IIS, impersonation and COM interop: permission denied
We are in the throes of integrating a Document Management System with Dynamics CRM 4. We have done similar things previously but in this instance we are having to reference a COM dll.
We've configured the asp.net page (we are bringing the info in via an iFrame in CRM), setting Impersonation = True in the Web.config and ensured that Windows authentication is the only method available within IIS.
This all works as we would expect when logged into the server itself; the page happily goes off and finds all the relevant documents for the CRM account and presents them to a user in a nice Infragistics CRM styled grid. However, trying this from a client workstation we get the following:
System.Runtime.InteropServices.COMException (0xC0042335): Permission denied.
Impersonation appears to be passing over the correct details but nothing we've tried thus far has been able to make this work outside of logging into the server. Any thoughts as to what we are missing?
Comments (1)
This could be a multi-hop Kerberos issue. Does the document management system exist on another physical server? If so, you probably need to enable Delegation on the computer account in Active Directory, assuming you installed CRM using the default settings (Network Service running the App Pool). Impersonation is different than Delegation - impersonation only works when accessing resources on the local server. If you are accessing resources on another server on behalf of a user, you need to also enable Delegation. Here is a link showing you how:
http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html
Once you make these changes, have your AD administrator force a replication, then log out and back in to your workstation to refresh your Kerberos ticket cache.
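
A diagnostic for the impersonation/delegation distinction drawn in the answer above, as an added example that is not part of the original thread: a generic handler (hypothetical file name DelegationCheck.ashx) that, when requested from a client workstation, reports which protocol authenticated the caller and whether the impersonated token is at Impersonation or Delegation level. It assumes the same Web.config impersonation and Windows authentication settings as the page in the question.

```csharp
<%@ WebHandler Language="C#" Class="DelegationCheck" %>
// Added example, not from the original thread. Class and file names are hypothetical.
using System;
using System.Security.Principal;
using System.Web;

public class DelegationCheck : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // With impersonation enabled, the request thread carries the caller's
        // token, so GetCurrent() describes the browsing user, not the app pool.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            context.Response.ContentType = "text/plain";
            context.Response.Write(Describe(id));
        }
    }

    public static string Describe(WindowsIdentity id)
    {
        string level;
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                level = "Delegation: the token may be forwarded to another server.";
                break;
            case TokenImpersonationLevel.Impersonation:
                level = "Impersonation: the token is good on this server only.";
                break;
            default:
                level = "No caller token on this thread (process identity in use).";
                break;
        }

        // NTLM cannot be delegated; a second hop needs Kerberos end to end.
        string auth = id.AuthenticationType ?? "(unknown)";
        string proto = string.Equals(auth, "NTLM", StringComparison.OrdinalIgnoreCase)
            ? "NTLM was used, so Kerberos delegation cannot apply to this request."
            : "Authentication package reported: " + auth + ".";

        return string.Format("User:  {0}\r\nLevel: {1}\r\nAuth:  {2}\r\n",
                             id.Name, level, proto);
    }
}
```

A result of Impersonation or NTLM from the workstation points at the missing delegation setting; remove the handler once the check is done, since it discloses account names.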