
.NET Forum / .NET Framework / Security / October 2005


Impersonate to call COM object via DCOM

Achim Domma (SyynX Solutions GmbH) - 29 Oct 2005 19:31 GMT
Hi,

I want to use impersonation to call a COM object on a remote machine. I
have copied the code from this example:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158#XSLTH3167121123120121120120


To create the object, I first do a Type.GetTypeFromProgID(clsid,server)
which works. But the following Activator.CreateInstance(type) fails with
an access denied exception.

I have written a small Python test script like this:

from win32com.client import DispatchEx
# clsid: ProgID or CLSID string; server: name of the remote machine (both set beforehand)
obj = DispatchEx(clsid, server)   # remote activation over DCOM
print(obj.some_method())

If I start a cmd.exe via 'runas' and execute this script, it works fine.
So I guess my impersonation has to be wrong!?

Any help would be very appreciated!

regards,
Achim
Raffaele Rialdi [MVP] - 30 Oct 2005 11:53 GMT
> I want to use impersonation to call a COM object on a remote machine.
> I have copied the code from this example:
[quoted text clipped - 13 lines]
> If I start a cmd.exe via 'runas' and execute this script, it works
> fine. So I guess my impersonation has to be wrong!?

I think the problem is that, when there is an apartment switching, COM uses
the process token and not the thread token (that is the one used in
impersonation operations).

If you are using asp.net, as in the sample you posted, you should use the
aspcompat=true in the Page directive. This forces asp.net to run in the STA
and not in the MTA.

Otherwise you should consider using delegation (that is disabled by default
because it can open bad security holes) or, better, constrained delegation
(available only on Win2k3), which is a form of delegation that you can use
only for a specific target process.

Signature

Raffaele Rialdi
Microsoft .NET MVP http://mvp.support.microsoft.com - http://italy.mvps.org
UGIdotNET - User Group Italiano .NET http://www.ugidotnet.org
Weblog: http://blogs.ugidotnet.org/raffaele

Achim Domma (SyynX Solutions GmbH) - 30 Oct 2005 12:43 GMT
> I think the problem is that, when there is an apartment switching, COM uses
> the process token and not the thread token (that is the one used in
> impersonation operations).

I found a similar answer in another thread. My idea seems to be
impossible out of the box. I implemented a test where the app restarts
itself using CreateProcessWithLogonW. That works fine but is not
appropriate for all my scenarios.

> If you are using asp.net, as in the sample you posted, you should use the
> aspcompat=true in the Page directive. This forces asp.net to run in the STA
> and not in the MTA.

If I implement a C# GUI app, is there an option to let it run in STA also?

> Otherwise you should consider to use delegation (that is disabled by default
> because it can open bad security holes) or beter constrained delegation
> (available only on win2k3) that is a form of delegation that you can use
> only for a specific target process.

I tried to google these topics, but without result. Could you give me
some more details? What do you mean by delegation in that context? The
code has to run on XP also, so constrained delegation seems not to be an
option.

thanks in advance,

Achim
Raffaele Rialdi [MVP] - 30 Oct 2005 14:32 GMT
> I found a similar answer in another thread. My idea seems to be
> impossible out of the box. I implemented a test where the app restarts
> itself using CreateProcessWithLogonW. That works fine but is not
> appropriate for all my scenarios.

If you create a new process with specific credentials, the new process token
will have those credentials, so there is no impersonation.
Impersonation means creating a thread token where normally there is none.
You can use Process Explorer by Sysinternals to look at process and thread
tokens (you have to be admin to do this if the process is not running with your
credentials).

> If I implement a C# GUI app, is there a option to let it run in STA
> also?
That's the default for VS.NET. Above the Main method you'll find the [STAThread]
attribute.
Otherwise you have to set the System.Threading.ApartmentState
property on the thread as early as possible.
You can also query that property.

Anyway, I re-read your question and I'm sorry, but I think that this scenario
applies to COM calls on different apartments.
With DCOM you have to manage the "cloaking" yourself:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsImpersonation.html
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/5b97d9d6-8fa9-4da2-8351-64772227d9a2.asp


> I tried to google about these topics, but without result. Could give
> me some more details? What do you mean with delegation in that
> context? The code has to run on XP also, so constrained delegation
> seems not to be an option.
Again, after having re-read your question, I think that delegation should not
help your DCOM problem, sorry.
Anyway, here are some articles about delegation and how to configure it:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html

> thanks in advance,
you are welcome

Signature

Raffaele Rialdi
Microsoft .NET MVP http://mvp.support.microsoft.com - http://italy.mvps.org
UGIdotNET - User Group Italiano .NET http://www.ugidotnet.org
Weblog: http://blogs.ugidotnet.org/raffaele
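To make the point about tokens and cloaking concrete, here is an added example (my code, not from the thread or from Microsoft's KB sample). It shows the two things the reply above names: that impersonation puts a token on the current thread only, which WindowsIdentity.GetCurrent() reflects, and that DCOM activation only picks that thread token up when cloaking is enabled through CoInitializeSecurity, which has to be the first COM-related call in the process. The server name, ProgID, domain and account are placeholders; the P/Invoke declarations and constants are the documented Win32/COM ones; .NET 2.0 or later is assumed.

```csharp
// Added example: activate a remote COM object under an impersonated thread token.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Threading;

static class DcomImpersonationDemo
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    [DllImport("ole32.dll")]
    static extern int CoInitializeSecurity(IntPtr secDesc, int authSvcCount, IntPtr authSvc,
        IntPtr reserved1, uint authnLevel, uint impLevel, IntPtr authList,
        uint capabilities, IntPtr reserved3);

    const int LOGON32_LOGON_INTERACTIVE = 2;       // full logon, like runas (alternative: 9 = NEW_CREDENTIALS, like runas /netonly)
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const uint RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6;  // sign and encrypt the DCOM traffic
    const uint RPC_C_IMP_LEVEL_IMPERSONATE = 3;
    const uint EOAC_DYNAMIC_CLOAKING = 0x40;       // outgoing calls use the thread token in force at call time
    const int RPC_E_TOO_LATE = unchecked((int)0x80010119);

    [STAThread]   // Main runs in a single-threaded apartment, as discussed in the thread
    static void Main()
    {
        Console.WriteLine("Apartment: " + Thread.CurrentThread.GetApartmentState());

        // 1. Cloaking is a per-process setting and must be configured before any COM marshalling.
        //    Without it DCOM activates with the *process* token, which is the access-denied symptom.
        int hr = CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero, IntPtr.Zero,
            RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, IntPtr.Zero,
            EOAC_DYNAMIC_CLOAKING, IntPtr.Zero);
        if (hr == RPC_E_TOO_LATE)
            Console.WriteLine("CoInitializeSecurity was already called; cloaking flags NOT applied.");
        else
            Marshal.ThrowExceptionForHR(hr);

        // Placeholders: replace with real values.
        string server = "REMOTE-HOST", progId = "Vendor.Component";
        string domain = "DOMAIN", user = "svc-dcom";
        string password = ReadPassword();   // prompted, never hard-coded

        Console.WriteLine("Process identity: " + WindowsIdentity.GetCurrent().Name);

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception();   // wraps GetLastError

        try
        {
            // 2. Impersonate: the token is attached to this thread only.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                Console.WriteLine("Thread identity:  " + WindowsIdentity.GetCurrent().Name);

                // 3. With dynamic cloaking the remote activation carries the thread token.
                Type t = Type.GetTypeFromProgID(progId, server);
                object remote = Activator.CreateInstance(t);
                Console.WriteLine("Activated " + progId + " on " + server + " as " + remote.GetType().Name);
            }   // Undo() runs here; the thread is back to the process identity
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Reads a password from the console without echoing it.
    static string ReadPassword()
    {
        Console.Write("Password for service account: ");
        StringBuilder sb = new StringBuilder();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
            sb.Append(key.KeyChar);
        Console.WriteLine();
        return sb.ToString();
    }
}
```

Two checks worth keeping in mind when running this: if the "Thread identity" line still prints the process account, impersonation itself failed, not DCOM; and if CoInitializeSecurity reports RPC_E_TOO_LATE, some earlier COM use (a control, a debugger helper) already fixed the process security settings and the cloaking flag never took effect, so the activation will still go out with the process token.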

Raffaele Rialdi [MVP] - 30 Oct 2005 14:53 GMT
[...]

Consider another solution:
You write a new piece of software "X" that talks with the client using
remoting.
X talks with the COM server via DCOM using a fixed identity that has the
required permissions.
If you host "X" in IIS you'll gain the authentication feature, that is,
you'll know the identity of the clients connecting to X.

This way, X checks whether the caller can access the COM server methods using .NET
Framework declarative security (using attributes).

Signature

Raffaele Rialdi
Microsoft .NET MVP http://mvp.support.microsoft.com - http://italy.mvps.org
UGIdotNET - User Group Italiano .NET http://www.ugidotnet.org
Weblog: http://blogs.ugidotnet.org/raffaele
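An added example of the "X" intermediary just described (my code, not from the thread): a remoting object hosted in IIS that uses a declarative PrincipalPermission demand to check the Windows identity IIS authenticated, and then calls the COM server under the worker process's own fixed identity. The role name, ProgID, machine name and URLs are placeholders; Windows authentication in web.config and .NET 2.0 or later are assumed.

```csharp
// Added example: remoting gateway with a declarative role check in front of a DCOM call.
using System;
using System.Reflection;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Shared with the client assembly so the client can talk to a transparent proxy.
public interface IComGateway
{
    string Invoke(string methodName, params object[] args);
}

public class ComGateway : MarshalByRefObject, IComGateway
{
    const string ProgId = "Vendor.Component";   // placeholder
    const string Server = "REMOTE-HOST";        // placeholder

    // Declarative demand: the CLR evaluates Thread.CurrentPrincipal before the body runs.
    // Hosted in IIS with <authentication mode="Windows"/>, that principal is the remote caller,
    // so anyone outside the role gets a SecurityException and never reaches the COM server.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = @"DOMAIN\ComUsers")]
    public string Invoke(string methodName, params object[] args)
    {
        // Only an explicit allowlist of COM methods is reachable through the gateway.
        if (methodName != "some_method")
            throw new ArgumentException("method is not exposed by this gateway", "methodName");

        IPrincipal caller = Thread.CurrentPrincipal;   // used for the decision and for logging only

        // The DCOM activation runs under the IIS worker process identity (the fixed identity),
        // so no impersonation or cloaking is involved on this hop.
        Type t = Type.GetTypeFromProgID(ProgId, Server);
        object remote = Activator.CreateInstance(t);
        object result = t.InvokeMember(methodName, BindingFlags.InvokeMethod, null, remote, args);
        return string.Format("{0} (called by {1})", result, caller.Identity.Name);
    }

    // Keep the singleton alive for the life of the host instead of the default lease timeout.
    public override object InitializeLifetimeService() { return null; }
}

// Server web.config (IIS-hosted remoting), trimmed to what matters here:
//   <system.web><authentication mode="Windows"/><authorization><deny users="?"/></authorization></system.web>
//   <system.runtime.remoting><application><service>
//     <wellknown mode="Singleton" type="ComGateway, ComGatewayAssembly" objectUri="ComGateway.rem"/>
//   </service></application></system.runtime.remoting>
//
// Client side (separate process, authenticating with its own Windows identity):
//   IComGateway gw = (IComGateway)Activator.GetObject(typeof(IComGateway),
//                        "http://webhost/comgw/ComGateway.rem");
//   Console.WriteLine(gw.Invoke("some_method"));
// The client's HTTP channel must send default credentials (useDefaultCredentials="true")
// for the Windows authentication on the server to see a real caller.
```

The security property this buys is the one the reply is after: the client's credentials never travel further than the web host, the COM server only ever sees one well-known account, and the decision about who may trigger which COM method is a role check that can be audited in one place.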

Ziga Jakhel - 31 Oct 2005 01:01 GMT
You could also use System.EnterpriseServices and create a serviced object
that runs in its own server process (and identity), which in turn calls
your COM object. Should be the simplest way to get it done.

Regards,

Ziga

> Hi,
>
[quoted text clipped - 20 lines]
> regards,
> Achim
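The System.EnterpriseServices route suggested above, as an added example (my code, not from the thread): a ServicedComponent registered as a COM+ server application, so it runs in its own dllhost.exe process under whatever account is configured for that application in Component Services, with COM+ role-based access checks in front of the forwarded call. The application, role, ProgID and machine names are placeholders; a strong-named assembly registered with regsvcs.exe and .NET 2.0 or later are assumed.

```csharp
// Added example: COM+ server application forwarding to a remote COM object under its own identity.
using System;
using System.EnterpriseServices;
using System.Reflection;
using System.Runtime.InteropServices;

[assembly: ApplicationName("ComForwarder")]                      // placeholder COM+ application name
[assembly: ApplicationActivation(ActivationOption.Server)]       // out-of-process: own dllhost.exe and identity
[assembly: ApplicationAccessControl(true,                        // enable COM+ role checks
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy)]              // sign and encrypt client <-> component calls
[assembly: SecurityRole("ComCallers", Description = "Accounts allowed to reach the COM server")]

[ComVisible(true)]
[ComponentAccessControl(true)]   // component-level checks on, so the role below is enforced
[SecurityRole("ComCallers")]     // COM+ refuses callers outside this role before any method runs
public class ComForwarder : ServicedComponent
{
    const string ProgId = "Vendor.Component";   // placeholder
    const string Server = "REMOTE-HOST";        // placeholder

    public string CallSomeMethod()
    {
        // Defence in depth: repeat the role check programmatically and record who asked.
        if (!ContextUtil.IsCallerInRole("ComCallers"))
            throw new UnauthorizedAccessException("caller is not in role ComCallers");
        string caller = SecurityCallContext.CurrentCall.DirectCaller.AccountName;

        // This runs under the COM+ application's identity ("This user" in Component Services),
        // not the caller's, so no impersonation is needed for the DCOM hop.
        Type t = Type.GetTypeFromProgID(ProgId, Server);
        object remote = Activator.CreateInstance(t);
        object result = t.InvokeMember("some_method", BindingFlags.InvokeMethod, null, remote, null);
        return string.Format("{0} (requested by {1})", result, caller);
    }
}

// Deployment and use, as comments so the block stays a single file:
//   sn -k key.snk; compile with [assembly: AssemblyKeyFile("key.snk")]; then: regsvcs ComForwarder.dll
//   In Component Services: set the application's Identity to the service account that has the
//   DCOM permissions, and add the permitted users to the ComCallers role.
//   Client (any process referencing the assembly):
//     using (ComForwarder f = new ComForwarder()) { Console.WriteLine(f.CallSomeMethod()); }
```

Compared with the remoting gateway, nothing here has to be written for authentication or transport security: COM+ authenticates the caller, checks the role, and can sign and encrypt the call, while the credential that is allowed to reach the COM server lives only in the COM+ application's identity setting.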
