Robert E. Maurer
Hello.
Hopefully someone can help me (or at least explain what is going on to me.)
Before .Net, I would develop an application that had a web GUI, some COM
components, and some SQL Server tables. Then I would deploy the ASP files
and set up the web site to allow anonymous access and impersonate a specific
user. Then I would grant that specific user access to SQL Server and my
database. Then, when users would access my web site, it would create an
instance of a COM object in COM+, using the identity that was set up in
COM+. That object then creates an instance of another COM component, in
process, that is my data access component. When I profile this, the user
that I have configured in the COM+ application is what is used to connect
to SQL Server.
Now, I have a .Net web service written in C#. I edited the web.config file
to set the web service to "None" for authentication and Impersonate="true".
Then I set the web site in IIS to allow anonymous access and I set a
specific user. I then granted that specific user access to SQL Server and
my database. Finally, I have the web service create an interop assembly
object that creates a reference to my data access COM component to attempt
to access SQL Server.
The problem is that when somebody accesses my web service, it attempts to
connect to SQL Server as either ASPNET or NT AUTHORITY\NETWORK SERVICE.
First, am I doing something wrong or have I missed a step? And, second, how
do I (if I can) configure my web service to impersonate a specific user
without seriously compromising the security of my machine?
Secondly, I assume that the web service and all assemblies it used will run
as the same user?
Finally, does this mean I need to put my web service into COM+ so that I can
configure an Identity?
That is a pain because then I have to put it into the GAC and then strong
name all of the interop assemblies, etc.
Thank you all in advance for any help you can provide.
Robert E. Maurer