From: Tahsin Alam (tahsinalamYAHOO.COM)
Date: Wed Oct 03 2001 - 07:56:49 CDT


    Hi all:

    I am continuing to struggle with coming up with a good application architecture based on COM+/IIS/Active Directory security, and I keep on running into architectural shortcomings in COM+ security. Here is my latest...

    I have the following situation:

    ASP(impersonating the caller) -----calls-----> [Roles] COM+ Server Application ("BSL")
                      ------calls-----> [Roles] COM+ Library Application ("BO")

    All three logical tiers (BSL=Business Service Layer, BO=Business Objects) are on the same physical machine. COM+ security is turned on in all applications. ASP impersonates the logged-in user before making any COM+ calls. All users have domain accounts in Active Directory.

    The users are in Active Directory groups, and I make the COM+ roles contain the AD groups. This centralizes user administration.

    We would like to enforce some business rules in the business objects based on the role of the original caller. That means, we need to know the role of the original caller 2 calls away from ASP, i.e. in the BO.

    At first I tried IsCallerInRole in the BO. That didn't work as "IsCallerInRole" checks only the direct caller and at the BO level, the direct caller is the identity of the BSL Application.

    Then I tried "IsUserInRole(user,role)" passing in the original caller's SID as the "user" parameter. That didn't work till I applied Win2k SP2.

    -----> PROBLEM: Then I set the identity of the BSL application to a local user (it was the interactive user before), and voila - "IsUserInRole" stopped working! Seems like for IsUserInRole to work, you need the COM+ identity to be a domain user. However, setting the COM+ identity to a domain user makes the machine quite vulnerable - the userid/pwd is pretty easily available to any hacker who can hack into the machine and run scripts. Compromising a domain account is not a good idea.

    -----> ARCHITECTURAL ISSUE: So, how do I use COM+ roles and check the roles across multiple COM+ applications? I can't combine it all into one large COM+ app for other reasons (ease of sharing the BOs across multiple apps, deployment ease, etc.).

    Has anyone successfully architected based on COM+ security? What was the architecture like?

    tahsin
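The distinction the post draws between the direct caller and the original caller, as an added example that is not part of the original message: a VB6 method inside the "BO" library application that retrieves the original caller from the COM+ security call context and checks that identity's role with IsUserInRole, instead of IsCallerInRole, which only sees the BSL application's identity. It assumes a project reference to the COM+ Services Type Library (COMSVCSLib); the role name "Approver" and the hypothetical helper names are placeholders, not anything from the post.

```vb
' Added example (not from the original post). Requires a reference to the
' COM+ Services Type Library (COMSVCSLib). Intended to live in a component of
' the "BO" library application described in the post.

' Returns True if the ORIGINAL caller (the user ASP impersonated) is in the
' named role of this application. Role name is supplied by the caller;
' "Approver" in the usage below is a placeholder.
Public Function OriginalCallerIsInRole(ByVal roleName As String) As Boolean
    Dim ctx As COMSVCSLib.SecurityCallContext
    Dim originalCaller As COMSVCSLib.SecurityIdentity
    Dim callerSid As Variant

    Set ctx = GetSecurityCallContext()

    ' If role-based security is off for this application, every role check
    ' below would be meaningless, so fail closed rather than return True.
    If Not ctx.IsSecurityEnabled() Then
        Err.Raise vbObjectError + 1, "BO", "COM+ role-based security is not enabled"
    End If

    ' IsCallerInRole(roleName) would evaluate the DIRECT caller, which here is
    ' the identity of the BSL server application. "OriginalCaller" is the
    ' identity at the start of the call chain, i.e. the impersonated user.
    Set originalCaller = ctx.Item("OriginalCaller")
    callerSid = originalCaller.Item("SID")

    ' IsUserInRole resolves the SID against the roles of this application
    ' (and the AD groups mapped into them). As the post notes, this resolution
    ' fails when the hosting application runs under a local account.
    OriginalCallerIsInRole = ctx.IsUserInRole(callerSid, roleName)
End Function

' Hypothetical audit helper: returns "direct -> original" account names so a
' business object can log who actually initiated a call, which is useful when
' diagnosing exactly the identity mismatch the post describes.
Public Function DescribeCallChain() As String
    Dim ctx As COMSVCSLib.SecurityCallContext
    Dim direct As COMSVCSLib.SecurityIdentity
    Dim original As COMSVCSLib.SecurityIdentity

    Set ctx = GetSecurityCallContext()
    Set direct = ctx.Item("DirectCaller")
    Set original = ctx.Item("OriginalCaller")

    DescribeCallChain = "callers=" & ctx.Item("NumCallers") & _
        " direct=" & direct.Item("AccountName") & _
        " original=" & original.Item("AccountName")
End Function

' Usage inside a BO method (placeholder role name):
'   If Not OriginalCallerIsInRole("Approver") Then
'       Err.Raise vbObjectError + 2, "BO", "Access denied: " & DescribeCallChain()
'   End If
```

The check deliberately raises on IsSecurityEnabled being False instead of returning False, so a misconfigured deployment (security switched off on the library application) surfaces as an error rather than as a silent authorization failure; DescribeCallChain is only for logging and should not be returned to the end user.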

