Thursday, December 08, 2005

DCOM and ASP.NET permissions…A Microsoft Nightmare

Why anyone would choose a Microsoft IIS server over Apache is beyond me, but all personal preferences aside, permissions for DCOM objects are a nightmare when they need to access remote data.

I had a bug to solve which ultimately boiled down to a DCOM object calling IFileSourceFilter::Load. Seems simple enough…Load merely takes a file path or URL, whichever you prefer (in this case it was a URL). It always failed, however, with 0x80070002 “The system cannot find the file specified.” After checking all of the obvious things (did the file really exist, was the path properly formed, was I using an unsupported internet protocol) I decided to take this section of code out of the project and stick it in an EXE by itself. Lo and behold, it worked just fine! Hmm, interesting: it works in an EXE but not in a DCOM.

So now you’re thinking, permissions! So I checked the permissions on the DCOM object and everyone listed had permissions to do just about anything. Then I thought I was missing a user. When the DCOM object is run, it’s spawned by IIS and the owner is “ASPNET.” So I added that user to the DCOM permissions and gave it full permissions. Still no luck.

Finally, after adjusting just about every IIS, Windows and .NET Framework security permission, I began a quest to google just about every possible combination of “ASP.NET permissions, IFileSourceFilter, DCOM, file not found” that I could think of. Eventually I came across this bit of text from Microsoft.

When using , which is the default setting, ASP.NET attempts to delegate the ASPNET local user account. As this account does not possess any network credentials, to the network it appears as the Windows anonymous account (NT AUTHORITY\ANONYMOUS LOGON).

Well now we’re getting somewhere. So the webserver (IIS) spawns a process that has no access to the web. Ok then…A bit more searching revealed this. http://www.15seconds.com/issue/030926.htm

So I attempted impersonation on the whole web application.

That did the trick. But who really wants their whole web-app running as a domain user? No one. More googling revealed a C# class that accomplishes impersonation just long enough to spawn the DCOM object and run it with decent permissions. What a nightmare!
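The scoped approach the post describes, as an added example that is not the class the author found nor Microsoft's own code: a small IDisposable helper that calls the Win32 LogonUser API for a domain account, impersonates it with WindowsIdentity.Impersonate only while the DCOM call is made, and reverts afterwards, so the rest of the web application keeps running as the low-privilege ASPNET identity instead of being switched wholesale with web.config's `<identity impersonate="true" userName="…" password="…"/>`. The ScopedImpersonation class name, the domain/user/password parameters and the placement of the DCOM call inside the using block are assumptions of this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (added example, not the class referred to in the post).
// Impersonates a domain account only for the lifetime of a using block.
public sealed class ScopedImpersonation : IDisposable
{
    // LogonUser constants from winbase.h.
    private const int LOGON32_LOGON_INTERACTIVE = 2;   // token carries network credentials
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    private IntPtr token = IntPtr.Zero;
    private WindowsImpersonationContext context;

    // Credentials are parameters here; in a real application read them from a
    // protected configuration section, never from source code.
    public ScopedImpersonation(string domain, string user, string password)
    {
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 reason (bad password, logon type denied, ...)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        context = WindowsIdentity.Impersonate(token);
    }

    // Identity the current thread presents right now (ASPNET before/after,
    // the domain account inside the using block).
    public static string CurrentName
    {
        get { return WindowsIdentity.GetCurrent().Name; }
    }

    // Undo the impersonation and release the token, even if the DCOM call threw.
    public void Dispose()
    {
        if (context != null) { context.Undo(); context = null; }
        if (token != IntPtr.Zero) { CloseHandle(token); token = IntPtr.Zero; }
    }
}

public static class FilterLoader
{
    // Example call site: only this block runs as the domain account.
    public static void LoadSourceFile(string domain, string user, string password, string url)
    {
        using (new ScopedImpersonation(domain, user, password))
        {
            // Create the DCOM object and call IFileSourceFilter::Load(url) here;
            // the remote file server now sees the domain account rather than
            // NT AUTHORITY\ANONYMOUS LOGON.
        }
        // Back to the ASPNET identity from this point on.
    }
}
```

Two practical caveats: the account used should be a dedicated low-privilege domain user with read access to the file share and nothing more, with its password stored in an encrypted web.config section (aspnet_regiis -pe) rather than in code; and whether an out-of-process DCOM server actually sees the impersonated identity depends on the COM cloaking settings and on the server's own "run as" identity configuration, so verify with CurrentName and the server-side audit log rather than assuming the token propagated.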

1 comment:

  1. Hey Chris,
    Could you please also post the C# class that you googled out? Thanks a lot!
    - Dusko