MORE INFORMATION
You create an instance of a non-MTS COM component from ASP. When that component in turn creates an instance of an MTS component, MTS role-based security tries to identify the user who made the ASP request. For MTS role-based security to identify the calling user, you must use the correct creation methods for both COM components, because only some of them carry the caller's security context across the call.
Microsoft Internet Information Server (IIS) provides the following authentication schemes to control access to IIS resources:
- Anonymous
- Basic
- Windows NT Challenge/Response
Note If you use Anonymous authentication, you cannot identify the calling user; every request runs as the anonymous account.
When ASP receives a request, it impersonates the calling user on the Windows Application Manager (WAM) thread that it spins off to handle the request. By default, COM components on computers that are running Microsoft Windows NT use the process token to perform the impersonation. COM components on computers that are running Windows 2000 use the thread token to impersonate COM calls.
Create a non-MTS component: Server.CreateObject
If the Microsoft Visual Basic COM component is instantiated with the ASP Server.CreateObject method, the object context flows in the call that creates and uses the component, and the thread token (the impersonated caller) is used in the call. When you use the Microsoft Visual Basic Scripting Edition (VBScript) CreateObject function instead, the process token of the application is used, and the context does not flow into the COM component. Therefore, for in-process ASP applications, the calling user identity is SYSTEM. For out-of-process ASP applications, the COM component runs as the default IWAM_machinename account, unless the identity of that application has been changed in the MTS Explorer Microsoft Management Console (MMC).
Create an MTS component: GetObjectContext.CreateInstance
If your Visual Basic COM component calls the CreateObject function to create an instance of the MTS component, the context does not flow. The same is true of the CoCreateInstance function in straight C++ and the CComObject::CreateInstance method in the Active Template Library (ATL). However, if you call the GetObjectContext.CreateInstance method and you reference the Microsoft Transaction Server Type Library, the context and the thread token's security credentials propagate down the chain to the MTS component. The MTS component can then correctly identify the calling user and can enforce declarative security (roles) or programmatic security within the code of the component.
Note In Internet Information Server (IIS) 4.0, all ASP code runs under MTS. Therefore, when you create a non-MTS COM component in ASP, it is still running under MTS even though you did not explicitly set the component to run under MTS.
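The following is an added illustration of the whole chain described above (ASP page, non-MTS component, MTS component); it is not code from the Knowledge Base article. The ProgIDs MyApp.Front and MyApp.Back and the MTS role name "Readers" are hypothetical. The first part is VBScript in an ASP page; the two components are Visual Basic 6 class modules that reference the Microsoft Transaction Server Type Library. Each creation step uses the method that lets the caller's security context flow, with the non-flowing alternative noted in the comments.

```vb
' ---- 1. ASP page (VBScript), for example default.asp ----
' Server.CreateObject carries the ASP object context and the
' impersonated caller's thread token into the component.
' CreateObject("MyApp.Front") would use the process token instead
' (SYSTEM in-process, IWAM_machinename out-of-process).
' MyApp.Front is a hypothetical ProgID.
'
' <%
'     Dim objFront
'     Set objFront = Server.CreateObject("MyApp.Front")
'     Response.Write objFront.WhoAmI()
' %>

' ---- 2. Non-MTS front component (Visual Basic 6, ProgID MyApp.Front) ----
' Project reference: Microsoft Transaction Server Type Library.
Public Function WhoAmI() As String
    Dim objBack As Object
    ' GetObjectContext.CreateInstance propagates the context and the
    ' caller's security credentials to the MTS component.
    ' CreateObject("MyApp.Back") would NOT propagate them, and the MTS
    ' component would see the package identity rather than the web user.
    Set objBack = GetObjectContext.CreateInstance("MyApp.Back")
    WhoAmI = objBack.CallerReport()
End Function

' ---- 3. MTS component (Visual Basic 6, ProgID MyApp.Back) ----
' Installed in an MTS server package with role-based security enabled
' and a hypothetical role named "Readers".
Public Function CallerReport() As String
    Dim ctx As ObjectContext
    Dim sCaller As String

    Set ctx = GetObjectContext()

    ' IsSecurityEnabled is False in a library package or when the
    ' package's "Enable authorization checking" option is off; role
    ' checks are meaningless in that case, so report it explicitly.
    If Not ctx.IsSecurityEnabled Then
        CallerReport = "MTS security is not enabled for this package"
        Exit Function
    End If

    ' GetDirectCallerName returns DOMAIN\user of the immediate caller.
    ' Under Anonymous authentication this is the anonymous account, not
    ' the browsing user, which is why that scheme cannot identify callers.
    sCaller = ctx.Security.GetDirectCallerName()

    ' Programmatic role check. Declarative security on the package or
    ' interface would reject a caller outside the role before this runs.
    If ctx.IsCallerInRole("Readers") Then
        CallerReport = "Caller " & sCaller & " is in role Readers"
    Else
        CallerReport = "Caller " & sCaller & " is NOT in role Readers"
    End If
End Function
```

If either creation step is replaced with CreateObject, CallerReport still runs, but the name it reports changes from the authenticated web user to the process identity (SYSTEM, IWAM_machinename, or the package identity), which is the symptom to look for when role checks unexpectedly fail or, worse, unexpectedly succeed.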
REFERENCES
For additional information about security and Internet Information Server (IIS), click the following article number to view the article in the Microsoft Knowledge Base:
158229 Security ramifications for IIS applications