'access denied' calling remote DCOM NT service from ASP

Sergey V

Having the following problem:

1. Client: ASP application with anonymous access to be running as
DOMAIN\my_user on WinXP
2. Server: DCOM NT Service runs on remote host (W2K Server) under the same
account DOMAIN\my_user
security within server is initialized using
hr = CoInitializeSecurity(&appid, -1, NULL, NULL, 0, 0, 0, EOAC_APPID,
NULL);

when trying to access the application from ASP - getting
DCOM got error "General access denied error " from the computer MY_SERVER
when attempting to activate the server:
in System event log. Granting "everyone" on target system resolves the
problem, but I would like to have limited user access.

When running the same client scenario from test C++ application running
under DOMAIN\my_user interactive account - everything works with no problem.

The question is what could be wrong with configuration of security under
IIS?

Thanks in advance.
 
Jeff Fink

Sergey V said:
when trying to access the application from ASP - getting
DCOM got error "General access denied error " from the computer MY_SERVER
when attempting to activate the server:
in System event log. Granting "everyone" on target system resolves the
problem, but I would like to have limited user access.

When running the same client scenario from test C++ application running
under DOMAIN\my_user interactive account - everything works with no problem.

The question is what could be wrong with configuration of security under
IIS?

Are you logging on via the web page or running anonymous? Does the
anonymous user have access via DCOM?
 
Sergey V

Jeff Fink said:
Are you logging on via the web page or running anonymous? Does the
anonymous user have access via DCOM?

IIS Virtual Directory security is set to anonymous, but "Account used for
anonymous access" is DOMAIN\my_user. And I suppose it should be used to both
access file system and make RPC calls. Isn't it? Did not find references on
that topic in documentation.
 
Sergey V

Just found the solution, the trick is to:

1. Set IIS Virtual Dir "Application Protection" to High (Isolated), now
we'll get COM+ application registered

2. Go to Control Panel -> Administrative Tools -> Component Services
and find the application under Component Services -> My Computer -> COM+
Applications
and specify the user on Identity tab
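
The same two steps checked and applied through the COM+ administration catalog, as an added example that is not part of the original thread: it lists the COM+ applications matching a name filter together with the identity each runs as, and changes the identity only when one is given. The `IIS-*` filter and the parameter names are assumptions; use the application name shown in Component Services.

```powershell
# Added example (not from the thread). Run elevated on the IIS machine.
param(
    [string]$NameFilter = 'IIS-*',   # assumption: how the isolated app is named
    [string]$NewIdentity             # e.g. 'DOMAIN\my_user'; omit to audit only
)

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

$matched = @($apps | Where-Object { $_.Name -like $NameFilter })
if ($matched.Count -eq 0) {
    Write-Warning "No COM+ application matches '$NameFilter'."
    return
}

# Audit: which account each matching application runs as. This is the
# identity the remote DCOM server sees when the ASP page activates it.
$matched | ForEach-Object {
    New-Object PSObject -Property @{
        Name         = $_.Name
        AppId        = $_.Key
        Identity     = $_.Value('Identity')
        AccessChecks = $_.Value('ApplicationAccessChecksEnabled')
    }
} | Format-Table Name, Identity, AccessChecks, AppId -AutoSize

if (-not $NewIdentity) { return }
if ($matched.Count -ne 1) {
    throw "Filter matches $($matched.Count) applications; narrow it before changing an identity."
}

# Prompt for the password instead of taking it on the command line,
# so it does not end up in shell history or process listings.
$cred = Get-Credential -Credential $NewIdentity
$app  = $matched[0]
$app.Value('Identity') = $cred.UserName
$app.Value('Password') = $cred.GetNetworkCredential().Password
[void]$apps.SaveChanges()
Write-Output "'$($app.Name)' now runs as $($cred.UserName)."
```

With the identity known, the DCOM server's permissions on the target machine can name that one account instead of "everyone".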
 
Jeff Fink

Sergey V said:
IIS Virtual Directory security is set to anonymous, but "Account used for
anonymous access" is DOMAIN\my_user. And I suppose it should be used to both
access file system and make RPC calls. Isn't it? Did not find references on
that topic in documentation.

Saw that you found your solution, but I thought I would comment on your
question. Several years ago, I worked at MS in Redmond and was given the
task of setting up a prototype web personalization system using existing MS
products so we could do performance measurements of the different
components. The idea being that we would use the best parts and build
better ones for the places where performance was a problem.

So I put the system together and used an early ADSI build to query a DS from
an ASP web page (IIS 4). I found dramatically different results when
querying via ASP versus an identical VBS script run from the command line.
So different in fact, that you could only query ADSI 64 times via ASP
(didn't matter if it was 64 times on one page or 64 pages with 1 query)
before the Windows LDAP client would lock up and stop issuing queries. The
VBS script had no such limitations.

They got me a fix, but I never really understood what the problem was. The
only difference between my ASP and VBS code was the function I called to
output the results. So there was something in IIS that greatly affected the
way the objects were called and run. I would suspect that in some ways
there still is.

-Jeff
 
Brian Muth

This really has nothing to do with the OP's problem.

The reason Sergey hit an access denied is that, by default, an ASP
application runs as IWAM_<computer>.

Brian
 
