ASPNet Process Token flowing with Impersonated Identity

• Previous message: Mary Chipman: "Re: security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 22 Jun 2004 06:59:18 -0700

I have a problem with a service-oriented application that is using
impersonation.

MachineA (Web Server) - Hosts webservices
MachineB (App Server) - Talks to multiple types of resources (SQL,
WMI, HTTP).

MachineA remotes to MachineB (remoting is hosted via IIS).

MachineA and MachineB have IIS using Anonymous w/ a service account
(MyUser1). The web.config for both MachineA and MachineB are using
<identity impersonate="true" />.

The ASPNet account uses default settings (MACHINE / AUTOGENERATE).

When I call a web service on MachineA communication with MachineB
occurs correctly. When MachineB calls a remote resource (say WMI on
MachineC), the call occurs correctly and I get a valid response. On
first glance everything looks wonderful.

After a short number of requests, the ASPNet account on MachineC will
become locked out. When I look at the security audit logs on
MachineC, I see the logon from the expected identity (MyUser1), BUT I
also see a failed logon attempt from MachineB/ASPNet.

It looks like for some reason, MachineB is still flowing it's own
ASPNet process identity (in addition to the impersonated user) and is
unable to authenticate (MachineB/ASPNet will not have the same
password as MachineC/ASPNet).

Why would this happen? MachineB communicates with MachineC using a
variety of different mechanisms (SQL via ADO.Net, WMI, and HTTP).
When making the SQL or WMI calls I see this behavior, with the HTTP I
don't.

Any ideas? It seems like I'm missing something really simple here.

- Ben

• Previous message: Mary Chipman: "Re: security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]