What makes the uid/pwd for the COM+ identity insure? The fact that the COM+
catalog settings for your application is storing that info somewhere locally
on the PC?

How are you impersonating the clients on the PC? IIS authentication (basic?
integrated?)?
Are the clients NT logins on their PCs the same identities as the identity
IIS impersonates for them?

-----Original Message-----
From: Tahsin Alam [mailto:tahsinalamYAHOO.COM]
Sent: Wednesday, October 03, 2001 8:57 AM
To: DCOMDISCUSS.MICROSOFT.COM
Subject: Using COM+ to control security: architectural issues

Hi all:

I am continuing to struggle with coming up with a good application
architecture based on COM+/IIS/Active Directory security, and I keep on
running into architectural shortcomings in COM+ security. Here is my
latest...

I have the following situation:

ASP(impersonating the caller) -----calls-----> [Roles] COM+ Server
Application ("BSL")
                  ------calls-----> [Roles] COM+ Library Application ("BO")

All three logical tiers (BSL=Business Service Layer, BO=Business Objects)
are on the same physical machine. COM+ security is turned on in all
applications. ASP impersonates the logged in user before making any COM+
calls. All users have domain accounts in Active Directory.

The users are in Active Directory groups, and I make the COM+ roles contain
the AD groups. This centralizes user administration.

We would like to enforce some business rules in the business objects based
on the role of the original caller. That means, we need to know the role of
the original caller 2 calls away from ASP, i.e. in the BO.

At first I tried IsCallerInRole in the BO. That didn't work as
"IsCallerInRole" checks only the direct caller and at the BO level, the
direct caller is the identity of the BSL Application.

Then I tried "IsUserInRole(user,role)" passing in the original callers SID
as the "user" parameter. That didn't work till I applied Win2k SP2.

-----> PROBLEM: Then I set the identity of the BSL application to a local
user (it was the interactive user before), and voila - "IsUserInRole"
stopped working! Seems like for IsUserInRole to work, you need the COM+
identity to be a domain user. However, setting the COM+ identity to a domain
user makes the machine quite vulnerable - the userid/pwd is pretty easily
available to any hacker who can hack into the machine and run scripts.
Compromising a domain account is not a good idea.

-----> ARCHITECTURAL ISSUE: So, how do I use COM+ roles and check the roles
across multiple COM+ applications? I can't combine ti all into one large
com+ app for other reasons (easy of sharing the BO's across multiple apps,
deployment ease, etc.).

Has anyone successfully architectected based on COM+ security? What was the
architecture like?

tahsin

---------------------------------
Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone with Yahoo! by Phone.

----------------------------------------------------------------
Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
contains important info. Save time, search the archives at
http://discuss.microsoft.com/archives/index.html .
To unsubscribe, mailto:DCOM-signoff-requestDISCUSS.MICROSOFT.COM

----------------------------------------------------------------
Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
contains important info. Save time, search the archives at
http://discuss.microsoft.com/archives/index.html .
To unsubscribe, mailto:DCOM-signoff-requestDISCUSS.MICROSOFT.COM

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]