COM object creation fails when impersonation is done [PSC]

Anthony Munter

I have a web application with impersonate=â€trueâ€ in Web.config and on my own logon page I allow the user to either

- specify a userid/password for the app to impersonate when calling legacy COM objects
- or, just use the interactive user

If they choose to use the interactive option, the impersonate="true" means that the process runs under the interactiv
user (which I've confirmed works correctly). If they specify a userid/password, I impersonate that user in code via th
LogonUser/ImpersonateLoggedOnUser API's. This too works

When using the interactive option the COM object is correctly instantiated under the interactive user and can be called

BUT, if a user is specifically impersonated (even the same one as was available as interactive), object instantiation fails on "Type.GetTypeFromProgID(sObj, true)" with an â€œinvalid class stringâ€ exception. The class string is the same one tha
succeeded previously

Note the following

- setting AspCompat=â€œtrueâ€ on the page doing the impersonation and COM object creation as per the â€œASP.Ne
MTA calling STA COM object access deniedâ€ problem doesn't alter behaviour

- doesnâ€™t matter if the COM object is in a COM+ package under a particular userid/password or outside of COM+

- using different API's (LogonUser/DuplicateToken/WindowsIdentity.Impersonate) to perform impersonatio
doesnâ€™t affect the problem. In all cases impersonation succeeds

- doesnâ€™t matter if the ASPNET user is admin on the machine or is set to â€˜Act as part of OSâ€™ via Local Policy (whic
isnâ€™t required on WinXP anyway)

- doesnâ€™t matter if impersonation and COM object creation is attempted in Page_ events or not

Finally, changing to impersonate=â€œfalseâ€ in Web.config allows COM object creation to succeed when impersonation i
requested (as opposed to above). It also works in interactive mode, however the user in this case stays as ASPNE
which is not much good for the purposes of this particular application

IS there any other reason that COM object creation is still failing when impersonate="true" and I try to impersonat
another userid/password in code? Are there workarounds for the situation? The options I've tried above were suggested b
other posts in this forum

Anthony

Nov 18 '05 #1

Subscribe Post Reply

3433

Steven Cheng[MSFT]

Hi Anthony,

From your description, you used impersonate (declaratively or
programatically ) in your asp.net web application and call a COM object.
When you set the impersonate= true and also use the LogonUser or other API
to specifially impersonate as another user, you encountered error when
calling the COM object, yes?
I still not sure the actual steps , so if anything I misunderstand, please
feel free to correct me.

As for this problem, I think you can still try the following things:
1. Try using the SYSTEM account instead of the MACHINE for the asp.net's
workerprocess in the <processModel> element in mahcine.config file to see
whether it'll work.

2. Since you mentioned that the error occure after you call API to
impersonate as a specified account and calling a COM object. Have you tried
use API to reimpersonate as the certain user which is passed form the
IIS(for the integrated windows authentication). For example, when we use a
Domain user account visit the impersonated web app and the current user
should be the domain account, then we use API to impersonate as this
account again to see whether the problem remains.

3. Since the Error message indicate that the problem is likely caused by
the permission issues when try accessing a certain registry for calling the
COM. I recommend that you use Filemon or regmon to have a monitor to
confirm this .

If you have any finding on this, please feel free to let me know. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Nov 18 '05 #2

Steven Cheng[MSFT]

Hi Anthony,

Have you had a chance to check out the suggestions in my last reply or have
you got any further ideas on this issue? If you have anything unclear or if
there're anything else we can help, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Nov 18 '05 #3

Anthony Munter

Steven

Sorry for the late reply. I've been tied up on other things

You had the right idea about the steps. The application is a test harness to test VB6 COM business objects. I allow
domain\userid-password to be entered on a Logon page and then impersonate programmatically if they are supplied
If no domain\userid-password are supplied, the interactive user is automatically made available by impersonate="true
in Web.config. This allows the business objects to be called in whatever user context the person using the test harnes
desires

As already stated, the problem arises creating COM objects after impersonating programmatically whe
impersonate="true". If impersonate="false", creating COM objects works after programmatic impersonation or whe
using the interactive user without further impersonation

Questions/observations of your points

For 1), I don't currently have a machine.config. Is this a per machine or per application file (like Web.config)? I didn't se
one in the .Net framework dir tree. I'll do more reading about this

In 2) you suggest re-impersonating as the (same) interactive user. I tried this by supplying my own domain\userid
password which was the interactive user and was being correctly handled via impersonate="true". I typed the sam
domain-serid\password on my Logon page and programmatically impersonated again and COM creation still failed

3) If it was a permissions problem I wouldn't have expected my own userid to fail when I used this to impersonate. Bu
I'll look at the utilities you mentioned

Anthony

Nov 18 '05 #4

Anthony Munter

Steven

I've found the Machine.config file and made the change you suggested (using system account)

It seems to have worked. I can now instantiate COM objects after having done programmatic impersonation

What would be the reason for this? That SYSTEM has the authority to instantiate COM objects, but ASPNET doesn't? And even though I do impersonation in code, the authorities are still inherited from these users

Also, is there a way to automate the change to Machine.config so that when my application is installed on another serve
the Machine.config is correct. Or can this be done on an application-by-application basis

It seems odd to have to change a machine-wide configuration to get this to work just for my application

Anthony

Nov 18 '05 #5

Steven Cheng[MSFT]

Hi Anthony,

Since it works when you change the processModel's account in
machine.config. We can confirm that the problem is caused by the default
machine\aspnet account which haven't the read permission to the certain COM
's registry.
Also, the processModel setting is only avaliable in machine.config and not
able to override in web.config.
As my opinion, we still need to find the certain registry which the
machine\aspnet account failed to access and grant the permission for the
machine\aspnet account so that we don't have to change the processModel's
account. Do you think so?

