Gianluca Torta #1
accessing remote resources from ASP.NET app
Hi all,
I know this issue has already been discussed in several threads of the
newsgroup and I read several of them.
However, I would appreciate very much to have suggestions specific to
my particular scenario.
I have an ASP.NET application MYAPP running on machine MYMACH.
Such application needs to access a remote database MYDB and a remote
Web Service MYSVC using the credentials of a specific Windows User
MYMACH\MYUSER (i.e. a user local to MYMACH).
The use of <identity impersonate="true"> in the Web.config file seems
to fail for the reasons explained in other threads, i.e. impersonation
only works for accessing resources local to MYMACH.
I would like to avoid using delegation and serviced components, since
they seem quite complicated to set up.
Similarly, I would like to avoid calling LogonUser() because it is a
non-managed API and moreover other threads report that many users had
problems using it.
My question is then: how is it possible to get what I want (which
seems very simple) in a simple way?
And, if there is no such "simple way", what is the best way among
delegation, serviced components, LogonUser() etc. etc.?
Many thanks in advance!
-Gianluca
-
Joe Kaplan (MVP - ADSI) #2
Re: accessing remote resources from ASP.NET app
You could also disable impersonation and set up your process account to use
an account that access the remote resource. Lots of people do that. The
steps are different between IIS5 and 6, but the basic idea is the same.
If you need impersonation at the same time, you can do some trickery by
p/invoking RevertToSelf and then restoring the impersonated token when you
are done with your remote call.
Otherwise, I think COM+ is good if you don't mind writing a serviced
component and dealing with all the COM stuff. LogonUser is easy on XP and
2003, but has security restrictions on 2000 that make it much less
attractive.
HTH,
Joe K.
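Added example, not part of the original thread or any poster's code: one way to do the RevertToSelf approach mentioned in reply #2, so that a single remote call runs under the worker process account while the rest of the request stays impersonated. The class, delegate and method names are hypothetical; the process account is assumed to be the one granted access to the remote resource.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical delegate type for the work that must run as the process account.
public delegate void RemoteCall();

public static class ProcessIdentity
{
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool RevertToSelf();

    // Runs remoteCall under the worker process account, then puts the
    // caller's impersonation token back on the thread.
    public static void Run(RemoteCall remoteCall)
    {
        // GetCurrent(true) returns null when the thread is not impersonating,
        // in which case there is nothing to revert or to restore.
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);
        if (impersonated == null)
        {
            remoteCall();
            return;
        }

        using (impersonated)
        {
            if (!RevertToSelf())
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try
            {
                // The thread now carries the process token only.
                remoteCall();
            }
            finally
            {
                // Impersonate() throws if the token cannot be applied, which
                // surfaces the failure instead of silently continuing as the
                // process account. The returned context is deliberately not
                // disposed: disposing it would undo the restore.
                impersonated.Impersonate();
            }
        }
    }
}
```

Keep the delegate body limited to the remote call itself: everything inside it runs with the process account's rights, not the caller's.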
-
Gianluca Torta #3
Re: accessing remote resources from ASP.NET app
Joe, thank you very much for your reply
> You could also disable impersonation and set up your process account to use
> an account that access the remote resource. Lots of people do that. The
> steps are different between IIS5 and 6, but the basic idea is the same.
this solution (i.e. AVOID impersonation) would be very attractive PROVIDED I
can run just one specific ASP.NET application as the specified account, and
not ALL the ASP.NET applications on my machine (something that seems to
happen, according to other threads, if you modify Machine.config)
if it is possible to specify the account just for one specific ASP.NET
application, could someone please point me to an article where the details on
how to do it are discussed for both IIS5 and IIS6?
thanks in advance,
-Gianluca
-
Joe Kaplan (MVP - ADSI) #4
Re: accessing remote resources from ASP.NET app
With IIS6, you set up an AppPool with a specific account and then make sure
that only your application runs in that pool. Unfortunately, with IIS5, all
the ASP.NET web apps run in one process (for the most part).
I think a better solution for you in the case would be to create a COM+
serviced component so that you can set it up to run under a specific
identity. That could be installed on IIS5 or IIS6 and do what you want.
Joe K.
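Added example, not part of the original thread: a check for the IIS6 setup described in reply #4, confirming that an application pool runs as the intended account and that only the intended application is assigned to it. It reads the IIS 6 metabase through the ADSI provider (System.DirectoryServices); the class name and the pool name, account and application path passed in are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices; // add a reference to System.DirectoryServices.dll

public static class AppPoolAudit
{
    // AppPoolIdentityType value meaning "run as the configured WamUserName".
    private const int SpecificUser = 3;

    // Returns a list of findings; an empty list means the pool runs as the
    // expected account and hosts only the expected application.
    // expectedAppPath is a metabase path such as "/LM/W3SVC/1/ROOT/MYAPP" (placeholder).
    public static List<string> Check(string poolName, string expectedUser,
                                     string expectedAppPath)
    {
        List<string> findings = new List<string>();
        string path = "IIS://localhost/W3SVC/AppPools/" + poolName;

        using (DirectoryEntry pool = new DirectoryEntry(path))
        {
            int type = Convert.ToInt32(pool.Properties["AppPoolIdentityType"].Value);
            string user = Convert.ToString(pool.Properties["WamUserName"].Value);

            if (type != SpecificUser)
                findings.Add("Pool uses a built-in identity (AppPoolIdentityType=" + type + ")");
            else if (!string.Equals(user, expectedUser, StringComparison.OrdinalIgnoreCase))
                findings.Add("Pool runs as '" + user + "', expected '" + expectedUser + "'");

            // EnumAppsInPool returns the metabase paths of every application
            // assigned to this pool.
            Array apps = (Array)pool.Invoke("EnumAppsInPool");
            foreach (object app in apps)
            {
                string appPath = Convert.ToString(app).TrimEnd('/');
                if (!string.Equals(appPath, expectedAppPath.TrimEnd('/'),
                                   StringComparison.OrdinalIgnoreCase))
                    findings.Add("Unexpected application shares the pool: " + appPath);
            }
        }
        return findings;
    }
}
```

Any other application found in the pool would run with the same account and therefore the same access to the remote database and web service.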




