Security headache: accessing a DCOM server

  • Question

  • User-570742420 posted
    Hi, I have an ASP.NET 3.5 web server that accesses a DCOM server.
    When the ASP.NET application is deployed on Windows XP, I give the ASPNET 
    user access permission to the DCOM server using DCOM config. The web 
    application works well.
    
    The problem is when the ASP.NET application is deployed on Windows 2003 
    Server.
    In this case I give the NETWORK SERVICE user the same permissions I gave 
    to the ASPNET user in Windows XP, but it doesn't work: it gives me a 0x80070005 
    error (Access denied). 
    The only solution I found is to turn on local impersonation in web.config 
    and give DCOM permissions to the IUSR_machinename user.
    
    Is there a way to give the right permissions to the NETWORK SERVICE user, so 
    that it can access a DCOM server that is on a remote machine?
    Thanks
    
    Monday, January 26, 2009 10:37 AM

All replies

  • User372121194 posted

    Hi,

    If we use impersonation via <identity impersonate="true"/>, the identity will be the anonymous user (IUSR_MACHINENAME by default), and we need to add this account to Access Permission.

    If we don't use impersonation, the identity is the IIS account (typically Network Service on IIS 6.0). In this case, we just need to make sure we add this account to Access Permission.

    For testing, we can add everyone to Access Permission to see whether it works.

    We also need to make sure we don't use a custom account for the Application Pool to run your web application. If we use a custom account, we need to add this custom account to Access Permission.

    I look forward to receiving your test results.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, January 31, 2009 10:50 PM
  • User-570742420 posted

    Hi, thanks for the answer.

    The situation is the following: the web server and the DCOM application are on two different machines (both members of the same windows domain).
    The application pool of the web server is the default one, that uses NETWORK SERVICE.
    The 3 tested scenarios are the following:

    WebServer: <identity impersonate="true"/>
    DCOM server: access rights to IUSR_machinename
    It WORKS

    WebServer: <identity impersonate="false"/>
    DCOM server: access rights to EVERYONE
    It WORKS!!!

    WebServer: <identity impersonate="false"/>
    DCOM server: access rights to NETWORK SERVICE
    DOESN'T WORK!!!

    WebServer: <identity impersonate="false"/>
    DCOM server: access rights to NETWORK SERVICE and to IUSR_machinename
    DOESN'T WORK!!!

    It seems like the network service of the web server cannot be used on the other machine to grant access (but setting Everyone works). So who is this "secret" user that is a member of Everyone but is not NETWORK SERVICE?

    Monday, February 2, 2009 5:17 AM
  • User372121194 posted

    Hi,

    Thanks for your response.

    If the ASP.NET process identity is NETWORK SERVICE, and we add it to Access Permission, it should work.

    For EVERYONE, it works. I think this ASP.NET process identity is not NETWORK SERVICE. In IIS 6.0, if we configure IIS 6.0 for IIS 5.0 isolation mode, the ASP.NET process identity is ASPNET.

    So we can try to add ASPNET to permission access.

    For more information about IIS and Built-in Accounts (IIS 6.0), see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx?mfr=true 

    I look forward to receiving your test results.

    Monday, February 2, 2009 10:48 PM
  • User-570742420 posted

    Thanks again, I solved this issue.

    As I told you, the web application is running as NETWORK SERVICE with no IIS 5.0 isolation mode, as also confirmed by looking in Task Manager.
    Setting the access rights in the remote machine to NETWORK SERVICE doesn't work.
    To make it work I have to leave the web server running as NETWORK SERVICE but on the remote DCOM server I have to set access rights to the NETWORK user.

    I don't know exactly why, I'm going to explore it tomorrow...

    Thanks again
    Igor

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, February 3, 2009 12:55 PM
  • User-570742420 posted

    It seems impossible: I have been searching knowledge bases all morning, but I was not able to find an article that explains the difference between the NETWORK SERVICE account and the NETWORK account.
    The only thing I found was an article describing a similar problem when an ASP.NET server has to access a SQL Server that is on a different machine. In this case, if you give permissions to the NETWORK SERVICE account to access SQL Server, it doesn't work; it is necessary to give permissions to the DOMAIN\SERVER$ user.

    It seems that the NETWORK SERVICE account, despite its name, does not have rights to access many resources over the LAN.

    Wednesday, February 4, 2009 7:21 AM
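
The thread ends on the observation that granting NETWORK SERVICE on the remote DCOM host does not work while NETWORK does. The reason, from a defender's point of view: a process running as NETWORK SERVICE authenticates to other machines with the computer account (DOMAIN\WEBSERVER$), so an ACE for the local NETWORK SERVICE SID (S-1-5-20) on the DCOM host never matches the caller, whereas NETWORK (S-1-5-2, every network logon) and Everyone do. Granting the web server's computer account is the least-privilege option, and Igor's SQL Server note about DOMAIN\SERVER$ is the same effect. The following PowerShell script is an added example, not code from the thread or from Microsoft; run on the DCOM server host, it reads the AppID's Access Permission DACL from the registry and reports which of these principals are granted remote access. `$AppId`, `$WebServerName` and `$Domain` are placeholders to be supplied by the reader.

```powershell
# Added example, not code from the thread. Run on the DCOM server host with
# registry read access. Reads the AppID's Access Permission DACL and reports
# which of the principals discussed in the thread are granted remote access.
param(
    [Parameter(Mandatory)] [string] $AppId,          # e.g. '{PLACEHOLDER-APPID-GUID}'
    [Parameter(Mandatory)] [string] $WebServerName,  # NetBIOS name of the IIS host, e.g. 'WEBSRV01' (placeholder)
    [string] $Domain = $env:USERDOMAIN               # NetBIOS domain; assumed shared by both hosts
)

# COM access-right bits (objbase.h). A mask holding only COM_RIGHTS_EXECUTE (1)
# is the legacy form and grants both local and remote access.
$ComRights = [ordered]@{
    1  = 'EXECUTE'
    2  = 'EXECUTE_LOCAL'
    4  = 'EXECUTE_REMOTE'
    8  = 'ACTIVATE_LOCAL'
    16 = 'ACTIVATE_REMOTE'
}

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolved>' }
}

function Get-DcomAccessAces {
    param([string] $AppId)
    # AccessPermission is a REG_BINARY self-relative security descriptor.
    $key   = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    $bytes = (Get-ItemProperty -Path $key -Name AccessPermission -ErrorAction Stop).AccessPermission
    $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $names = foreach ($bit in $ComRights.Keys) { if ($ace.AccessMask -band $bit) { $ComRights[$bit] } }
        [pscustomobject]@{
            Type    = $ace.AceType.ToString()
            Sid     = $ace.SecurityIdentifier.Value
            Account = Resolve-SidName $ace.SecurityIdentifier
            Mask    = $ace.AccessMask
            Rights  = $names -join ','
        }
    }
}

function Test-RemoteAccessAllowed {
    param([object[]] $Aces, [string] $Sid)
    # Remote access comes from EXECUTE_REMOTE (4) or the legacy EXECUTE-only mask (1).
    $hit = $Aces | Where-Object {
        $_.Type -eq 'AccessAllowed' -and $_.Sid -eq $Sid -and (($_.Mask -band 5) -ne 0)
    }
    return [bool] $hit
}

$aces = Get-DcomAccessAces -AppId $AppId
Write-Host "Access Permission DACL for $AppId"
$aces | Format-Table Type, Account, Sid, Rights -AutoSize

# The principal the DCOM server actually sees for a remote NETWORK SERVICE caller
# is the caller's computer account, DOMAIN\WEBSERVER$, not S-1-5-20.
$machineAccount = [System.Security.Principal.NTAccount] "$Domain\$WebServerName`$"
$machineSid     = $machineAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

$checks = [ordered]@{
    'Everyone (S-1-1-0)'         = 'S-1-1-0'
    'NETWORK (S-1-5-2)'          = 'S-1-5-2'
    'NETWORK SERVICE (S-1-5-20)' = 'S-1-5-20'
    "$machineAccount"            = $machineSid
}
foreach ($entry in $checks.GetEnumerator()) {
    $granted = Test-RemoteAccessAllowed -Aces $aces -Sid $entry.Value
    Write-Host ("{0,-40} remote access: {1}" -f $entry.Key, $granted)
}

if (Test-RemoteAccessAllowed $aces 'S-1-1-0') {
    Write-Warning 'Everyone is granted access; replace it with the web server computer account.'
}
if ((Test-RemoteAccessAllowed $aces 'S-1-5-20') -and -not (Test-RemoteAccessAllowed $aces $machineSid)) {
    Write-Warning 'Only the local NETWORK SERVICE SID is granted; a remote IIS host will never match it.'
}
```

The script only reads and reports; the actual grant is still made in DCOM config (Component Services). The two warnings encode the thread's findings: Everyone works but is far too broad, and NETWORK SERVICE on the DCOM host is a different principal from the remote web server, which is why granting it fails. Granting the computer account instead of NETWORK limits access to that one web server rather than to every machine and user that logs on over the network.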