CoImpersonateClient - Cross Domain Problem

From: MarkLarz (Mark.Larzelere@nospamsiemens.com)
Date: 03/07/03


From: "MarkLarz" <Mark.Larzelere@nospamsiemens.com>
Date: Fri, 7 Mar 2003 16:57:33 -0500


We have a problem that has left us baffled and could use some expertise.

The environment having the problem is complicated so I will try to minimize
it in my explanation. The problem is manifested when downstream processing
seems to suffer permission problems when a file or directory is accessed.
For this explanation, assume that the downstream processing is just trying
to read a file from a COM+ application running on a different domain than
the upstream processing. Now the upstream processing needs an explanation.

There is a bit of code on an application server running on a domain, Domain
1, that is part of a domain farm (i.e., Domain 1 is under Domain 2). This
code runs in an NT service and basically looks for work to be done. When it
finds something to do, it invokes a COM+ transaction to talk to COM+ code on
a server in a different domain, Domain 3, that is not in the same domain
farm. There is a trust relationship between Domain 3 and Domain 1 and 2.
The code on Domain 3 tries to read a file in a directory.

This processing always works if all the servers are in the same domain. It
always works in this multidomain scenario if we use the security credentials
of the NT service (under a user account instead of the system account).
However, we need to use the credentials of another user depending on the
type of work that must be done. In this scenario it always fails when the
code in Domain 1 calls:

CoImpersonateClient();
// Spawn work on the other server
. . .

hr = CoRevertToSelf();

We are sure that this code is causing the permission problems, but do not
know why. If we directly run some code that does the same work under
this other user account, we never have a permission problem on the other
server.

I am thinking that there is a bug in Microsoft code, and will pursue this
with Microsoft, but I wanted to see if someone else experienced similar
problems and found a solution. I left out a lot of detail that could be
supplied, if you need it to help with this problem.

Thanks in advance for any help,
Mark