Impersonation with DCOM server

Discussion in 'ASP .Net Security' started by Ivan Samuelson, Jan 14, 2004.

  1. I have an ASP.NET application that accesses a DCOM object
    on a remote server. I am using Windows Authentication to
    allow users to have access to my ASP.NET application.
    Then, the ASP.NET application will attempt to connect to
    the DCOM object. However, connections to the DCOM object
    will only be allowed to users whose NT Domain accounts
    have been granted access to it. I have the web.config file set up as follows:

    <authentication mode="Windows" /><identity impersonate="true" />

    I assumed that this would mean that requests to the DCOM server should go out as the authenticated user. However, that doesn't seem to be the case, as I keep getting an Access is Denied error whenever I attempt to access the DCOM object. If I then change the identity element to include a valid domain account and password, it works:

    <identity impersonate="true" userName="somedomain\someuserid" password="password" />

    I really do not want to hardcode a username and password into the web.config file. How can I make my ASP.NET application "pass off" the authenticated user to the DCOM server rather than attempting to access it as the ASPNET account? Is that even possible? I've tried even wrapping the call to the DCOM object inside code that is supposed to turn impersonation and that still results in an Access is Denied error.

    Any help would be appreciated.

    Thanks!
    Ivan Samuelson, Jan 14, 2004
    #1

  2. I believe I answered your question previously in the dotnet.security group.

    The reason it works when you specify a username and password is that a
    primary token is created for that user and it is used to impersonate.
    Primary tokens can make one hop to another machine on the network.

    When you just use impersonation and integrated windows authentication, you
    get an impersonation token on the IIS server. Impersonation tokens don't
    hop to other servers unless Kerberos delegation is enabled and working.

    There are helpful tech notes on Kerberos delegation in the Knowledge Base.

    Joe K.

    "Ivan Samuelson" <> wrote in message
    news:...
    > I have an ASP.NET application that accesses a DCOM object
    > on a remote server. I am using Windows Authentication to
    > allow users to have access to my ASP.NET application.
    > Then, the ASP.NET application will attempt to connect to
    > the DCOM object. However, connections to the DCOM object
    > will only be allowed to users whose NT Domain accounts
    > have been granted access to it. I have the web.config file set up as follows:
    >
    > <authentication mode="Windows" /><identity impersonate="true" />
    >
    > I assumed that this would mean that requests to the DCOM server should go
    > out as the authenticated user. However, that doesn't seem to be the case, as
    > I keep getting an Access is Denied error whenever I attempt
    > to access the DCOM object. If I then change the identity element to
    > include a valid domain account and password, it works:
    >
    > <identity impersonate="true" userName="somedomain\someuserid" password="password" />
    >
    > I really do not want to hardcode a username and password into the
    > web.config file. How can I make my ASP.NET application "pass off" the
    > authenticated user to the DCOM server rather than attempting to access it as
    > the ASPNET account? Is that even possible? I've tried even wrapping the call
    > to the DCOM object inside code that is supposed to turn impersonation and
    > that still results in an Access is Denied error.
    >
    > Any help would be appreciated.
    >
    > Thanks!
    Joe Kaplan (MVP - ADSI), Jan 14, 2004
    #2
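
The distinction drawn in reply #2 can be checked from inside the ASP.NET application. The following is an added example, not code from either poster: it reports the level of the token on the request thread when `<identity impersonate="true" />` is used with Integrated Windows Authentication. It assumes .NET 2.0 or later (for `WindowsIdentity.ImpersonationLevel`); the class name `TokenHopCheck` is hypothetical.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic (hypothetical helper, not from the thread).
// Call it from a page or handler of the impersonating application.
public static class TokenHopCheck
{
    // Reports whether the identity on the current request thread can be
    // presented to a second machine, such as the remote DCOM server.
    public static string Describe()
    {
        // While impersonating, GetCurrent() returns the thread token
        // (the browser user), not the worker process account.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            string who = id.Name + " [auth package: " + id.AuthenticationType + "]";

            switch (id.ImpersonationLevel)
            {
                case TokenImpersonationLevel.Delegation:
                    // Kerberos delegation is in effect for this logon.
                    return who + ": delegation-level token, usable on remote systems.";

                case TokenImpersonationLevel.Impersonation:
                    // The case described in reply #2: valid on the IIS box only.
                    // A token built from a stored userName/password carries
                    // credentials and is not assessed by this check.
                    return who + ": impersonation-level token, local use only; "
                               + "remote calls will not carry this user.";

                case TokenImpersonationLevel.None:
                    // Not impersonating: calls go out as the process account.
                    return who + ": primary (process) token, no impersonation active.";

                default:
                    // Anonymous or Identification: cannot act as the user at all.
                    return who + ": level " + id.ImpersonationLevel
                               + ", cannot be used to access resources as the user.";
            }
        }
    }
}
```

Writing the result of `TokenHopCheck.Describe()` to a test page shows which case applies before the DCOM call is attempted.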