I've developed a COM+ server component (dll) that uses the ITaskScheduler and ITask interfaces to create and edit tasks for a specific .exe also created by the company I work for. The component is called from a classic ASP page (VBScript) and is part of an office package we are developing. The whole system uses a web interface.

When run under IIS on Windows Server 2003/2008, I get 0x80070005 access denied errors when attempting to call, for instance, ITaskScheduler->Enum. This makes perfect sense; the IUsr_... account shouldn't have access to the task scheduler. I added fields for the user to enter their credentials on the webpage, and then made calls to LogonUser and then ImpersonateLoggedOnUser in the COM object. However, I still get access denied errors. Subsequent calls to IServerSecurity->QueryBlanket show that the COM object is still being run under the IUsr_... account. My logon logic is as follows:
 
 
bool SystemUser::LogonUser(const wchar_t* userName, const wchar_t* domain, const wchar_t* password)
{
    if(::LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &_token))
    {
        return true;
    }
    System::LogSystemError(__W_FILE__, __W_FUNCTION__, __LINE__, L"Unable to logon user: %s domain: %s", userName, domain);
    return false;
}
     
bool SystemUser::Impersonate()
{
    if(::ImpersonateLoggedOnUser(_token))
    {
        return true;
    }
    System::LogSystemError(__W_FILE__, __W_FUNCTION__, __LINE__, L"Unable to impersonate user");
    return false;
}
     
SuccessCode::Enum SystemUser::Logon(const wchar_t* userName, const wchar_t* domain, const wchar_t* password)
{
    if(!_token)
    {
        if(!LogonUser(userName, domain, password) || !Impersonate())
        {
            return SuccessCode::ImpersonateError;
        }
        else
        {
            Global::systemLog.Write(LogLevel::Information, L"Successfully logged on as user: '%s' domain: '%s'", userName, domain);
        }
    }
    return SuccessCode::Success;
}
 
Using LOGON32_LOGON_INTERACTIVE as the logon type makes no difference. Neither does setting up specific roles in the COM+ MMC. Any help or suggestions hugely appreciated.
Posted 26-Apr-12 17:13pm

Solution 1

Do you impersonate the user prior to the COM calls?
The COM call could be executing in a different thread, for which your impersonation is not set.

Solution 2

Make sure your IUsr_... user has the SeImpersonatePrivilege privilege. The easiest way to check and/or set it is via secpol.msc. Go to User Rights Assignments->Impersonate a client after authentication and add the IUsr_... user there.
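Both answers come down to which token the calling thread holds at the moment of the ITaskScheduler call. The following diagnostic is an added example, not code from the question or from either answer; `DescribeCallingIdentity` and `LevelName` are hypothetical helper names, and the Win32 part compiles only on Windows.

```cpp
// Added diagnostic sketch, not the poster's code. Windows part links with Advapi32.lib.
#include <string>

// Name of a SECURITY_IMPERSONATION_LEVEL value (0..3); anything else is "unknown".
const wchar_t* LevelName(int level)
{
    static const wchar_t* const names[] = { L"SecurityAnonymous", L"SecurityIdentification",
                                            L"SecurityImpersonation", L"SecurityDelegation" };
    return (level >= 0 && level <= 3) ? names[level] : L"unknown";
}

#ifdef _WIN32
#include <windows.h>

// Hypothetical helper: reports which account the *calling thread* runs as.
// Call it on the same thread, immediately before the ITaskScheduler call.
std::wstring DescribeCallingIdentity()
{
    HANDLE token = NULL;
    bool impersonating = true;
    // OpenAsSelf=TRUE: the access check uses the process identity, so the query
    // also works when the thread holds only an identification-level token.
    if (!::OpenThreadToken(::GetCurrentThread(), TOKEN_QUERY, TRUE, &token))
    {
        if (::GetLastError() != ERROR_NO_TOKEN) return L"<OpenThreadToken failed>";
        impersonating = false;               // no impersonation token on this thread
        if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
            return L"<OpenProcessToken failed>";
    }
    struct { TOKEN_USER user; BYTE sid[SECURITY_MAX_SID_SIZE]; } tu = {};
    wchar_t name[256] = L"?", domain[256] = L"?";
    DWORD len = 0, cchName = 256, cchDomain = 256;
    SID_NAME_USE use;
    if (::GetTokenInformation(token, TokenUser, &tu, sizeof(tu), &len))
        ::LookupAccountSidW(NULL, tu.user.User.Sid, name, &cchName, domain, &cchDomain, &use);
    std::wstring out = std::wstring(domain) + L"\\" + name;
    if (impersonating)
    {
        SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
        const bool ok = ::GetTokenInformation(token, TokenImpersonationLevel,
                                              &level, sizeof(level), &len) != FALSE;
        out += std::wstring(L" [thread token, ") + LevelName(ok ? level : -1) + L"]";
    }
    else
        out += L" [process token, thread is not impersonating]";
    ::CloseHandle(token);
    return out;
}
#endif
```

Logging the returned string right after `ImpersonateLoggedOnUser` and again just before the scheduler call shows whether the two run on the same thread and at what impersonation level.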

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 10 Oct 2012