the “Domain Admins” group, everything works like a charm
• When the account is not member of “Domain Admins”, I get an error on the very first line in the script: “import cgi”. It seems like that import eventually leads to a random number being generated and it’s the call to _urandom() which fails with a “WindowsError: [Error 5] Access is denied”.
• If I run the same script from the command prompt, when logged in with the same user as the one from the application pool, everything works as a charm.

When searching the web I have found out that the _urandom on windows is backed by the CryptGenRandom function in the operating system. Somehow it seems like my python CGI script does not have access to that function when running from the IIS, while it has access to that function when run from a command prompt.

To complicate things further, when logging in as the account running the application pool and then invoking the CGI-script from the web browser it works. It turns out I have to be logged in with the same user as the application pool for it to work. As I previously stated, impersonation is disabled, but somehow it seems like the identity is somehow passed along to the security functions in windows.

If I modify the random.py file that calls the _urandom() function to just return a fixed number, everything works fine, but then I have probably broken a lot of the security functions in python.

So have anyone experienced anything like this? Any ideas of what is going on?

Answer 1

I've solved the _urandom() error by changing IIS 7.5 settings to Impersonate User = yes. I'm not a Windows admin so I cannot elaborate.

Afterwards import cgi inside python script worked just fine.