«

Hello,

I'm writing a web method which calls a COM+ method, which I need to
call with the user that logged on to windows and invoked the WebMethod
(impersonation).

Simple impersonation works (impersonte=true in web.config) - however, i
need that only a certain part of the code will run in this context. For
other parts, i need different grant opions.

So that where code-impersonation comes in (using
HttpContext.Current.User.Indetity and calling Impersonate()).

For example:

[WebMethod]
public void ConfusedMethod()
{
// This lines will need some powerful grants
WriteSomethingToEventLog();
OpenFileInSystemDirectory();

// This lines should be run with the user
DoImpersonation();
CallComComponent();
UndoImpersonation();
}

THE PROBLEM IS:
i need the first lines to run with a differnet user. i dont want to use
2 impersonations.
i want all the other parts - which are not in the impersonation scope -
to run with a user ill configure in IIS (NOT "network service"!)

tried the following:
1 - configure the webservice to run as anonymous access, with a certain
user. but then Impersonate() doesnt work (exception - cant impersonate
with an anonymous user).

2 - configure the webservice as windows-integrated security. now i
want to decide which user will run the "default lines". so the only way
i see - is create an application pool with identity=MyDefaultUser.
when doing this, i get an http 401 error (unauthorized) if i try to
call the web service. the only user which works is if i call the
webservice with MyDefaultUser.

I DO set the credentials for the webservice (defaultCredentials) - so
thats not the problem.

whats the correct way to accomplish that?

Hi,

set the AppPool identity to whatever you want your app to run under (add
this account to the IIS_WPG local group)
You have to enable Windows integrated auth and disable anonymous access in
IIS
enable Windows authentication in ASP.NET <authentication mode="Windows" />
the clients need read DACLS on the asmx files.

this should do it.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello,
>
> I'm writing a web method which calls a COM+ method, which I need to
> call with the user that logged on to windows and invoked the WebMethod
> (impersonation).
>
> Simple impersonation works (impersonte=true in web.config) - however,
> i need that only a certain part of the code will run in this context.
> For other parts, i need different grant opions.
>
> So that where code-impersonation comes in (using
> HttpContext.Current.User.Indetity and calling Impersonate()).
> For example:
>
> [WebMethod]
> public void ConfusedMethod()
> {
> // This lines will need some powerful grants
> WriteSomethingToEventLog();
> OpenFileInSystemDirectory();
> // This lines should be run with the user
> DoImpersonation();
> CallComComponent();
> UndoImpersonation();
> }
> THE PROBLEM IS:
> i need the first lines to run with a differnet user. i dont want to
> use
> 2 impersonations.
> i want all the other parts - which are not in the impersonation scope
> -
> to run with a user ill configure in IIS (NOT "network service"!)
> tried the following:
> 1 - configure the webservice to run as anonymous access, with a
> certain
> user. but then Impersonate() doesnt work (exception - cant impersonate
> with an anonymous user).
> 2 - configure the webservice as windows-integrated security. now i
> want to decide which user will run the "default lines". so the only
> way
> i see - is create an application pool with identity=MyDefaultUser.
> when doing this, i get an http 401 error (unauthorized) if i try to
> call the web service. the only user which works is if i call the
> webservice with MyDefaultUser.
> I DO set the credentials for the webservice (defaultCredentials) - so
> thats not the problem.
>
> whats the correct way to accomplish that?
>

hi & thanks for the quick reply.

your suggestion is exactly the same as my #2 attempt to solve the
problem (mentioned above).
the situation now is exactly as you mentioned.
the new info you've added is about DACLs. i dont exactly know what you
meant, but i tried adding read permissions through windows file system
(is that what you meant?) to the user & nada.

btw - if i open myService.asmx from the local computer it works with no
problem (because im logged as the same user that runs the apppool).
if i open myService.asmx from a remote computer - i get prompted to
enter user & pass, and nothing passes through, even if i enter the
apppool user & its password.


any ideas?

Hi,

give it a try and give the IUSR account read DACL on the asmx.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> hi & thanks for the quick reply.
>
> your suggestion is exactly the same as my #2 attempt to solve the
> problem (mentioned above).
> the situation now is exactly as you mentioned.
> the new info you've added is about DACLs. i dont exactly know what you
> meant, but i tried adding read permissions through windows file system
> (is that what you meant?) to the user & nada.
> btw - if i open myService.asmx from the local computer it works with
> no
> problem (because im logged as the same user that runs the apppool).
> if i open myService.asmx from a remote computer - i get prompted to
> enter user & pass, and nothing passes through, even if i enter the
> apppool user & its password.
> any ideas?
>

Hello,
If i understood your problem exactly, my advice u to impersonate your com+
component not ASP.NET or IIS. To accomplish this u must register your com+
component under a com+ application that is configured to run as a server
application(or you can modify IIS application protection level). Impersonate
this com+ application. Add read&execute rights for the physical dll for
ASPNET user and give directory listing rights on that hard drive...

This is the easiest way to do this. But it might has some security risks i
am not sure.. Be careful on this scenario. "Anyone who can call your com+
component will have impersonated user's rights and permissions.. "

--
HTH

Thanks,
Yunus Emre ALPÖZEN
BSc, MCSD.NET
Microsoft .NET & Security MVP

<> wrote in message
news: oups.com...
> hi & thanks for the quick reply.
>
> your suggestion is exactly the same as my #2 attempt to solve the
> problem (mentioned above).
> the situation now is exactly as you mentioned.
> the new info you've added is about DACLs. i dont exactly know what you
> meant, but i tried adding read permissions through windows file system
> (is that what you meant?) to the user & nada.
>
> btw - if i open myService.asmx from the local computer it works with no
> problem (because im logged as the same user that runs the apppool).
> if i open myService.asmx from a remote computer - i get prompted to
> enter user & pass, and nothing passes through, even if i enter the
> apppool user & its password.
>
>
> any ideas?
>

Dominick: your suggestion didn't work.

Yunus: I didnt understand your suggestion. What do you mean by
"personationg the com+ component"? how can you do that?
the com+ component IS a server component. If you can be more specific..

remember -
1. i need the com+ methods to run with the user who invoked my web
service
2. i need other methods in my webservice to run as MyUser.

thanks.