
COM object creation fails when impersonation is done [PSC]

I have a web application with impersonate="true" in Web.config and on my own logon page I allow the user to either

- specify a userid/password for the app to impersonate when calling legacy COM objects
- or, just use the interactive user

If they choose to use the interactive option, the impersonate="true" means that the process runs under the interactive user (which I've confirmed works correctly). If they specify a userid/password, I impersonate that user in code via the LogonUser/ImpersonateLoggedOnUser APIs. This too works.

When using the interactive option the COM object is correctly instantiated under the interactive user and can be called.

BUT, if a user is specifically impersonated (even the same one as was available as interactive), object instantiation fails on "Type.GetTypeFromProgID(sObj, true)" with an "invalid class string" exception. The class string is the same one that succeeded previously.

Note the following:

- setting AspCompat="true" on the page doing the impersonation and COM object creation as per the "ASP.Net MTA calling STA COM object access denied" problem doesn't alter behaviour

- doesn't matter if the COM object is in a COM+ package under a particular userid/password or outside of COM+

- using different APIs (LogonUser/DuplicateToken/WindowsIdentity.Impersonate) to perform impersonation doesn't affect the problem. In all cases impersonation succeeds

- doesn't matter if the ASPNET user is admin on the machine or is set to 'Act as part of OS' via Local Policy (which isn't required on WinXP anyway)

- doesn't matter if impersonation and COM object creation is attempted in Page_ events or not

Finally, changing to impersonate="false" in Web.config allows COM object creation to succeed when impersonation is requested (as opposed to above). It also works in interactive mode, however the user in this case stays as ASPNET which is not much good for the purposes of this particular application.

Is there any other reason that COM object creation is still failing when impersonate="true" and I try to impersonate another userid/password in code? Are there workarounds for the situation? The options I've tried above were suggested by other posts in this forum.

Anthony

Nov 18 '05 #1
Hi Anthony,

From your description, you used impersonation (declaratively or
programmatically) in your asp.net web application and call a COM object.
When you set impersonate=true and also use the LogonUser or other API
to specifically impersonate another user, you encounter an error when
calling the COM object, yes?
I'm still not sure of the actual steps, so if I misunderstand anything, please
feel free to correct me.

As for this problem, I think you can still try the following things:
1. Try using the SYSTEM account instead of MACHINE for asp.net's
worker process in the <processModel> element in the machine.config file to see
whether it'll work.

2. You mentioned that the error occurs after you call the API to
impersonate a specified account and then call a COM object. Have you tried
using the API to re-impersonate the user that is passed from
IIS (for integrated Windows authentication)? For example, when we use a
domain user account to visit the impersonated web app, the current user
should be the domain account; then we use the API to impersonate this
account again to see whether the problem remains.

3. The error message indicates that the problem is likely caused by
a permission issue when trying to access a certain registry key for calling the
COM object. I recommend that you use Filemon or Regmon to monitor and
confirm this.

If you have any finding on this, please feel free to let me know. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx


Nov 18 '05 #2
Hi Anthony,

Have you had a chance to check out the suggestions in my last reply or have
you got any further ideas on this issue? If anything is unclear or if
there's anything else we can help with, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Nov 18 '05 #3
Steven

Sorry for the late reply. I've been tied up on other things.

You had the right idea about the steps. The application is a test harness to test VB6 COM business objects. I allow domain\userid-password to be entered on a Logon page and then impersonate programmatically if they are supplied. If no domain\userid-password are supplied, the interactive user is automatically made available by impersonate="true" in Web.config. This allows the business objects to be called in whatever user context the person using the test harness desires.

As already stated, the problem arises creating COM objects after impersonating programmatically when impersonate="true". If impersonate="false", creating COM objects works after programmatic impersonation or when using the interactive user without further impersonation.

Questions/observations of your points:

For 1), I don't currently have a machine.config. Is this a per machine or per application file (like Web.config)? I didn't see one in the .Net framework dir tree. I'll do more reading about this.

In 2) you suggest re-impersonating as the (same) interactive user. I tried this by supplying my own domain\userid-password which was the interactive user and was being correctly handled via impersonate="true". I typed the same domain\userid-password on my Logon page and programmatically impersonated again and COM creation still failed.

3) If it was a permissions problem I wouldn't have expected my own userid to fail when I used this to impersonate. But I'll look at the utilities you mentioned.

Anthony

Nov 18 '05 #4
Steven

I've found the Machine.config file and made the change you suggested (using system account).

It seems to have worked. I can now instantiate COM objects after having done programmatic impersonation.

What would be the reason for this? That SYSTEM has the authority to instantiate COM objects, but ASPNET doesn't? And even though I do impersonation in code, the authorities are still inherited from these users?

Also, is there a way to automate the change to Machine.config so that when my application is installed on another server the Machine.config is correct? Or can this be done on an application-by-application basis?

It seems odd to have to change a machine-wide configuration to get this to work just for my application.

Anthony

Nov 18 '05 #5
Hi Anthony,

Since it works when you change the processModel's account in
machine.config, we can confirm that the problem is caused by the default
machine\aspnet account, which doesn't have read permission to a certain COM
object's registry key.
Also, the processModel setting is only available in machine.config and
cannot be overridden in web.config.
In my opinion, we still need to find the registry key which the
machine\aspnet account failed to access and grant the permission to the
machine\aspnet account so that we don't have to change the processModel's
account. Do you think so?

If you have any further question, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Nov 18 '05 #6
Steven

I found another way around this. When I call LogonUser (followed by ImpersonateLoggedOnUser) I should specify LOGON32_LOGON_NETWORK rather than LOGON32_LOGON_INTERACTIVE. This allows Machine.config to stay unchanged (processModel username="machine") and Web.config to use impersonate="true".

Anthony

Nov 18 '05 #7
Hi Anthony,

Thanks for your followup. Well, since you mentioned that it worked well
when you use LOGON32_LOGON_NETWORK instead of LOGON32_LOGON_INTERACTIVE to
call the LogonUser API, I think this
confirms that the problem is caused by a certain permission on the COM
component's registry key not being set for the machine account. And calling
LogonUser with LOGON32_LOGON_NETWORK and LOGON32_LOGON_INTERACTIVE may
behave differently with respect to the registry's permissions. The
LOGON32_LOGON_INTERACTIVE will let us fully use the current user's
registry permission, so that makes it possible for us to access the certain
regkey. Do you think so? Also, you can use a monitor to see which regkey
caused the problem and check its access permission list to confirm this.
Anyway, I'm glad that you've found a proper solution on this issue. Have a
good day.

Regards,

Steven Cheng
Microsoft Online Support

Nov 18 '05 #8
Steven

I'd guess too that it's a permission thing affected by LOGON_NETWORK versus LOGON_INTERACTIVE. Although my understanding is that LOGON_NETWORK just gives access to network resources and we don't seem to be dealing with network-specific resources here I think.

Anyway, if I get to do a registry monitor and it shows something interesting, I'll post here.

Thanks for your help.

Anthony

Nov 18 '05 #9
