Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

COM Security

Status
Not open for further replies.
COMSecurity

COMSecurity

Programmer
Jul 16, 2002
2
0
0
US
Hi

Setup:
- AD Domain Controller on machine #1
- IIS/COM+ on machine #2 belonging to the same domain
- SQL Server on machine #3 belonging to the same domain

Settings:
- All users are authenticated against AD
- IIS web server:
- Basic Authentication
- Application setting - Medium (Pooled)
- COM+ Server Application:
- In Security tab, impersonation is set to 'Identify'
- In Identity tab, the account is running under AppAccount (that is setup in AD) and NOT as 'Interactive User'.

Problem:
In order for the application to work the first time, I have to logon into machine #2 using AppAccount (in AD Domain). If not, the application does not work giving the message "Automation Error - Logon Failure - Invalid user name or bad password".
But after logging into the machine #2 using AppAccount for the first time, the application continues to work for any other authenticated user account in AD as long as any of the following does not happen:
- IIS is restarted
- COM+ is restarted or
- Machine #2 is rebooted.
If any of them happen, I again need to login in using AppAccount into machine #2. This creates major issues in a production environment.

Has anyone run into this issue before. Any suggestions are also appreciated. Thanks.
 
Sort by date Sort by votes
hi

you need to review your code to see if you are using any win32 calls that require an active account.

if you are using CryptoAPI, when you acquire a context:

if( !CryptAcquireContext(&hProv, sKeyStoreName, MS_DEF_PROV, PROV_RSA_FULL, 0) && !CryptAcquireContext(&hProv, sKeyStoreName, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_NEWKEYSET) ) {
fail;
}
else {
continue;
}

you should include the 0 in the first test so that CryptAcquireContext uses the logged in account. in the second call, the CRYPT_NEWKEYSET option will instruct CryptAcquireContext to generate one from the machine account.

 
Upvote 0 Downvote
Hi Bryn,

Thanks for your input.
We identified that this was the problem a couple of days back. We were in the process of testing it. We were using OpenDSObject in Visual Basic which was using the Account Id and Password. This information was stored in the registry and we were using Crypto to encrypt and decrypt. When we changed to GetObject it started to work since that was using the current user's context. Hence, we have now changed the encryption logic and it is working fine.

Thanks a ton for your input!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

fmwhitman
  • Locked
  • Helpful tip
Reinstalling Com+
Replies
0
Views
77
fmwhitman
fmwhitman
bereza
  • Locked
  • Question
com+ and isolation level
Replies
0
Views
66
bereza
bereza
raveneyes86
  • Locked
  • Question
COM+ synchronization feature
Replies
0
Views
66
raveneyes86
raveneyes86
wdweb
  • Locked
  • Question
Problem with Message Queuing and Com+ Objects
Replies
0
Views
65
wdweb
wdweb
huckfinn19
  • Locked
  • Question
Access a .Net COM object hosted in a COM+ Server in .Net?
Replies
0
Views
69
huckfinn19
huckfinn19

Part and Inventory Search

Sponsor

Back
Top