Re: IIS application pool identities and ASP.NET by Peter
Peter
Fri May 21 20:36:02 CDT 2004
Thanks, but I finally figured it out. I had to use "aspcompat=true" in my
ASP.NET page directive because the COM object was running in its own
thread. Apparently the new thread then inherits the process identity (i.e.
Network Service), not the impersonated thread identity running the ASP.NET
code.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uqcDyO5PEHA.3052@TK2MSFTNGP12.phx.gbl...
> This is not really a question for IIS. I suggest you ask an ASP.Net forum.
>
> IIS has handed control to ASP.Net when your ASP.Net code executes, giving it
> a process identity of Network Service and thread identity of IUSR -- and if
> ASP.Net chose to call RevertToSelf prior to executing any code, that is an
> ASP.Net behavior.
>
> In other words, I suspect you have anonymous access enabled in IIS and that
> you had ASP.Net's "identity" section configured to "impersonate". This
> would lead you to first see IUSR_machinename inside your ASP.Net code, and
> when you subsequently changed the thread token to Administrator, that also
> worked. However, you're saying that when you then CoCreateInstance on the
> DLL from managed code, it does so using process identity. Something has
> called RevertToSelf, and it wasn't IIS...
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Peter Johansen" <peterJohan13384SPAMSUCKS@hotmail.com> wrote in message
> news:Pmtrc.101655$0qd.58978@twister01.bloor.is.net.cable.rogers.com...
> Hi, I posted this question in ASP.NET newsgroup but later thought it may be
> more relevant to this group. If anyone can shed some light on this for me
> I'd appreciate it.
>
> --------------------------------------------------------------------------
> I'm trying to figure out a simple problem but I'm stumped. I have an
> application that needs to access a .dll that (for security reasons) only
> grants permissions to the Administrators group. Since the application pool's
> identity is the default "Network Service", I was thinking I'll just
> impersonate the "Administrator" account in my ASP.NET code.
>
> Now, when I check the value of "WindowsIdentity.GetCurrent().Name" BEFORE
> the identity switch it reports the identity as that of the anonymous
> "MACHINE\IUSR_machine" account. When I check the same value right AFTER the
> switch it reports "MACHINE\Administrator". So the identity switch seems to
> be successful.
>
> However, when I try to access the .dll right after that, I get the "Can't
> create ActiveX object" error. That's because when I check access to the .dll
> with FileMon it reports that it's still trying to access the .dll as the
> "Network Service" user!
>
> What am I missing? Why is it using the identity of the application pool, and
> NOT the impersonated identity for access to the .dll?
>
> Thanks for any help!
> --------------------------------------------------------------------------
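The point Peter landed on is worth making concrete: a Windows impersonation token is attached to a thread, not to the process, so code that hops to another thread (a COM object marshalled to its own apartment thread, a worker thread you start yourself) runs under the process token, which for the default application pool is Network Service. The probe below is an added example, not code from the thread or from Microsoft; it impersonates an account supplied by the caller (placeholder credentials, the `LogonUser` P/Invoke and the `IdentityProbe` class are all assumptions of this example), records the identity seen on the impersonating thread and on a freshly created thread, and undoes the impersonation in a `finally` block so the token cannot leak into later requests served by the same thread. Run under ASP.NET 1.x it reports what Peter saw: the new thread carries the process identity. Later runtimes flow the managed impersonation context to new threads by default, so the probe is the check to run on whichever runtime you actually host.

```csharp
// Added example: shows which thread an ASP.NET impersonation token applies to.
// Assumptions: the caller supplies a local account (placeholders, not a real user),
// and the hosting process is an IIS application pool running as Network Service.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;

public class IdentityProbe
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    public string BeforeImpersonation;   // identity of the request thread on entry
    public string DuringImpersonation;   // identity of the same thread after Impersonate()
    public string OnNewThread;           // identity observed by a thread started while impersonating

    // Thread entry point: simply record who the new thread runs as.
    void RecordNewThreadIdentity()
    {
        OnNewThread = WindowsIdentity.GetCurrent().Name;
    }

    public void Run(string user, string domain, string password)
    {
        BeforeImpersonation = WindowsIdentity.GetCurrent().Name;

        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new ApplicationException(
                "LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
        }

        WindowsImpersonationContext ctx = null;
        try
        {
            // Impersonation is scoped to THIS thread only.
            ctx = new WindowsIdentity(token).Impersonate();
            DuringImpersonation = WindowsIdentity.GetCurrent().Name;

            // A thread created here starts with the process token, not our impersonation
            // token (Win32 semantics; ASP.NET 1.x does not flow the managed identity).
            Thread worker = new Thread(new ThreadStart(RecordNewThreadIdentity));
            worker.Start();
            worker.Join();

            // Any COM object created from this point on is only impersonated if its call
            // stays on this thread; an object living on another thread sees the process token.
        }
        finally
        {
            // Always revert, even on exceptions, so the impersonation token does not
            // remain on a pooled thread that will later serve someone else's request.
            if (ctx != null) ctx.Undo();
            CloseHandle(token);
        }
    }
}

// Usage from an ASP.NET page (placeholder account, not a real credential):
//   IdentityProbe p = new IdentityProbe();
//   p.Run("PROBE_USER", Environment.MachineName, "PROBE_PASSWORD");
//   Response.Write(p.BeforeImpersonation + " / " + p.DuringImpersonation + " / " + p.OnNewThread);
```

Reading the three values side by side tells you where the identity boundary is: `BeforeImpersonation` is whatever IIS handed ASP.NET (IUSR_machinename with anonymous access and `impersonate="true"`), `DuringImpersonation` is the account you switched to, and `OnNewThread` is the identity a resource on another thread will be checked against. The same three-way comparison is a useful regression check whenever an application pool identity, a COM threading model or `aspcompat` is changed.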