If you have any further question, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Nov 18 '05 #6

Anthony Munter

Steven

I found another way around this. When I call LogonUser (followed by ImpersonateLoggedOnUser) I should specif
LOGON32_LOGON_NETWORK rather than LOGON32_LOGON_INTERACTIVE. This allows Machine.config to stay unchanged (processModel username="machine") and Web.config to use impersonate="true"

Anthony

Nov 18 '05 #7

Steven Cheng[MSFT]

Hi Anthony,

Thanks for your followup. Well, since you mentioned that it worked well
when you use LOGON32_LOGON_NETWORK instead of LOGON32_LOGON_INTERACTIVE to
call the LogonUser api, I think this
confirm that the problem is caused by some certain permission of the COM
component's register key not set for the machine account. And when calling
LogonUser via the LOGON32_LOGON_NETWORK and LOGON32_LOGON_INTERACTIVE may
have different perform on the registry's permissions. The
LOGON32_LOGON_INTERACTIVE will let use fully use the current user's
registry permission, so that makes use possible to access the certain
regkey. Do you think so. Also, you can have a monitor to see which regkey
caused the problem and check its access permission list to confirm this.
Any way, I'm glad that you've found a proper solution on this issue. Have a
good day.Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Nov 18 '05 #8

Anthony Munter

Steven

I'd guess too that it's a permission thing affected by LOGON_NETWORK versus LOGON_INTERACTIVE. Although m
understanding is that LOGON_NETWORK just gives access to network resources and we don't seem to be dealing wit
network-specific resources here I think

Anyway, if I get to do a registry monitor and it shows something interesting, I'll post here

Thanks for your help

Anthony

Nov 18 '05 #9

Similar topics

106

class object initialisation

by: A | last post by:

Hi, I have always been taught to use an inialization list for initialising data members of a class. I realize that initialsizing primitives and pointers use an inialization list is exactly the...

C / C++

Object Creation

by: Naren | last post by:

Hello All, I am confused on the object creation. Is it the constructor or something else? When constrcutor is called , Is space allocated for the object alraedy and only intialisation to...

C / C++

Object factory and Intel compiler

by: Ryan Mitchley | last post by:

Hi all I have code for an object factory, heavily based on an article by Jim Hyslop (although I've made minor modifications). The factory was working fine using g++, but since switching to the...

C / C++

Error 1307: Adding File Permissions to NTFS using System.Management Object in ASP.NET

by: Ben Dewey | last post by:

Project: ---------------------------- I am creating a HTTPS File Transfer App using ASP.NET and C#. I am utilizing ActiveDirectory and windows security to manage the permissions. Why reinvent...

C# / C Sharp

Create remote object with specified credentials.

by: Heliotic | last post by:

Hi everyone, Currently I am working on an application that will perform a remote scan of a specified server using the following code: Type t = Type.GetTypeFromProgID(...

C# / C Sharp

simple web fails with C:\Temp problem

by: Robm | last post by:

I have a super simple asp.net web (hello world plus the current time) which works fine on my development system. When copied to the target server an error is reported in that a file cannot be...

ASP.NET

Remote DNS Zone Creation with WMI and VB.NET

by: vbnetdev | last post by:

Hello All: This is crossposted to 2 WMI groups as they subject matter is relevant to their focus. I apologize in advance if it offends anyone. This code is giving access denied errors ("Access...

Visual Basic .NET

Help with destruction of an object created with the new operator- destructors

by: Pablo | last post by:

Hello, I am writing a windows application using C++ and BorlandBuilder 6 compiler. It is an event driven program and I need to create objects of some classes written by me. One of the classes...

C / C++

WCF Impersonation Process.Start Fails

by: =?Utf-8?B?SmFzb24gTGluZA==?= | last post by:

Hi, I have a WCF Service hosted by a Windows Service using Impersonation. The impersonation seems to be configured correctly, in that Thread.CurrentPrinipal is the user calling the service, not the...

.NET Framework

Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"

by: taylorcarr | last post by:

A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...

General

How to turn on java script in a villaon keypad mobile phone

by: Charles Arthur | last post by:

How do i turn on java script on a villaon, callus and itel keypad mobile phone

Java

Basic Javascript concepts

by: aa123db | last post by:

Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...

Javascript

Navigating the Data Structures and Algorithms (DSA)

by: BarryA | last post by:

What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...

Algorithms / Advanced Math

Looking to do Android software development, any suggestions? Is flutter better?

by: nemocccc | last post by:

hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?

General

Is that possible of reading the .csv file in column wise and the column have different lengths ?

by: Sonnysonu | last post by:

This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...

C / C++

How to build RAID in BIOS?

by: Hystou | last post by:

There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...

Computer Hardware

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...

General

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...

Windows Server