Calling COM Server from ASP.NET WebService - impersonation problem

Discussion in 'ASP .Net Security' started by Gangolf, Sep 28, 2007.

  1. Gangolf

    Gangolf Guest

    Hi,

    I want to call a COM+ server from a webservice. I want to use the client
    credentials so I have set
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    Calling the webservice is no problem but the COM service fails because it
    still runs under the ASPNET account (I have XP SP2 and IIS 5.1). So
    impersonation fails partly. When I step into the webservice with the debugger
    and check the current User it is the client as it should be. But inside the
    COM server I have output the current user also and that is ASPNET, which has
    insufficient rights to do the job of the COM server (which is querying a
    hierarchical db via a custom API).
    The COM server is actually a Delphi program.

    What can I do? How do I get the COM server called using the client's
    credentials? I thought that would happen automatically since the webmethod is
    running using the client's identity.

    Here is a test webservice method, which sends a mail to me showing me the
    credentials used inside the webservice and inside the COM service

    [WebMethod]
    public bool SendAMail(string address, string header, string body)
    {
        try
        {
            // This is a COM server sending SMTP mails.
            SendAMailProject.SendAMailClass sendMail =
                new SendAMailProject.SendAMailClass();

            // User.Identity.Name is the identity seen inside the web method;
            // the COM server reports its own current user as the sender.
            sendMail.SendMail(
                /* array with receivers */ new string[] { address },
                /* subject */ header + " send from " + User.Identity.Name,
                /* message */ body);
            return true;
        }
        catch
        {
            // Any failure in the COM call is swallowed and reported as false.
            return false;
        }
    }

    When I call the webmethod with the parameters
    SendAMail("", "Test", "don't care")
    it returns true.

    Since the COM server uses the current user as sender address I can see it in
    the mail I receive. It is
    ASPNET

    The subject shows the client that has called the webservice and at this
    point it is really the client who called the webservice. Up to this point
    impersonation has worked:
    Test send from mydomain\myaccount

    Thanks in advance,
    Gangolf
     
    Gangolf, Sep 28, 2007
    #1

  2. Gangolf

    Gangolf Guest

    I found a relevant knowledge base article in the meantime:
    http://support.microsoft.com/kb/325791/en-us

    It is much more difficult than I thought - my COM server is of STA type and
    it is really complex...

    Thanks, Gangolf

    Gangolf, Sep 29, 2007
    #2

  3. Gangolf

    Gangolf Guest

    RE: Calling COM Server from ASP.NET WebService - impersonation pro

    Good news. If I add the CoImpersonateClient() call into my COM server (which
    is a COM+ server luckily) it works!

    Gangolf, Sep 29, 2007
    #3
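
The pattern behind the CoImpersonateClient() fix reported in post #3, as an added example that is not code from the thread: a Delphi wrapper that impersonates the COM caller, does the work, and always reverts. The unit name, `TWorkProc`, `RunAsComCaller` and `CurrentThreadUser` are hypothetical, and it assumes Delphi's `ActiveX` unit declares `CoImpersonateClient` and `CoRevertToSelf`.

```delphi
unit ImpersonatedCall;  // hypothetical unit name, not from the thread

interface

uses
  Windows, ActiveX, ComObj, SysUtils;

type
  TWorkProc = procedure;  // hypothetical callback type for the real work

// Account the calling thread currently runs as: the process account
// (ASPNET in the thread) unless the thread is impersonating.
function CurrentThreadUser: string;

// Runs Work under the COM caller's identity and always reverts afterwards.
procedure RunAsComCaller(Work: TWorkProc);

implementation

function CurrentThreadUser: string;
var
  Buf: array[0..256] of Char;  // UNLEN (256) characters plus terminator
  Len: DWORD;
begin
  Len := Length(Buf);
  if not GetUserName(Buf, Len) then
    RaiseLastOSError;
  Result := Buf;
end;

procedure RunAsComCaller(Work: TWorkProc);
begin
  // A failed HRESULT must stop the call: continuing would silently do the
  // work as the server's own account instead of the caller's.
  OleCheck(CoImpersonateClient);
  try
    Work;  // e.g. the database query or mail send; sees the caller's token
  finally
    // Drop the caller's token before the thread returns to COM.
    OleCheck(CoRevertToSelf);
  end;
end;

end.
```
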
  4. Pom

    Pom Guest

    RE: Calling COM Server from ASP.NET WebService - impersonation pro

    Another way around this, if you can't change the code: the way we did it
    at our end was to change the identity of the COM+. We made it the same
    username+password as the application pool that was running our application,
    and it works.

    Pom, Nov 5, 2007
    #4