DCOM calls fails - access denied

From: Stefu (stefanroth@hotmail.com)
Date: 11/14/02


From: "Stefu" <stefanroth@hotmail.com>
Date: Thu, 14 Nov 2002 14:21:51 +0100


Hi

I'm a little bit confused by the security features of ASP.NET. In my web
application I have to call several DCOM Servers located on a remote server.
Since not all users have a domain account, I had the idea to allow only
anonymous access on my site. The users will be authenticated by a custom
form and a database. In order to have access rights to call the DCOM servers
I changed the default account for the web site to a domain user. In the
web.config file I changed the identity tag to <identity impersonate="true" />.
As I saw in a Microsoft .NET Security Guidance, this should lead to an
impersonated call (identity = configured domain user). But all calls fail -
access denied. Only if the processModel tag in machine.config is changed to
userName="domain\user" password="password" the call works. But this isn't
exactly the configuration I'm looking for. I do not want to run the worker
process under a domain account with extended privileges. Is this possible?
What else is necessary?

Summary

The following configuration is WORKING

ASP.NET
    web.config
        ...
        <identity impersonate="true" />
        ...

    machine.config
    ...
    <processModel ... userName="domain\username" password="password" ... />

IIS
    only anonymous access
    default account for my site changed to domain\username

DCOM
    Authentication Level = None
    Identity = specific account
    Security = access and launch permissions restricted

--------------------------------------------------

This configuration does NOT WORK

ASP.NET
    web.config
        ...
        <identity impersonate="true" />
        ...

    machine.config
    ...
    <processModel ... userName="SYSTEM" password="AutoGenerate" ... />   <---- different

IIS
    only anonymous access
    default account for my site changed to domain\username

DCOM
    Authentication Level = None
    Identity = specific account
    Security = access and launch permissions restricted

Thanks in advance
Steve


