[wix-users] How to config DCom permissions for IUsers group (ASP.NET app)

Phill Hogland phill.hogland at rimage.com
Wed Mar 30 10:44:07 PDT 2016

>>Are you using it to backdoor IIS security?
Not as far as I know, but if I need to push back on the developer that wrote the ASP.NET app and get him to take another approach I am happy to do that. In fact, while researching this issue I read some stuff about IClient SecurityBlanket and asked him to evaluate whether he needed to make some changes.

The story here is we have an ASP.NET app with a third-party desktop app that provides a DCOM interface. The ASP.NET app consumes the DCOM object as an out-of-process server. So I have always had to use dcomcnfg (or in the old setup dcomprem.exe) to add the app pool identity to the DCOM object's launch and access permissions. I find that adding the builtin IUsers group is as effective as adding a specific identity like NetworkService, because IIS adds the app pool identity to the IUsrs group only when the identity needs access/Activate permissions. The ASP.NET app and DCOM interface have been deployed for some time, starting back on XP, but this conversion from InstallScript setup to an MSI is one of the last major hurdles on my journey to eliminate all of our InstallScript setups. (Yeh! Thanks WiX team!!!).

Thanks for your comments, and any further suggestions. 

From: wix-users <wix-users-bounces at lists.wixtoolset.org> on behalf of John Cooper <JoCooper at jackhenry.com>
Sent: Wednesday, March 30, 2016 12:13 PM
To: WiX Toolset Users Mailing List
Subject: Re: [wix-users] How to config DCom permissions for IUsers group (ASP.NET app)

Are you using it to backdoor IIS security?

I have a single product that needs IIS wrapped in DCOM with the permissions of a particular user so that user can spawn additional sites, app pools, and applications.

It's easy enough to execute using either a C# or C++ custom action. The problem comes with the need for an affinity between the affected process and the DCOM object. Since custom actions are launched independent of the installing process, it's very unlikely that process will work. Indeed, I could get the DCOM service setup, but it was for the wrong process context.

Ultimately, for that one product, we use a post install PowerShell script.  If you find a way to get the process context right, I'd really like to know.

John Merryweather Cooper
Senior Software Engineer | Integration Development Group | Enterprise Notification Service
Jack Henry & Associates, Inc.® | Lenexa, KS  66214 | Ext:  431050 |JoCooper at jackhenry.com

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Phill Hogland
Sent: Wednesday, March 30, 2016 11:56 AM
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: [wix-users] How to config DCom permissions for IUsers group (ASP.NET app)

I need to configure a DCom object's LaunchPermission and AccessPermission to include the IUsrs group for access by an ASP.NET app.  I am just wondering how other folks have approached this issue.

WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
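The permission change discussed in this thread, as an added PowerShell example that is not part of the original messages and is not WiX or the posters' code: it decodes a DCOM LaunchPermission/AccessPermission security descriptor into named rights and adds an allow ACE limited to local launch and activation, so the result can be reviewed before anything is written back. The helper names are hypothetical, the sample descriptor is constructed, and the SID assumes the group the thread calls IUsrs is BUILTIN\IIS_IUSRS.

```powershell
# COM permission bits (COM_RIGHTS_* in the Windows SDK).
$ComRights = [ordered]@{
    Execute = 0x01; ExecuteLocal = 0x02; ExecuteRemote = 0x04
    ActivateLocal = 0x08; ActivateRemote = 0x10
}
$LocalOnly = 0x01 -bor 0x02 -bor 0x08   # execute + local launch/access + local activation

function ConvertTo-ComAceList {          # hypothetical helper name
    # Decode a self-relative security descriptor (the REG_BINARY stored in
    # LaunchPermission / AccessPermission under HKCR\AppID\{guid}) into rows.
    param([byte[]]$Bytes)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Sid    = $ace.SecurityIdentifier.Value
            Type   = $ace.AceQualifier
            Rights = ($ComRights.Keys | Where-Object { $mask -band $ComRights[$_] }) -join ','
            Remote = [bool]($mask -band 0x14)   # any remote execute/activate bit set
        }
    }
}

function Add-ComLocalAce {               # hypothetical helper name
    # Return new descriptor bytes with an allow ACE for $Sid, local rights only.
    param([byte[]]$Bytes, [string]$Sid)
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $LocalOnly, [System.Security.Principal.SecurityIdentifier]::new($Sid), $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $out = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($out, 0)
    return ,$out
}

# Constructed sample descriptor (not from a real machine): SYSTEM and Administrators.
$sample = [System.Security.AccessControl.RawSecurityDescriptor]::new(
    'O:BAG:BAD:(A;;CCDCLCSWRP;;;SY)(A;;CCDCLCSWRP;;;BA)')
$bytes = [byte[]]::new($sample.BinaryLength)
$sample.GetBinaryForm($bytes, 0)

# Assumption: the group the thread calls IUsrs is BUILTIN\IIS_IUSRS (S-1-5-32-568).
$updated = Add-ComLocalAce -Bytes $bytes -Sid 'S-1-5-32-568'
ConvertTo-ComAceList -Bytes $updated | Format-Table -AutoSize

# On a real system the input would be read from the AppID key (placeholder GUID):
# (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\AppID\{APPID-GUID-PLACEHOLDER}').LaunchPermission
```

The `Remote` column makes it easy to spot ACEs that grant remote launch or activation, which an in-box ASP.NET consumer of an out-of-process server does not need.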
