
Local Host Impersonation Works, Remote Don't???!!!!


C0PP3R

Programmer
Jun 27, 2002
CA
I have a set of pages that I'm beginning an Intranet with. One page accesses a file server to display contents of it and another grabs information and displays it from a SQL database.

Now the web server is running Win2K and IIS 5 or above.

And when I browse the pages locally the impersonation works just fine. When I try and view the pages from a remote location on the network I get access denied errors and Login failed errors for the file one and the SQL one respectively.

I have the IIS set to Windows Authentication, I have impersonation = true in the web.config file.

AM I MISSING SOMETHING?

Any help would be spectacular.

Copper

PS - I used the impersonation code for VB from Microsoft's knowledge base.
 
Do you have the setprn.exe running?

I think it is the name, but it allows you to have an NT/Identity travel across Service and Network boundaries..

Rob
 
I'm not sure, I'll check, where do I check if that's running? Is it a service of IIS that should be running?

As well Active Directory is not set up on this network because of many NT servers still being used.
 
Ok, we set it up so that the Anonymous access is turned off on the site and any virtual dirs relating to it. Unfortunately it still is not working. It seems that the IIS isn't passing the impersonated username.

??? Curious???

Any Takers?

Copper
 
you could check the following things

1) the authentication level in web.config

2) the configuration of IIS out-of-process pooled applications (or something like that); check if impersonation is enabled for the COM+ package

 
I have struggled with impersonation for weeks with no solution. I believe the problem to be that IIS\.NET impersonation will not work across a Network connection.

The easiest solution that I found is to edit the machine.config file. (This is clearly a big security risk)

%windir%\Microsoft.NET\Framework\v1.0.3705\CONFIG\machine.config

Now edit the <processModel...> element's attributes that follow.

userName="SYSTEM | Machine" password="AutoGenerate"

Change to a Domain\Network valid user e.g.

userName="Domain\Username" password="hackmeplease"

I found I could do anything I like all over the network after changing this setting. Still I'm not sure if I had the impersonation settings done correctly but I have tried literally dozens of options from books and web sites to no avail.

Hope this helps.
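
An added example, not part of any post in this thread: a Python check that flags the processModel edit described in the post above (a worker process running as SYSTEM or as a custom account, and a cleartext password stored in the config file). The sample XML, the account EXAMPLE\svc_web and the function name audit_aspnet_config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the edit described above (placeholder credentials).
SAMPLE_CONFIG = r"""<configuration>
  <system.web>
    <processModel enable="true" userName="EXAMPLE\svc_web" password="PlaceholderPassw0rd" />
    <identity impersonate="true" />
    <authentication mode="Windows" />
  </system.web>
</configuration>"""

def _is_cleartext(value):
    # "AutoGenerate" is the built-in password placeholder; "registry:" values
    # point at credentials stored encrypted by the aspnet_setreg tool.
    return bool(value) and value != "AutoGenerate" and not value.lower().startswith("registry:")

def audit_aspnet_config(xml_text):
    """Return (element, finding) tuples for risky identity settings."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return findings
    pm = web.find("processModel")
    if pm is not None:
        user = pm.get("userName", "")
        if user.upper() == "SYSTEM":
            findings.append(("processModel", "worker process runs as LocalSystem"))
        elif user and user.lower() != "machine":
            findings.append(("processModel", "worker process runs as custom account " + user))
        if _is_cleartext(pm.get("password", "")):
            findings.append(("processModel", "cleartext password stored in config file"))
    ident = web.find("identity")
    if ident is not None and ident.get("impersonate", "false").lower() == "true":
        # A fixed impersonation account in web.config carries the same exposure.
        if _is_cleartext(ident.get("password", "")):
            findings.append(("identity", "fixed impersonation account with cleartext password"))
    return findings

if __name__ == "__main__":
    for element, finding in audit_aspnet_config(SAMPLE_CONFIG):
        print(element + ": " + finding)
```

Run it against a copy of machine.config and each web.config on the server; the default userName="machine" with password="AutoGenerate" produces no findings.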
 
Ok, Where do I check the permissions for the COM+ package?
 
Sorry, I'm still new to a lot of the administrative stuff involving this, under component services\Com+ Applications, can you tell me what part I need to adjust the permissions on, and what to adjust them to?

Thanks!
 
you must change what's on the identity tab of
"IIS out-of-process pooled applications"

you probably have the IWAM_[Machine Name] User here
try changing it to the option "Interactive User"

WARNING: In some cases this could cause troubles due to the nature of IIS and make your web server inoperable, so try carefully and DO NOT change directly the user because you probably will lose the IWAM user forever since the password is apparently hardcoded inside IIS
 
Ok, I'm a little hesitant to change that, cuz my IIS has another large service running on it....hmmm....

Ok, I'm trying a new method, using basic authentication on the web server, and I'm working on using the following code to authorize users:

Dim strServerName 'NT local machine name
Dim strGroup 'NT group name
Dim strMachineObject 'ADSI machine object path
Dim strUserADsPath 'ADSI user ads path
Dim objMachine 'ADSI machine object
Dim strNameSpace 'ADSI namespace
Dim objMember 'ADSI member object
Dim objGroup 'ADSI group object
Dim strADSPath 'ADS path
Dim bolAuthenticated As Boolean = False 'Authentication flag
Dim strMember 'NT user name for group member

' Build MachineObject
strServerName = Request.ServerVariables("SERVER_NAME")
strMachineObject = "WinNT://" & strServerName

' Build Current User's UserAdsPath
' (LOGON_USER is DOMAIN\user, so the backslash becomes a slash)
strUserADsPath = "WinNT://" & Request.ServerVariables("LOGON_USER")
strUserADsPath = Replace(strUserADsPath, "\", "/")

' Get NameSpace from Machine Object
objMachine = GetObject(strMachineObject)
strNameSpace = objMachine.Parent
objMachine = Nothing

' Build Name Space for Group Object
strGroup = "Senior Managers"
strNameSpace = strNameSpace & "/" & strServerName


' Iterate through the group named in strGroup and ensure
' that the user visiting this page is a member
objGroup = GetObject(strNameSpace & "/" & strGroup)

For Each objMember In objGroup.Members
    If objMember.ADsPath = strUserADsPath Then
        ' Boolean flag, not the string "True"
        bolAuthenticated = True
        lblMessage.Text = lblMessage.Text & " " & objMember.ADsPath
        Exit For
    End If
Next

objGroup = Nothing

I get an error though saying cannot create ActiveX Component.

Hmmm...and the other thing I have a question about is developing the apps on the main IIS and being able to step through the code while it runs off there. I don't know what setting on the IIS allows Visual Studio.Net to allow for debugging so I can step through my code.

 
 