Access is denied when calling a remote serviced component (framework 1.1->1.0 issue)

Hi Stan,

From your description, you are calling a remote serviced component which
is developed in .net framework 1.0 from a web applicaton on a server. And
you encountered the Access Denied error yes?

As you mentioned that the problems gone away when you remove the framework
1.1 on the webserver? That means that the webserver has both 1.0 and 1.1
framework installed ,yes? If so, I think before we do some further
troubleshoot, we can first confirm that whether its the different version
that cause the problem.
Can you create a winform application( both under 1.0 and 1.1 framework) to
call the remote component to see what's the result.
Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

> Can you create a winform application( both under 1.0 and 1.1 framework) to

call the remote component to see what's the result.

WinForm or Console application does not have such problem..

Hi Stan,

Thanks for your followup. As you said that
=====================================
WinForm or Console application does not have such problem..
=====================================

Do you mean that both 1.0 or 1.1 's winform or console application can
correcttly consume the remote serviced component? If so, I think we can
address the problem as a secuirty issue. And the Serviced Component has
restriction on "Access Security" and "Launch Security". You can have a
check in the Configuration setting on the Serviced Component's server
through the
Administrator tools-->Component Services tool

When you running a winform or console application, it's security context is
your current login user on the machine. However, ASP.NET will by default
use the process account (Machine\ASPNET or NetworkService on WIN2K3 IIS6).
You can try use the "impersonate" to impersonate the ASP.NET run under a
powerful domain account( maybe the login account when you running the
winform application) to see whether the problem is really as we expected.
If you're not familiar with impersonate, here is a kb article which maybe
helpful:

#INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default...b;en-us;306158

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Steven,

When you running a winform or console application, it's security context is your current login user on the machine. However, ASP.NET will by default
use the process account (Machine\ASPNET or NetworkService on WIN2K3 IIS6).

That was the first thing I tried - setting processModel to the domain
account. It did not help.

What exactly is different in terms of security in 1.1? Why do I get 'Access
Deinied'?

Thanks,

-Stan

Hi Stan,

It is strange that there is no any event log.
I think you may try to see if the policies have been opened.
1. Audit Logon event (check success and failure)
2. Audit Account logon event (check success and failure)
3, Audit Object access(check success and failure)

We may find that by follow the steps below.
Start/Control panel/Administrative Tools/Local Security Policy/
In the Local Security Policy dialog, navigate to Security setting/Local
policies/Audit policy

After that we should find some events in the Security Log in the event log.

You may have a try and let me know the result.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

In 1.1 when ApplicationAccessControlAttribute is not present in the assembly,
the COM+ security configuration is enabled by default. In 1.0 security is
disabled by default. Maybe this is the problem.

"Stan" wrote:

Here is my scenario:

Web server
------------
Framework 1.1
Application proxy for the serviced component

Component server
-------------------
Framework 1.0
Serviced component (written in 1.0)

There is Access Denied error message on the web server when a call is made
to the component.

The problem goes away if framework 1.1 is uninstalled.

I switched the ISS binding with ASPNET_REGIIS - did not help...

Has anybody seen this before? How can I fix it?

Thanks,

-Stan

Yes, but if security is enabled, should I see that COM+ explorer? The
security checkbox was not checked...

"Ed" <Ed@discussions.microsoft.com> wrote in message
news:1C**********************************@microsof t.com...

In 1.1 when ApplicationAccessControlAttribute is not present in the assembly, the COM+ security configuration is enabled by default. In 1.0 security is
disabled by default. Maybe this is the problem.

"Stan" wrote:

Here is my scenario:

Web server
------------
Framework 1.1
Application proxy for the serviced component

Component server
-------------------
Framework 1.0
Serviced component (written in 1.0)

There is Access Denied error message on the web server when a call is made to the component.

The problem goes away if framework 1.1 is uninstalled.

I switched the ISS binding with ASPNET_REGIIS - did not help...

Has anybody seen this before? How can I fix it?

Thanks,

-Stan

Hi Stan,

Yes, we can check the security setting in the COM+ explorer. You may find
the three counterpart options by following the steps below.
1. Open COM+ explorer by running dcomcnfg
2. Navigate to the component we are using
3. right click on the component and click properties
4. select security tab
5. You may find security level, authentication level and Impersonate level
which is corresponding to the three options of
ApplicationAccessControlAttribute.

We can use the winform application but not the Webform application to
access to the Serviced component, so I suggest you check the eventlog's
security section on both the application proxy located computer and the
component located computer. If we do find we are using the same account to
access to the serviced component, but windows form succeeded while webform
application failed I think you may need to contact Microsoft PSS for
further and detailed trouble shooting, since we can not reproduce the
problem, it is hard to us to troubleshooting the problem in newgroup.

Thank for you understanding.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Stan,

Have you had a chance to check the suggestions in the former reply or have
you got this problem resolved? If there is anything else we can help,
please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)