Re: DCOM calls fails - access denied

From: Stefu (stefanroth@hotmail.com)
Date: 11/15/02


From: "Stefu" <stefanroth@hotmail.com>
Date: Fri, 15 Nov 2002 10:35:10 +0100


Hi iulian

Thanks for the answer! That's exactly how I understood the ASP.NET security.
But why does one configuration work but not the other? The only difference
is the processModel tag in machine.config. In both cases the worker thread
should get the token from IIS (configured domain user). That's why I'm
confused. In theory both versions should work?!

Thanks Steve

"iiuga" <iulian.iuga@audicon.net> wrote in message
news:#kQkX6#iCHA.1960@tkmsftngp08...
> Hi,
>
> It's very important to understand how ASP.NET security works together with
> IIS security. For that I recommend you to read this article from msdn:
>
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/
> authaspdotnet.asp .
>
> Now regarding your security settings:
>
> 1) In both cases you have in the web.config file the identity tag
> present with the impersonate attribute set to true. That means the worker
> thread will use the token it gets from IIS. If you had the
> impersonate attribute set to false, or the identity tag was not present
> in your web.config file, then the worker thread would get the token from the
> worker process (aspnet_wp.exe). In the machine.config file you can set, in the
> context of which user you want to run the worker process, using the processModel
> tag. As you can see, in your case it doesn't matter what you set in
> machine.config; it doesn't affect the security context in which your worker
> thread is running.
>
> 2) IIS security configuration. You have set Anonymous access to the web
> application. That means IIS will send to the worker thread the token of
> the user you have set for anonymous access. (Note: Take care about other
> settings there!!! If you also have Integrated Windows authentication
> checked, then IIS will get information about the LAN user accessing the
> application and it will send to the worker thread the token of this user and
> not anonymous.) Ok, so far you can determine in the context of which user the
> worker thread is running; now we have to see the remote access for this
> user.
>
> 3) DCOM application. You wrote in both configurations that the access
> and launch permissions are restricted, but without details of what the
> restrictions are. Here you have two situations, depending on the user you set as
> anonymous for IIS. If you set there a domain account, then you have to be
> sure that this account has at least access permissions (and launch
> permissions if you want to allow it to start the application) for the DCOM
> application. If you set the IIS anonymous user to a local user from the server
> where IIS is running, then again you have two possibilities: you have a
> user on the computer where DCOM is running with the same name, then you
> should have similar passwords for this user on both computers and be sure
> this user has at least access permissions to the DCOM application. Or the second
> possibility, you don't have the same user on both computers, then the user
> is resolved as Guest (anonymous logon), so be sure you don't have the Guest
> account disabled and it is allowed to access the DCOM application.
>
> I hope you will have a better understanding about what is happening there
> and then you can adapt the settings to have the system running.
>
> Iulian Iuga,
> http://www7.brinkster/com/iiuga
>
>
>
>
>
>
> "Stefu" <stefanroth@hotmail.com> wrote in message
> news:evhi7A#iCHA.2256@tkmsftngp12...
> > Hi
> >
> > I'm a little bit confused by the security features of ASP.NET. In my web
> > application I have to call several DCOM Servers located on a remote server.
> > Since not all users have a domain account, I had the idea to allow only
> > anonymous access on my site. The users will be authenticated by a custom
> > form and a database. In order to have access rights to call the DCOM servers
> > I changed the default account for the web site to a domain user. In the
> > web.config file I changed the identity tag to <identity impersonate="true"
> > />. As I saw in a Microsoft .NET Security Guidance, this should lead to an
> > impersonated call (identity = configured domain user). But all calls fail -
> > access denied. Only if the processModel tag in machine.config is changed to
> > userName="domain\user" password="password" does the call work. But this isn't
> > exactly the configuration I'm looking for. I do not want to run the worker
> > process under a domain account with extended privileges. Is this possible?
> > What else is necessary?
> >
> > Summary
> >
> > The following configuration is WORKING
> >
> > ASP.NET
> > web.config
> > ...
> > <identity impersonate="true" />
> > ...
> >
> > machine.config
> > ...
> > <processModel ... userName="domain\username" password="password" ... />
> >
> > IIS
> > only anonymous access
> > default account for my site changed to domain\username
> >
> > DCOM
> > Authentication Level = None
> > Identity = specific account
> > Security = access and launch permissions restricted
> >
> > --------------------------------------------------
> >
> > This configuration does NOT WORK
> >
> > ASP.NET
> > web.config
> > ...
> > <identity impersonate="true" />
> > ...
> >
> > machine.config
> > ...
> > <processModel ... userName="SYSTEM" password="AutoGenerate" ... />
> > <---- different
> >
> > IIS
> > only anonymous access
> > default account for my site changed to domain\username
> >
> > DCOM
> > Authentication Level = None
> > Identity = specific account
> > Security = access and launch permissions restricted
> >
> > Thanks in advance Steve
> >
> >
>
>
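An added example, not part of the thread and not Microsoft's code: a small Python model of the three resolution steps in Iulian's reply (worker-thread token, IIS token, DCOM-side account resolution and permission check), so the two configurations Steve posted can be fed through the rules as the reply states them. It parses the same `<identity>` and `<processModel>` elements with `xml.etree`; every host name, account name, password and DCOM permission set below is a constructed placeholder, and the dict layout for the IIS settings and the ACL is this example's own convention, not an IIS or DCOM API.

```python
"""Model of the request-identity rules described in the thread above.

Constructed example: it encodes the reply's rules as plain functions and is
not the ASP.NET runtime.  Account names, hosts, passwords and the DCOM ACL
are placeholders invented for the example.
"""
import xml.etree.ElementTree as ET


def _first(xml_text, tag):
    """Return the first element named `tag` anywhere in the document, or None."""
    return next(ET.fromstring(xml_text).iter(tag), None)


def request_identity(machine_config, web_config, iis):
    """Steps 1 and 2: which account does the ASP.NET request thread run as?

    `iis` is a dict with 'anonymous_account' and, if Integrated Windows
    authentication is enabled and actually authenticated the caller,
    'authenticated_caller'.  Returns (account, where the token came from).
    """
    identity = _first(web_config, "identity")
    impersonate = identity is not None and identity.get("impersonate", "false").lower() == "true"
    if not impersonate:
        # No impersonation: the thread keeps the worker-process token, i.e.
        # whatever <processModel userName=...> says (SYSTEM if absent).
        pm = _first(machine_config, "processModel")
        return (pm.get("userName", "SYSTEM") if pm is not None else "SYSTEM"), "worker process"
    if identity.get("userName"):
        # <identity impersonate="true" userName="..."/> pins a fixed account.
        return identity.get("userName"), "web.config identity"
    caller = iis.get("authenticated_caller")
    if caller:
        return caller, "IIS (authenticated caller)"
    return iis["anonymous_account"], "IIS (anonymous account)"


def dcom_principal(account, password, iis_host, dcom_host, dcom_local_accounts):
    """Step 3a: the calling account as the DCOM server sees it.

    A domain account is seen as itself.  A local account of the IIS box is only
    recognised when the DCOM box has a local account with the same name and
    password; otherwise the call arrives as Guest (anonymous logon).
    `dcom_local_accounts` maps local user name -> password on the DCOM host.
    """
    domain, _, user = account.rpartition("\\")
    if domain.upper() not in ("", iis_host.upper()):
        return account
    if dcom_local_accounts.get(user) == password:
        return f"{dcom_host}\\{user}"
    return f"{dcom_host}\\Guest"


def dcom_access(principal, acl, need_launch):
    """Step 3b: check the resolved principal against the DCOM permissions.

    `acl` has the sets 'access' and 'launch' and a bool 'guest_enabled'.
    Returns (allowed, reason).
    """
    if principal.endswith("\\Guest") and not acl["guest_enabled"]:
        return False, "resolved to Guest but the Guest account is disabled"
    if principal not in acl["access"]:
        return False, f"{principal} lacks DCOM access permission"
    if need_launch and principal not in acl["launch"]:
        return False, f"{principal} lacks DCOM launch permission"
    return True, "ok"


# Constructed configs mirroring the two variants in the post (placeholder names).
WEB_CONFIG = """<configuration><system.web>
  <identity impersonate="true" />
</system.web></configuration>"""
MACHINE_CONFIG_DOMAIN = """<configuration><system.web>
  <processModel enable="true" userName="CORP\\aspnet_svc" password="p@ss" />
</system.web></configuration>"""
MACHINE_CONFIG_SYSTEM = """<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
</system.web></configuration>"""
IIS_ANON_DOMAIN = {"anonymous_account": "CORP\\webapp"}   # anonymous user = domain account
ACL = {"access": {"CORP\\webapp"}, "launch": {"CORP\\webapp"}, "guest_enabled": False}


def evaluate(machine_config, web_config, iis, account_password, need_launch=True):
    """Run all three steps; returns (thread account, token source, allowed, reason)."""
    account, source = request_identity(machine_config, web_config, iis)
    principal = dcom_principal(account, account_password, "IISBOX", "DCOMBOX", {})
    allowed, reason = dcom_access(principal, ACL, need_launch)
    return account, source, allowed, reason


if __name__ == "__main__":
    for name, cfg in (("processModel=domain user", MACHINE_CONFIG_DOMAIN),
                      ("processModel=SYSTEM", MACHINE_CONFIG_SYSTEM)):
        print(name, "->", evaluate(cfg, WEB_CONFIG, IIS_ANON_DOMAIN, "p@ss"))
```

Run as written, both of Steve's variants come out identical (thread runs as the IIS anonymous domain account, DCOM access allowed), which is exactly what the reply predicts and exactly what Steve reports does not happen for the SYSTEM variant; the model only encodes the stated rules and does not explain that gap, which the thread leaves open. Switching the IIS anonymous user to a local account (`IISBOX\IUSR_IISBOX`) with no matching account on the DCOM host shows the Guest fallback and the resulting denial.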


