Impersonation with DCOM server

Ivan Samuelson

I have an ASP.NET application that accesses a DCOM object
on a remote server. I am using Windows Authentication to
allow users to have access to my ASP.NET application.
Then, the ASP.NET application will attempt to connect to
the DCOM object. However, connections to the DCOM object
will only be allowed to users whose NT Domain account
have been granted access to it. I have the web.config file set up as follows

<authentication mode="Windows" /><identity impersonate="true" />

I assumed that this would mean that requests to the DCOM server should go out as the authenticated user. However, that doesn't seem to be the case, as I keep getting an Access is Denied error whenever I attempt
to access the DCOM object. If I then change the identity element to include a valid domain account and password, it works:

<identity impersonate="true" userName="somedomain\someuserid" password="password" />

I really do not want to hardcode a username and password into the web.config file. How can I make my ASP.NET application "pass off" the authenticated user to the DCOM server rather than attempting to access it as the ASPNET account? Is that even possible? I've even tried wrapping the call to the DCOM object inside code that is supposed to turn on impersonation, and that still results in an Access is Denied error.

Any help would be appreciated.

Thanks

Joe Kaplan (MVP - ADSI)

I believe I answered your question previously in the dotnet.security group.

The reason it works when you specify a username and password is that a
primary token is created for that user and it is used to impersonate.
Primary tokens can make one hop to another machine on the network.

When you just use impersonation and integrated windows authentication, you
get an impersonation token on the IIS server. Impersonation tokens don't
hop to other servers unless Kerberos delegation is enabled and working.

There are helpful tech notes on Kerberos delegation in the Knowledge Base.

Joe K.

Ivan Samuelson said:
I have an ASP.NET application that accesses a DCOM object
on a remote server. I am using Windows Authentication to
allow users to have access to my ASP.NET application.
Then, the ASP.NET application will attempt to connect to
the DCOM object. However, connections to the DCOM object
will only be allowed to users whose NT Domain account
have been granted access to it. I have the web.config file set up as follows:

<authentication mode="Windows" /><identity impersonate="true" />

I assumed that this would mean that requests to the DCOM server should go
out as the authenticated user. However, that doesn't seem to be the case, as
I keep getting an Access is Denied error whenever I attempt
to access the DCOM object. If I then change the identity element to
include a valid domain account and password, it works:
<identity impersonate="true" userName="somedomain\someuserid" password="password" />

I really do not want to hardcode a username and password into the
web.config file. How can I make my ASP.NET application "pass off" the
authenticated user to the DCOM server rather than attempting to access it as
the ASPNET account? Is that even possible? I've even tried wrapping the call
to the DCOM object inside code that is supposed to turn on impersonation, and
that still results in an Access is Denied error.
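The distinction Joe draws (an impersonation-level token that works locally on the IIS box versus a delegation-level token that can be forwarded to the DCOM server) can be checked from inside the web application before touching DCOM at all. The following page is an added diagnostic example, not code from either poster; the page class name TokenCheck is a made-up placeholder, and it assumes Windows authentication with <identity impersonate="true" /> is already configured, as in the original web.config.

```csharp
// Added diagnostic page (not from the original thread): report what kind of
// token IIS actually handed the request thread under <identity impersonate="true" />.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class TokenCheck : Page   // TokenCheck is a placeholder name
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Under impersonation, GetCurrent() returns the caller's token rather
        // than the worker process identity (ASPNET / application pool account).
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        Response.ContentType = "text/plain";
        Response.Write("Name:               " + id.Name + "\n");

        // "NTLM" can never be delegated to a second machine; only a Kerberos
        // logon can yield a token good for the hop to the DCOM server.
        Response.Write("AuthenticationType: " + id.AuthenticationType + "\n");

        // Impersonation = usable on this server only (the symptom in the thread).
        // Delegation    = the token can be forwarded to the remote DCOM server.
        Response.Write("ImpersonationLevel: " + id.ImpersonationLevel + "\n");

        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            Response.Write("\nThis token will not survive the hop to the remote DCOM server.\n");
            Response.Write("Things to verify: the browser authenticated with Kerberos rather\n");
            Response.Write("than NTLM; the IIS server's account is trusted for delegation in\n");
            Response.Write("Active Directory; the user account is not marked as sensitive and\n");
            Response.Write("cannot-be-delegated.\n");
        }
    }
}
```

Browse to the page as a domain user: if it reports NTLM or an ImpersonationLevel of Impersonation, the Access is Denied from DCOM is the expected double-hop failure and no amount of wrapping the call in extra impersonation code will change it; only a Kerberos logon with delegation enabled produces a Delegation-level token.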