CLR calling a web service and AppPool impersonation - weird issue

on 08.10.2007 18:17:22 by realgeek

Hi. Crossposted because the issue seems bizarre and I have no idea
where the problem lies.

We have a CLR that calls ASP.NET Web Service using NetworkCredentials
to pass in login, password and domain of a domain user.
Application and apppool housing the webservice run under network
service; IIS6 on Win2003 is used; windows auth is used; and everything
works fine.
If you check IIS logs you see POST request to web service resulting in
401 error immediately followed by the call with user supplied and WS
procedure does launch.

As soon as you change the App Pool that houses the application to run
under the specific user (the same user that is used for Web Service
auth), CLR s/WS method combo stops working.
There are no errors; if you check the logs there's a user-less WS call
resulting in 401 but second successful call is no longer there.

How do we fix this?

Re: CLR calling a web service and AppPool impersonation - weird issue

on 09.10.2007 05:57:34 by David Wang

On Oct 8, 9:17 am, Sergei Shelukhin wrote:
> Hi. Crossposted because the issue seems bizarre and I have no idea
> where the problem lies.
>
> We have a CLR that calls ASP.NET Web Service using NetworkCredentials
> to pass in login, password and domain of a domain user.
> Application and apppool housing the webservice run under network
> service; IIS6 on Win2003 is used; windows auth is used; and everything
> works fine.
> If you check IIS logs you see POST request to web service resulting in
> 401 error immediately followed by the call with user supplied and WS
> procedure does launch.
>
> As soon as you change the App Pool that houses the application to run
> under the specific user (the same user that is used for Web Service
> auth), CLR s/WS method combo stops working.
> There are no errors; if you check the logs there's a user-less WS call
> resulting in 401 but second successful call is no longer there.
>
> How do we fix this?



Read IIS6 documentation on changing the Application Pool Identity. It
calls out the exact reason why Integrated Auth+Custom AppPool Identity
+Domain Server fails and how to fix it. Basically, when you start
customizing, you better know more about the security implications and
requirements of the customization -- no way to just ignore it as
"bizarre". Security is not easy nor is it automatic.

http://groups.google.com/group/microsoft.public.windows.server.general/browse_thread/thread/3e016b9dfb057445/14f41a7e97bdabb6

Unfortunately, the link is no longer valid but that information should
still exist.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//