CLR calling a web service and AppPool impersonation - weird issue


Post by Sergei She » Wed, 10 Oct 2007 01:17:22


Hi. Crossposted because the issue seems bizarre and I have no idea
where the problem lies.

We have a CLR that calls ASP.NET Web Service using NetworkCredentials
to pass in login, password and domain of a domain user.
Application and apppool housing the webservice run under network
service; IIS6 on Win2003 is used; windows auth is used; and everything
works fine.
If you check IIS logs you see POST request to web service resulting in
401 error immediately followed by the call with user supplied and WS
procedure does launch.

As soon as you change the App Pool that houses the application to run
under the specific user (the same user that is used for Web Service
auth), CLR s/WS method combo stops working.
There are no errors; if you check the logs there's a user-less WS call
resulting in 401 but second successful call is no longer there.

How do we fix this?
 
 
 


Post by David Wan » Wed, 10 Oct 2007 12:57:34


Read IIS6 documentation on changing the Application Pool Identity. It
calls out the exact reason why Integrated Auth+Custom AppPool Identity
+Domain Server fails and how to fix it. Basically, when you start
customizing, you better know more about the security implications and
requirements of the customization -- no way to just ignore it as
"bizarre". Security is not easy nor is it automatic.

http://www.yqcomputer.com/

Unfortunately, the link is no longer valid but that information should
still exist.


//David
http://www.yqcomputer.com/
http://www.yqcomputer.com/
//