Re: DCOM calls fail - access denied

From: "Arild Bakken" <arildb_@hotmail.com>
Date: Tue, 26 Nov 2002 15:38:02 +0100


Sure, the worker thread gets the impersonated token, but this token is not
valid for access to other computers (it cannot be delegated), so when the
app tries to access another computer, the accesstoken used is the one of the
process - not the worker thread. That is why it works when you use a domain
user for the ASP.NET worker process.

Arild

Stefu wrote:
> Hi iulian
>
> Thanks for the answer! That's exactly how I understood the ASP.NET
> security. But why does one configuration work but not the other? The
> only difference is the processModel tag in machine.config. In both
> cases the worker thread should get the token from IIS (configured
> domain user). That's why I'm confused. In theory both versions should
> work?!
>
> Thanks Steve
>
>
> "iiuga" <iulian.iuga@audicon.net> wrote in message
> news:#kQkX6#iCHA.1960@tkmsftngp08...
>> Hi,
>>
>> It's very important to understand how ASP.NET security works
>> together with IIS security. For that I recommend you to read this
>> article from msdn:
>>
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
>>
>> Now regarding your security settings:
>>
>> 1) In both cases you have in the web.config file the identity tag
>> present with the impersonate attribute set to true. That means the
>> worker thread will use the token it gets from IIS. If you would have
>> the impersonate attribute set to false or the identity tag would be
>> not present in your web.config file, then the worker thread would
>> get the token from the worker process (aspnet_wp.exe). In
>> machine.config file you can set, in context of which user you want
>> to run the worker process using processModel tag. As you can see, in
>> your case, doesn't matter what you set in machine.config it doesn't
>> affect the security context in which your worker thread is running.
>>
>> 2) IIS security configuration. You have set Anonymous access to
>> the web application. That means the IIS will send to the worker
>> thread the token of the user you have set for anonymous access.
>> (Note: Take care about other settings there!!! If you have also
>> Integrated Windows authentication checked, then the IIS will get
>> information about LAN user accessing the application and it will
>> send to the worker thread the token of this user and not anonymous.)
>> Ok, so far you can determine in context of which user the worker
>> thread is running, now we have to see the remote access for this
>> user.
>>
>> 3) DCOM application. You wrote in both configurations that the
>> access and launch permissions are restricted, but without details
>> which are the restrictions. Here you have two situations, depending
>> the user you set as anonymous for IIS. If you set there a domain
>> account, then you have to be sure that this account has at least
>> access permissions (and launch permissions if you want to allow it
>> to start the application) for DCOM application. If you set the IIS
>> anonymous user a local user from the server where IIS is running
>> then again you can have two possibilities, you have a user on the
>> computer where DCOM is running with the same name, then you should
>> have similar passwords for this user on both computers and be sure
>> this user has at least access permissions to DCOM application. Or
>> the second possibility, you don't have the same user to both
>> computers, then the user is resolved as guest (anonymous logon) and
>> be sure you don't have the Guest account disabled and it is allowed
>> to access the DCOM application.
>>
>> I hope you will have a better understanding about what is happening
>> there and then you can adapt the settings to have the system running.
>>
>> Iulian Iuga,
>> http://www7.brinkster/com/iiuga
>>
>> "Stefu" <stefanroth@hotmail.com> wrote in message
>> news:evhi7A#iCHA.2256@tkmsftngp12...
>>> Hi
>>>
>>> I'm a little bit confused by the security features of ASP.NET. In
>>> my web application I have to call several DCOM Servers located on a
>>> remote server. Since not all users have a domain account, I had the
>>> idea to allow only anonymous access on my site. The users will be
>>> authenticated by a custom form and a database. In order to have
>>> access rights to call the DCOM servers I changed the default
>>> account for the web site to a domain user. In the web.config file I
>>> changed the identity tag to <identity impersonate="true" />. As I
>>> saw in a microsoft .NET Security Guidance, this should lead to a
>>> impersonated call (identity = configured domain user). But all
>>> calls fail - access denied. Only if the processModel tag in
>>> machine.config is changed to userName="domain\user"
>>> password="password" the call works. But this isn't exactly the
>>> configuration I'm looking for. I do not want to run the worker
>>> process under a domain account with extended privileges. Is this
>>> possible? What else is necessary?
>>>
>>> Summary
>>>
>>> The following configuration is WORKING
>>>
>>> ASP.NET
>>> web.config
>>> ...
>>> <identity impersonate="true" />
>>> ...
>>>
>>> machine.config
>>> ...
>>> <processModel ... userName="domain\username"
>>> password="password" ... />
>>>
>>> IIS
>>> only anonymous access
>>> default account for my site changed to domain\username
>>>
>>> DCOM
>>> Authentication Level = None
>>> Identity = specific account
>>> Security = access and launch permissions restricted
>>>
>>> --------------------------------------------------
>>>
>>> This configuration does NOT WORK
>>>
>>> ASP.NET
>>> web.config
>>> ...
>>> <identity impersonate="true" />
>>> ...
>>>
>>> machine.config
>>> ...
>>> <processModel ... userName="SYSTEM" password="AutoGenerate" ... />   <---- different
>>>
>>> IIS
>>> only anonymous access
>>> default account for my site changed to domain\username
>>>
>>> DCOM
>>> Authentication Level = None
>>> Identity = specific account
>>> Security = access and launch permissions restricted
>>>
>>> Thanks in advance Steve
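The two points made above, Iulian's point 1 (with impersonate="true" the request thread carries the token IIS handed over, otherwise the process token from aspnet_wp.exe) and Arild's point that such an impersonated token cannot be used to reach another computer, can be checked at run time instead of inferred from config files. The C# helper below is an added example written for this archive page; it is not code from Arild, Iulian or Stefu. It assumes .NET 2.0 or later, since WindowsIdentity.ImpersonationLevel and the IDisposable WindowsImpersonationContext do not exist in the .NET 1.x the thread was written against, and the names IdentityDiagnostics, Report, Inspect and ExplainRemoteCall are my own.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic helper, not code from the thread. Assumes .NET 2.0+
// (WindowsIdentity.ImpersonationLevel and a disposable
// WindowsImpersonationContext are not available in .NET 1.x).
public static class IdentityDiagnostics
{
    // Hypothetical report type for this example.
    public sealed class Report
    {
        public string ThreadIdentity;             // account the request thread runs as
        public string ProcessIdentity;            // account the worker process runs as
        public TokenImpersonationLevel Level;     // None for a primary (process) token
        public bool IsImpersonating;
        public bool TokenValidForRemoteHop;       // only a Delegation-level token can be used on another machine

        public override string ToString()
        {
            return string.Format(
                "thread={0} process={1} level={2} impersonating={3} remoteHopWithThreadToken={4}",
                ThreadIdentity, ProcessIdentity, Level, IsImpersonating, TokenValidForRemoteHop);
        }
    }

    public static Report Inspect()
    {
        Report r = new Report();

        // 1) The thread token: with <identity impersonate="true" /> this is the
        //    token IIS handed over (the anonymous account, or the authenticated
        //    user if Integrated Windows authentication is also enabled).
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            r.ThreadIdentity = thread.Name;
            r.Level = thread.ImpersonationLevel;
            r.IsImpersonating = thread.ImpersonationLevel != TokenImpersonationLevel.None;
            r.TokenValidForRemoteHop = thread.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        }

        // 2) The process token: what <processModel userName="..." /> in
        //    machine.config configured. Impersonate(IntPtr.Zero) reverts the
        //    thread to the process identity; disposing the context restores
        //    the impersonation that was in effect before.
        using (WindowsImpersonationContext revert = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            r.ProcessIdentity = process.Name;
        }

        return r;
    }

    // One-line explanation, suitable for a log entry, of which identity an
    // off-box DCOM call made from this thread can carry.
    public static string ExplainRemoteCall(Report r)
    {
        if (!r.IsImpersonating)
            return "Not impersonating: remote calls carry the process account "
                 + r.ProcessIdentity + ".";
        if (r.TokenValidForRemoteHop)
            return "Impersonating with a Delegation-level token: remote calls can carry "
                 + r.ThreadIdentity + ".";
        return "Impersonating with a " + r.Level + "-level token: it cannot be used on "
             + "another computer, so the remote DCOM server will not see "
             + r.ThreadIdentity + ".";
    }
}
```

Call IdentityDiagnostics.Inspect() from a page or handler on the IIS box and write ExplainRemoteCall(report) to the application log. In Stefu's second configuration the report would show the thread impersonating domain\username at a level below Delegation while the process runs as SYSTEM, which is the condition under which the remote DCOM server does not receive the domain user's credentials; seeing the same account in both fields is what the first, working configuration produces.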
