Velocity Reviews - Computer Hardware Reviews

Impersonating a user in x64

 
 
CJM
03-08-2006
I use the following technique to impersonate a user in ASP, in order to
query active directory:

http://support.microsoft.com/default...b;EN-US;248187

Although the article indicates that this technique is supported by IIS4 &
IIS5, I actually run it successfully on Windows Server 2003 (IIS6).

However, I've got a new development machine which is running XP Pro x64
Edition, and now this technique doesn't work ('Cannot create object'-type
error).

Is there a way to get this to work on this OS? If not, what is the best
alternative that works on Server 2003 and XP x64?

Thanks in advance...

Chris


 
Anthony Jones
03-09-2006

"CJM" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I use the following technique to impersonate a user in ASP, in order to
> query active directory:
>
> http://support.microsoft.com/default...b;EN-US;248187
>
> Although the article indicates that this technique is supported by IIS4 &
> IIS5, I actually run it successfully on Windows Server 2003 (IIS6).
>
> However, I've got a new development machine which is running XP Pro x64
> Edition, and now this technique doesn't work ('Cannot create object'-type
> error).
>
> Is there a way to get this to work on this OS? If not, what is the best
> alternative that works on Server 2003 and XP x64?
>
> Thanks in advance...
>
> Chris
>


I suspect the problem has nothing to do with the impersonation technique.
You are getting an error trying to instantiate the object.

Try it in a standalone VBScript file; does that work?

You probably need to resolve permissions allowing IUSR to access the dll.

Anthony.


 
David Wang [Msft]
03-09-2006
The VB ActiveX object is 32bit. The OS is 64bit. The different "bitness" are
incompatible if attempting to run them in the same process (which you need
to do in order to change the impersonation token).

Your choices are to either:
1. Configure IIS on XP64 to run in 32bit WOW64 compatibility mode.
adsutil set W3SVC/Enable32BitAppOnWin64 1
Changing bitness can obviously cause other failures if you have code running
on IIS that must be 64bit. Search my blog for "WOW64" or "64bit" for an
understanding of the issue.
2. Recompile a 64bit version of the ActiveX object (probably have to do it
in C++ - there is no such thing as 64bit VB) and run everything as native
64bit.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//




 
CJM
03-09-2006

"David Wang [Msft]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> The VB ActiveX object is 32bit. The OS is 64bit. The different "bitness"
> are incompatible if attempting to run them in the same process (which you
> need to do in order to change the impersonation token).
>
> Your choices are to either:
> 1. Configure IIS on XP64 to run in 32bit WOW64 compatibility mode.
> adsutil set W3SVC/Enable32BitAppOnWin64 1
> Changing bitness can obviously cause other failures if you have code
> running on IIS that must be 64bit. Search my blog for "WOW64" or "64bit"
> for an understanding of the issue.
> 2. Recompile a 64bit version of the ActiveX object (probably have to do it
> in C++ - there is no such thing as 64bit VB) and run everything as native
> 64bit.
>



Thanks David...

Option 2 seems preferable... I do have a copy of C++ but unfortunately I
have zero knowledge of the language, so it would be very difficult for me to
do off my own back. Is there an equivalent KB article that provides the C++
code?

Option 1 is obviously a possibility. Switching to 32bit won't be a problem at
the moment, but you never know in the future. Plus we will be slowly
migrating to 64bit servers, and I might not have as much control over
these - these may need to run some 64bit code.

Is there an alternative to this whole impersonation technique?

Thanks


 
David Wang [Msft]
03-09-2006
Impersonation approach is the only choice you have.

I don't know if ADSI has a syntax to allow you to pass username/password for
the ADSI call, but if it does, it can be an "alternative".

Otherwise, you have no choice since:
1. ADSI needs a valid user identity
2. ASP only executes code with an impersonated identity from authentication

This means that:
1. if you configure authentication in IIS, the remote user identity is used
to execute code - which may not have permissions to Active Directory - hence
you need to modify the user somehow, either via an object that temporarily
changes the Impersonation token, or if ADSI allows a username/password to be
passed.
2. if you do not configure authentication in IIS and just use anonymous,
then the configured anonymous user account is used to execute code - which
can be configured to have permissions to Active Directory. But there is no
user authentication.

In other words, with ASP, there is no such thing as:
1. Authenticate using a Windows user account
2. Run code using another user account
-> Unless you use a custom component to perform #2

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
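
Added example, not part of the original posts: ADSI does have a syntax for passing a username and password, `IADsOpenDSObject::OpenDSObject`, and since ADSI itself is present in both 32-bit and 64-bit processes it needs no custom impersonation component. The helper names, the distinguished name and the account shown in the usage comment are hypothetical placeholders.

```vbscript
Option Explicit

' ADS_AUTHENTICATION_ENUM value: negotiate Kerberos/NTLM instead of a simple bind,
' so the password is not sent to the directory in clear text.
Const ADS_SECURE_AUTHENTICATION = &H1

' Hypothetical helper: bind to adsPath as the given account and return the object.
Function OpenAsUser(adsPath, userName, password)
    Dim provider
    ' The LDAP: namespace object implements IADsOpenDSObject.
    Set provider = GetObject("LDAP:")
    Set OpenAsUser = provider.OpenDSObject(adsPath, userName, password, _
                                           ADS_SECURE_AUTHENTICATION)
End Function

' Hypothetical helper: return displayName for a user DN, or a short error
' string so that a failed bind is not mistaken for an empty attribute.
Function LookupDisplayName(userDn, svcUser, svcPassword)
    Dim obj
    On Error Resume Next
    Set obj = OpenAsUser("LDAP://" & userDn, svcUser, svcPassword)
    If Err.Number <> 0 Then
        LookupDisplayName = "bind failed: 0x" & Hex(Err.Number)
        Err.Clear
        Exit Function
    End If
    LookupDisplayName = obj.Get("displayName")
    If Err.Number <> 0 Then
        LookupDisplayName = "attribute not readable: 0x" & Hex(Err.Number)
        Err.Clear
    End If
    On Error GoTo 0
End Function

' Usage (constructed placeholder values; supply your own DN and account):
'   name = LookupDisplayName("CN=Some User,OU=Staff,DC=example,DC=com", _
'                            "EXAMPLE\svc-adread", svcPassword)
' In a .vbs file print it with WScript.Echo; in an ASP page use Response.Write
' with Server.HTMLEncode(name).
```

Bind with a dedicated read-only directory account and keep its password outside the page source, since anyone who can read the script can read the credential.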




 
Anthony Jones
03-10-2006

"CJM" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I use the following technique to impersonate a user in ASP, in order to
> query active directory:
>
> http://support.microsoft.com/default...b;EN-US;248187
>
> Although the article indicates that this technique is supported by IIS4 &
> IIS5, I actually run it successfully on Windows Server 2003 (IIS6).
>
> However, I've got a new development machine which is running XP Pro x64
> Edition, and now this technique doesn't work ('Cannot create object'-type
> error).
>
> Is there a way to get this to work on this OS? If not, what is the best
> alternative that works on Server 2003 and XP x64?
>
> Thanks in advance...
>
> Chris
>


Is this of any use to you:-

http://msdn.microsoft.com/library/de...endsobject.asp



 
CJM
03-10-2006

"Anthony Jones" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Is this of any use to you:-
>
> http://msdn.microsoft.com/library/de...endsobject.asp
>
>




TBH, I'm not sure! On the first pass, it looks like double-dutch... on the
second, it started to make a little sense. I'm not sure if it's a viable
alternative, but it certainly looks worth investigating.

Thanks

Chris


 