COM/DCOM
Accessing a Remote DCOM IOM Server from an Active Server Page
When you access a remote DCOM IOM server from an Active Server Page (ASP), your IOM server is on a
different machine than your Web server and you access DCOM objects through
the network.
Follow the instructions for configuring permissions on either Windows NT 4 or Windows 2000 and XP.
Configuring Windows NT 4 with IIS to Access a Remote DCOM IOM Server
To give the NT Anonymous Logon user permission to launch and access the DCOM server:
On your remote IOM server, start dcomcnfg.
Select SAS.Workspace (SAS Version 9.1), and then select Properties.
Select the Security tab, and add launch and access permissions for the following users:
- System (the operating system)
- Network (users accessing this object remotely)
If your DCOM IOM server is on Windows NT 4, this configuration is sufficient.
If your DCOM IOM server is on Windows 2000 or XP, you must change the identity of the user that will run the DCOM server process.
The NT Anonymous Logon user account
on Windows NT 4 does not have sufficient permission to run SAS on a Windows 2000 or XP server.
For Windows 2000 or XP, to change the user that will run the DCOM server process:
- Select the Identity tab.
- Select either The interactive user or
This user.
Note: If you have selected The interactive user and no users are logged onto the computer, the application
will fail. It is recommended that you select This user and indicate a specific account.
If you select This user, enter a valid user account that has
permission to run SAS on your server.
Configuring Windows 2000 or XP with IIS 5 to Access a Remote DCOM IOM Server
For Windows 2000 and XP, IIS processes are configured as COM+ Applications. Therefore,
you must configure an additional layer of security prior to accessing a remote IOM DCOM
server from an ASP.
By default, an application in IIS 5 uses Medium (Pooled) application protection, and, as a result, it
runs under the IIS Out of Process Pooled Applications COM+ application.
In a typical IIS 5 installation, this application is launched by the IWAM_<machine name> account.
The IWAM_<machine name> account exists on the \\<machine name>* domain on which IIS is running.
But when the IWAM_<machine name> account attempts to authenticate on the
remote server, access is denied because the account
does not exist on the remote server. The COM+
application must run under an account that exists on both machines. There are two ways
to achieve this access:
- If the two computers are located under the same domain, you can use an account on the domain.
- You can use an account that exists locally on both computers if the passwords for the account match on both computers.
Important Note:
It is recommended that you DO NOT change the launching user of the IIS Out of Process Pooled Applications.
Changing the launching user will cause all of your pooled IIS applications to launch as a specific user and could cause problems.
In addition, if you change the launching user from the IWAM account to another user,
it is difficult to revert to the IWAM account. You might want to revert to the IWAM account
if another application fails because you changed this launching user.
For these reasons, we recommend that you change to High (Isolated) Application Protection for the IIS Application that will access
SAS using DCOM. This will create a new COM+ Application that you can configure independently,
without affecting any other pooled applications.
If you change the launching user of the IIS Out of Process Pooled Application, it is possible to revert to the IWAM account.
For more information about resetting the IWAM password, see
PRB: Configured Identity is Incorrect for IWAM Account (Q297989) on the Microsoft Web site.
To set up remote DCOM and COM+:
- Configure your IIS application to use High (Isolated) Application Protection.
- Configure the IIS application to run as a specific user.
- Set access and launch permissions for the user.
Configure your IIS Application to use High (Isolated) Application Protection
To run your application as an isolated process:
Start Internet Services Manager by clicking Start > Settings > Control Panel.
Open Administrative Tools and click Internet Services Manager.
Select the directory where your ASP is located.
Right-click, and select Properties to view the properties for your directory.
On the Directory tab under Application Settings, change Application Protection to
High (Isolated).
Configure your COM+ Application
Note: Be sure to read the Important Note under Configuring Windows 2000 or XP
with IIS 5 Remote DCOM and COM+ Settings.
It is recommended that you do NOT change the launching
user of the IIS Out-Of-Process Pooled Applications.
To configure the COM+ application:
- Click Start > Settings > Control Panel.
- Open Administrative Tools and click Component Services.
- Expand the Component Services folder, expand the
Computers folder, expand the My Computer folder, and then expand the COM+ Applications folder.
- Find the newly created COM+ application for your IIS application. It will
be named IIS--{Default Web Site//Root/<iis_application>} where <iis_application>
is the name of your IIS application.
Right-click the appropriate COM+ application, and select Properties.
Select the Identity tab, and do one of the following:
- Indicate a specific user account for the application.
- Use the interactive user if the interactive user exists on both machines.
Note: If you have selected The interactive user and no users are logged onto the computer, the application
will fail. It is recommended that you select This user and indicate a specific account.
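To confirm the result of the identity steps above without opening Component Services, the COM+ catalog can be read from a script. The following PowerShell is an added example, not part of the SAS documentation; it only reads the catalog, and it assumes that isolated IIS applications have names beginning with "IIS-" and that the pooled application's name matches "IIS Out*Pooled*".

```powershell
# Added example: read-only audit of COM+ application identities on the IIS machine.
# Assumptions: isolated IIS applications are named "IIS-..." and the pooled
# application's name matches "IIS Out*Pooled*". Nothing is modified.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

$report = foreach ($app in $apps) {
    $name       = [string]$app.Name
    $isIsolated = $name -like 'IIS-*'
    $isPooled   = $name -like 'IIS Out*Pooled*'
    if (-not ($isIsolated -or $isPooled)) { continue }

    $identity = [string]$app.Value('Identity')
    $isIwam   = $identity -match '(^|\\)IWAM_'

    # Findings restate the conditions described in this document.
    $finding = if ($isPooled -and -not $isIwam) {
        'Launching user of the pooled application was changed from IWAM'
    } elseif ($isPooled) {
        'Pooled application still runs as IWAM (left unchanged)'
    } elseif ($identity -eq 'Interactive User') {
        'Fails when no user is logged on; select a specific account'
    } elseif ($isIwam) {
        'IWAM account does not exist on the remote IOM server'
    } else {
        'Specific account; confirm it exists on both machines'
    }

    New-Object PSObject -Property @{
        Application = $name; Identity = $identity; Finding = $finding
    }
}
$report | Format-Table Application, Identity, Finding -AutoSize -Wrap
```

Run it on the Web server from an administrative session; an isolated application that still reports an IWAM identity or "Interactive User" has not been given a specific account yet.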
Setting Access and Launch Permissions for the User
You must give the user who launches the IIS COM+ application permission to
access and launch the remote IOM DCOM server. To set the permissions:
On your remote IOM DCOM server, start dcomcnfg.
Select SAS.Workspace (SAS Version 9.1), and then select Properties.
Select the Security tab, and add launch and access permissions for the user who is launching your IIS COM+ application.
Add access permissions for
found in the \\<machine name>* domain.
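The launch and access permissions set with dcomcnfg, both here and in the Windows NT 4 section, are stored as security descriptors under the server's AppID registry key and can be listed for review. The following PowerShell is an added example, not part of the SAS documentation; it is read-only and assumes the AppID display name begins with "SAS.Workspace", the name that dcomcnfg shows.

```powershell
# Added example: read-only listing of the DCOM launch/access ACLs on the IOM server.
# Assumption: the AppID display name starts with "SAS.Workspace" (as listed in dcomcnfg).
# Well-known SIDs worth a second look when they appear in an Allow entry.
$review = @{
    'S-1-5-7' = 'Anonymous Logon'
    'S-1-1-0' = 'Everyone'
    'S-1-5-2' = 'Network'
}

$rows = foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID') {
    $display = [string]$key.GetValue('')
    if ($display -notlike 'SAS.Workspace*') { continue }

    foreach ($valueName in 'LaunchPermission', 'AccessPermission') {
        $bytes = $key.GetValue($valueName)
        if ($null -eq $bytes) {
            # No per-application ACL stored: the machine-wide default applies.
            New-Object PSObject -Property @{
                Application = $display; Permission = $valueName
                AceType = ''; Account = '(machine default ACL)'; Mask = ''; Review = ''
            }
            continue
        }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            # Fall back to the raw SID when the account cannot be resolved.
            $account = try {
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $sid.Value }
            New-Object PSObject -Property @{
                Application = $display; Permission = $valueName
                AceType = $ace.AceType; Account = $account
                Mask = '0x{0:X}' -f $ace.AccessMask
                Review = $review[$sid.Value]
            }
        }
    }
}
$rows | Format-Table Application, Permission, AceType, Account, Mask, Review -AutoSize
```

The account that launches the IIS COM+ application should appear under both LaunchPermission and AccessPermission; entries marked in the Review column grant rights to broad groups and are the ones to justify or remove.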
More Information
These COM/DCOM configurations will work for most simple setups. There are many other ways to
configure IIS, DCOM and COM+ that might better suit your specific needs. The following documents and books on the World Wide Web
provide additional information about IIS, DCOM, COM+ as well as information about developing ASP applications
that use COM objects. There are also many other resources for Active Server Page developers available on the
MSDN Web site.