BUG: Session_OnEnd Changes Security Context of InProcess Component (243828)

SYMPTOMS

When instantiating an InProcess COM component from ASP's Session_OnEnd event, the COM component runs using the process token. During the Session_OnEnd event, the thread of execution reverts to the process security token. If the Web application is in-process, the process token is the Local System security context. If the Web application is set to run in a separate memory space, the process token is the IWAM_<machine> This behavior can produce a variety of unexpected results, but the most common result is an error message stating Access is Denied.

RESOLUTION

Workaround #1

Add your component to a Microsoft Transaction Server (MTS) Server Package. A server package launches a new Mtx.exe in the security context of the package user identity, thus the security context is preserved.

Workaround #2

You can impersonate a specific security context by making the following calls from within your component:

LogonUser
ImpersonateLoggedOnUser

NOTE: If your Web application is in-process, the executing thread is running under the Local System account. By default, the Local System account has the correct privilege to call LogonUser successfully. If your Web application in a separate memory space from Inetinfo.exe, the executing thread is running under the IWAM_<machine>. By default, the IWAM_<machine> account does not have the privilege to call LogonUser, so you will need to modify the account. Windows NT Auditing can be useful in diagnosing permission and privilege issues.

IMPORTANT: After you are done with the impersonation, you must call RevertToSelf.

BUG: Session_OnEnd Changes Security Context of InProcess Component (243828)

SYMPTOMS

RESOLUTION

Workaround #1

Workaround #2

STATUS