Need help on a Web security thing

  • Thread starter: Jayme Pechan

Jayme Pechan

I wrote a very simple web application and I'm having all sorts of problems
with the security getting in the way. All the web application does is load
an out-of-process COM server that is running as a service. The code is here,
written for both a WinForm C# application (which works correctly) and a Web
application (which does not work correctly):

// C# application
xtapisvrLib.XtapiConfig x = new xtapisvrLib.XtapiConfigClass();
txtConfig.Text = x.GetConfiguration();

// WEB APPLICATION
xtapisvrLib.XtapiConfig xc = new xtapisvrLib.XtapiConfigClass();
TextBox1.Text = xc.GetConfiguration();


I get an exception: System.UnauthorizedAccessException: Access is denied.

So as an attempt to simply get this working, I added the IUSR_CDTBTL1F6
user and the ASPNET user to the administrator account with no effect.

My authorization section in my Web.Config looks like this:

<authentication mode="None" />

<authorization>

<allow users="*" />

</authorization>



This Web Application works fine on my Windows XP development machine but if
I try to put it on my Windows 2000 test machine, it gives me the exception.
Anyone have any ideas where I can go from here? I know of no other security
mechanism for a Web Application to access a local COM object.

Thanks
 
I ran File Monitor on the machine and reproduced the error in the browser
but I saw no failure type result but still got the error message. Hmmm.
This seems very odd to me.
 
You gave permissions to a couple users, but what identity does the COM
server run with?
 
The identity of the server doesn't matter. You have to change the security
access permissions for your "DCOM server" by running dcomcnfg.exe (check
component services - DCOM config - yourserver - properties - security -
access permissions - add... ASPNET).

Willy.
 
I'm not sure why it would require DCOM permissions since I am only accessing
it locally as a COM object but I went ahead and did it anyway. It still had
no effect. I continue to get the same error.

I set the Authentication Level to "None"
Set custom access permissions to add ASPNET and IUSR_CDTBTL1F6 with Allow
Access
Set custom launch permissions to add ASPNET and IUSR_CDTBTL1F6 with Allow
Launch
Set custom config permissions to add ASPNET and IUSR_CDTBTL1F6 with Full
Control

I don't really want DCOM access to this object but it doesn't seem to help
anyway.
 
Jayme Pechan said:
I'm not sure why it would require DCOM permissions since I am only accessing
it locally as a COM object but I went ahead and did it anyway. It still had
no effect. I continue to get the same error.

I set the Authentication Level to "None"
Set custom access permissions to add ASPNET and IUSR_CDTBTL1F6 with Allow
Access
Set custom launch permissions to add ASPNET and IUSR_CDTBTL1F6 with Allow
Launch
Set custom config permissions to add ASPNET and IUSR_CDTBTL1F6 with Full
Control

I don't really want DCOM access to this object but it doesn't seem to help
anyway.

It's an "out of process server", so you are using DCOM, right? You don't need
to give launch permissions, as the process is launched as a service, not by a
DCOM instance creation request; the same goes for config permissions: aspnet
and IUSR_XXXX are not interactive user accounts so they can configure DCOM
anyway.
Did you restart your service after you changed the permissions?

Willy.
 
Ok, I think I have the right combination. There are settings in the server
that have to be set in addition to the DCOMCNFG program. My question now
is, is there any way to set these permissions with an installer or must I
instruct the user how to run DCOMCNFG and make the changes? That seems
pretty bad so I'm hoping for an alternative. Btw, thanks for the DCOM
suggestion. I don't quite understand why it needs rights through DCOM but it
does help.
 
Jayme Pechan said:
Ok, I think I have the right combination. There are settings in the server
that have to be set in addition to the DCOMCNFG program. My question now
is, is there any way to set these permissions with an installer or must I
instruct the user how to run DCOMCNFG and make the changes? That seems
pretty bad so I'm hoping for an alternative. Btw, thanks for the DCOM
suggestion. I don't quite understand why it needs rights through DCOM but it
does help.

Out-of-process COM servers use ORPC as their IPC protocol (commonly called
DCOM), and security is an integral part of it. Normally you should configure
COM security programmatically in your server code; if you don't, you can set
it in the registry. Check this: "Setting Processwide Security Through the
Registry" in MSDN.
However, if you don't need security at all, why didn't you implement the
server using remoting instead of DCOM? Or better, why didn't you use
System.EnterpriseServices (COM+) to host your out-proc server? There you
could use the administrative facilities of COM+ to configure the security
settings.


Willy.
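
Added example, not part of the thread or of the server's own code: the registry route mentioned above, written as a PowerShell step an installer could run (elevated) instead of sending users to DCOMCNFG. It writes a per-AppID AccessPermission descriptor that grants only local access to named accounts. The function name, the all-zero AppID and the account name are assumptions, and the value only applies when the server does not set its own security in code.

```powershell
# Added example: grant named accounts local-only COM access on one AppID by
# writing the AccessPermission value that DCOMCNFG would otherwise set.
function Set-ComLocalAccess {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]   $AppId,     # server's AppID GUID, with braces
        [Parameter(Mandatory)][string[]] $Accounts   # e.g. "$env:COMPUTERNAME\ASPNET"
    )
    $key = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    if (-not (Test-Path -LiteralPath $key)) { throw "AppID key not found: $key" }

    # 0x3 = COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL (no remote access).
    # COM needs an owner and group on the descriptor; SYSTEM keeps access.
    $sddl = 'O:BAG:BAD:(A;;0x3;;;SY)'
    foreach ($name in $Accounts) {
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        $sddl += "(A;;0x3;;;$sid)"
    }

    # Convert the SDDL string to the self-relative binary form the registry stores.
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    Set-ItemProperty -LiteralPath $key -Name AccessPermission -Value $bytes -Type Binary

    # Read the value back and list who was granted what, as an install-time check.
    $stored = (Get-ItemProperty -LiteralPath $key -Name AccessPermission).AccessPermission
    $check  = New-Object System.Security.AccessControl.RawSecurityDescriptor($stored, 0)
    foreach ($ace in $check.DiscretionaryAcl) {
        [pscustomobject]@{
            Sid  = $ace.SecurityIdentifier.Value
            Mask = '0x{0:X}' -f $ace.AccessMask
            Type = $ace.AceQualifier
        }
    }
}

# Placeholder AppID: substitute the GUID the server registers under HKCR\AppID.
Set-ComLocalAccess -AppId '{00000000-0000-0000-0000-000000000000}' `
                   -Accounts "$env:COMPUTERNAME\ASPNET"
```

Restart the service after the change so the new descriptor is read.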
 
It turns out to be a problem with the CoInitializeSecurity call on Windows
2000 SP4. It works fine on Windows 2003 and Windows XP.
 