Re: Issue with ASP.NET client, COM Interop, and Identity impersonation

From: Anil Krishnamurthy (akrishnamurthy_at_nospam.air-worldwide.com)
Date: 10/04/04


Date: Mon, 4 Oct 2004 14:24:15 -0400

I was trying to use that diagram to describe the problem and looks like
there was some problem formatting it properly.

This is what the web.config looks like

<identity impersonate="true" userName="Domain\UserName"
password="password"/>

When I print the identities on ASP.NET side and COM object side, this is
what I get.

[ASP.NET]
Domain\UserName

[COM]
Machine\IUSR_Machine

When I switch off impersonation, the identity on COM side is

[COM]
Machine\ASPNET

Hope I have made it clear now ;) So, either way, the code in COM object runs
under a local machine account and thus, cannot access network resource.

Thanks
Anil

"Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
news:emzER8hqEHA.1164@TK2MSFTNGP10.phx.gbl...
> ASPNET, that means that your config file is not like you said in your
> original post.
> / snip
> ASP.NET
> {Web app} -------------Interop --------------->{COM Library}
> (Domain\NetworkUser)
> (LocalHost\IUSR_MachineName)
> /end snip
>
> Here you say that asp.net runs as (Domain\NetworkUser), but this is not the
> case. So please change your web.config file to run the worker process as
> Domain\NetworkUser.
>
> Willy.
>
>
> "Anil Krishnamurthy" <akrishnamurthy@nospam.air-worldwide.com> wrote in
> message news:%23udstyhqEHA.4008@TK2MSFTNGP14.phx.gbl...
> >
> > "Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
> > news:e1wifEGqEHA.376@TK2MSFTNGP14.phx.gbl...
> >> With impersonation turned off, all threads in the asp.net worker process
> >> use the process token when accessing remote resources, and because your
> >> in-proc COM object runs in the same security context of the caller (the
> >> executing thread) it will use the same token, problem solved.
> >
> > When impersonation is turned off, the identity is ASPNET and since that is
> > a local account, how can you access remote resources?
> >
> >> About your "aspcompat" remark. If your COM object is a threadingmodel =
> >> apartment type object (STA) you better run in "aspcompat" mode.
> >> If you don't, your object will run on the default STA thread provided by
> >> the asp.net worker process, this will negatively impact the performance as
> >> all calls have to get marshaled.
> >> Just curious, why can't you set aspcompat=true?
> >
> > Actually, the web application team informed me that they have switched to
> > AspCompat mode and it does not help much. The problem is that the call to
> > COM object comes from Java script and identity impersonation does not work
> > in this case. I mentioned that AspCompat flag could not be used because there
> > is another application, a web service, that uses the same set of COM
> > objects.
> >
> > Anil
> >
> >>
> >> "Anil Krishnamurthy" <akrishnamurthy@nospam.air-worldwide.com> wrote in
> >> message news:O07jprAqEHA.3760@TK2MSFTNGP09.phx.gbl...
> >> >
> >> > "Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
> >> > news:eYcNdGAqEHA.1816@TK2MSFTNGP09.phx.gbl...
> >> >>
> >> >> How is that possible? if asp.net is running in a domain identity context
> >> >> AND you don't have impersonation enabled, the in-proc COM object should
> >> >> run with the same domain user's credentials, where else would the local
> >> >> account identity come from?
> >> >>
> >> >
> >> > Impersonation is enabled in Web.config and it is set to use a domain
> >> > account. But on COM object side, when I try to get the user name, it is
> >> > IUSR_MachineName and that is not what I want. Also, I cannot use
> >> > AspCompat="true".
> >> >
> >> > Anil
> >> >
> >> >
> >>
> >>
> >
> >
>
>
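
An added diagnostic, not part of the original thread or anyone's posted code: the thread turns on which token (thread impersonation token or process token) is in effect where the COM object runs, and this C# helper reports each one side by side. It assumes .NET Framework 2.0 or later on Windows; the class and method names are hypothetical, and the freshly created STA thread is only a stand-in for the worker process's default STA thread mentioned above.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Diagnostic helper (hypothetical names): shows which Windows account each context presents.
public static class IdentityReport
{
    // Token in effect on the calling thread: the impersonation token if the
    // thread is impersonating, otherwise the process token.
    public static string EffectiveIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return id.Name;
    }

    // True only when the calling thread carries its own impersonation token.
    public static bool IsImpersonating()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent(true))
            return id != null;
    }

    // Account of the worker process itself: temporarily drop any thread token.
    public static string ProcessIdentity()
    {
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return id.Name;
    }

    // Identity seen from a separate STA thread (assumption: stands in for the
    // thread an apartment-threaded COM object is called on without AspCompat).
    public static string StaThreadIdentity()
    {
        string name = null;
        Thread t = new Thread(() => { name = EffectiveIdentity(); });
        t.SetApartmentState(ApartmentState.STA);
        t.Start();
        t.Join();
        return name;
    }

    public static void Main()
    {
        Console.WriteLine("thread={0} impersonating={1} process={2} sta-thread={3}",
            EffectiveIdentity(), IsImpersonating(), ProcessIdentity(), StaThreadIdentity());
    }
}
```

Inside an ASP.NET application the same four methods can be called from the request handler immediately before the interop call, with the output written to a trace or log, so the account the COM side reports can be matched against one of them.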


