ASP.NET, IIS 6.0 (Windows Server 2003) and Com permissions...

[Todd Barlow]

I have an ASP.NET application that instantiantes a Win32 C++ Com
object. This object's methods require specific access permissions to
the underlying registry/file structure in order to function properly.

On windows 2000/xp if we enable impersonation in the ASP.NET app's
Web.Config file then access is granted/denied based-upon the logged-in
user.

However, if the same is done in Windows Server 2003 I MUST still grant
"Network Service" account specific permissions in the file-system,
registry, and DCOM!

I have added a call to "CoImpersonateClient()" in the COM method to
ensure that we are running as the proper user, and it is (I print out
the username found in a "GetUserName()" call). I also output the name
in the ASP.NET app by using the System.Environment.UserName property.

Any ideas to ensure that all these COM calls are being made as the
authenticated user and NOT the ASP.NET user (ASPNET or "NETWORK
SERVICE")?

Please assist, thanks.

[bruce barker]

to guarantee that the com call runs on the same thread as asp.net
autheciated thread set AspComp=true. this will have some minor performance
impact.


-- bruce (sqlwork.com)



"Todd Barlow" <todd@lightspeedsystems.com> wrote in message
news:301d14e1.0307070940.589e733c@posting.google.c om...

> I have an ASP.NET application that instantiantes a Win32 C++ Com
> object. This object's methods require specific access permissions to
> the underlying registry/file structure in order to function properly.
>
> On windows 2000/xp if we enable impersonation in the ASP.NET app's
> Web.Config file then access is granted/denied based-upon the logged-in
> user.
>
> However, if the same is done in Windows Server 2003 I MUST still grant
> "Network Service" account specific permissions in the file-system,
> registry, and DCOM!
>
> I have added a call to "CoImpersonateClient()" in the COM method to
> ensure that we are running as the proper user, and it is (I print out
> the username found in a "GetUserName()" call). I also output the name
> in the ASP.NET app by using the System.Environment.UserName property.
>
> Any ideas to ensure that all these COM calls are being made as the
> authenticated user and NOT the ASP.NET user (ASPNET or "NETWORK
> SERVICE")?
>
> Please assist, thanks.

[Todd Barlow]

Thanks guys, I found the MSDN article after posting the question.
However, this still didn't help.

I think the problem is that the COM object that the ASP.NET application
is instantiating then instantiates another COM object again. I think
something is wrong with the way these types of COM proxying works.

In the end, I just granted access where it was needed to the NETWORK
SERVICE account. It's ugly--but it works.


*** Sent via Developersdex [url]http://www.developersdex.com[/url] ***
Don't just participate in USENET...get rewarded for it!