|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
AzMan threading problemswhere else to go, I would appreciate the recomendation. On to my problem, I have built a windows service that makes decisions based on AzMan roles and operations. Client requests come in over .NET remoting. I am having problems with the authorization manager store and application objects. If I create the store and open the application for every request, it all works. However I would like to open the store object and the application when the service cranks up and use those objects to open client contexts (sounds like it would perform better, but to date it just breaks) . When I try to do this, I almost always get an interop error the error is "InvalidCastException calling any method on the IAzApplication. (System.InvalidCastException: QueryInterface for interface Microsoft.Interop.Security.AzRoles.IAzApplication failed).". If I run the exact same code in a winforms applicaitno, the calls work fine. I am pretty sure I am hitting a threading problem here (see note below), but cant seem to figure it out Thanks in advance for any ideas or advice -Robert p.s. I have found a similar discussion on http://www.dotnetmonster.com/Uwe/Forum.aspx/dotnet-interop/1590/InvalidCastException-Using-AzMan-from-ASP-NET, but no resolution Are you using an XML based store or ActiveDirectory?
I understand that there can be concurrency problems when using an XML store. If you are running XP there are problems using AzMan if using the NETWORK_SERVICE account. Basically it all seems to work better if you use a domain account - seems that AzMan is really a Windows 2003 product and not fully supported on XP. Thanks for the response, I posted this several places and almost no one
seems to be working extensively with AzMan. The final platform target is indeed Win 2003, however I am developing on XP. I have tested a bit on Win2003 and have seem similar problems , my current "temporary" solution is to treat it like an STA COM object (this is how it behaves) and throw it in COM+. It behaves a bit better there but the overhead is pretty huge. Show quoteHide quote "richlm" <richlm@nospam.nospam> wrote in message news:eVN16C8OFHA.524@TK2MSFTNGP09.phx.gbl... > Are you using an XML based store or ActiveDirectory? > I understand that there can be concurrency problems when using an XML > store. > > If you are running XP there are problems using AzMan if using the > NETWORK_SERVICE account. > Basically it all seems to work better if you use a domain account - seems > that AzMan is really a Windows 2003 product and not fully supported on XP. > Hello Robert,
i will look into it - cannot be that AzMan is for STA use only - would be a major design flaw... --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com Show quoteHide quote > Thanks for the response, I posted this several places and almost no > one seems to be working extensively with AzMan. The final platform > target is indeed Win 2003, however I am developing on XP. I have > tested a bit on Win2003 and have seem similar problems , my current > "temporary" solution is to treat it like an STA COM object (this is > how it behaves) and throw it in COM+. It behaves a bit better there > but the overhead is pretty huge. > > "richlm" <richlm@nospam.nospam> wrote in message > news:eVN16C8OFHA.524@TK2MSFTNGP09.phx.gbl... > >> Are you using an XML based store or ActiveDirectory? >> I understand that there can be concurrency problems when using an XML >> store. >> If you are running XP there are problems using AzMan if using the >> NETWORK_SERVICE account. >> Basically it all seems to work better if you use a domain account - >> seems >> that AzMan is really a Windows 2003 product and not fully supported >> on XP. I agree, it would be a major flaw, and the object is marked as "Both" in its
CLSID registration, however it behaves very much like a poorly written STA object. All samples I have found are fairly transactional, either operating inside a desktop application or always opening and closing the applicaiton store/app/usercontext inside the scope of a single request. Show quoteHide quote "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:%23t$RwccPFHA.244@TK2MSFTNGP12.phx.gbl... > Hello Robert, > > i will look into it - cannot be that AzMan is for STA use only - would be > a major design flaw... > > > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > >> Thanks for the response, I posted this several places and almost no >> one seems to be working extensively with AzMan. The final platform >> target is indeed Win 2003, however I am developing on XP. I have >> tested a bit on Win2003 and have seem similar problems , my current >> "temporary" solution is to treat it like an STA COM object (this is >> how it behaves) and throw it in COM+. It behaves a bit better there >> but the overhead is pretty huge. >> >> "richlm" <richlm@nospam.nospam> wrote in message >> news:eVN16C8OFHA.524@TK2MSFTNGP09.phx.gbl... >> >>> Are you using an XML based store or ActiveDirectory? >>> I understand that there can be concurrency problems when using an XML >>> store. >>> If you are running XP there are problems using AzMan if using the >>> NETWORK_SERVICE account. >>> Basically it all seems to work better if you use a domain account - >>> seems >>> that AzMan is really a Windows 2003 product and not fully supported >>> on XP. > > > In case any of you are interested, the AzMan object is not actually STA, it
is a decent MTA object (not speedy but it works), it appears to incorrectly aggregrate the free-threaded marshaller. I got a hint for this by reading at http://support.microsoft.com/kb/313510/EN-US/ . Since the aggregration is a function of early binding, I wrote a late bound wrapper for all of the functions I needed and it appears to work ok. Not done with any real scaleability testing yet, but it does correctly keep user az client context accross threads. Show quoteHide quote "Robert Ginsburg" <robert.ginsb***@ver3.com> wrote in message news:%23Kx6Z%23dOFHA.3444@tk2msftngp13.phx.gbl... >I cannot find a newgroup dedicated to AzMan so if anyone has any ideas on >where else to go, I would appreciate the recomendation. On to my problem, I >have built a windows service that makes decisions based on AzMan roles and >operations. Client requests come in over .NET remoting. I am having >problems with the authorization manager store and application objects. If I >create the store and open the application for every request, it all works. >However I would like to open the store object and the application when the >service cranks up and use those objects to open client contexts (sounds >like it would perform better, but to date it just breaks) . When I try to >do this, I almost always get an interop error the error is >"InvalidCastException calling any method on the IAzApplication. >(System.InvalidCastException: QueryInterface for interface >Microsoft.Interop.Security.AzRoles.IAzApplication failed).". If I run the >exact same code in a winforms applicaitno, the calls work fine. I am >pretty sure I am hitting a threading problem here (see note below), but >cant seem to figure it out > > > Thanks in advance for any ideas or advice > > -Robert > > > > p.s. I have found a similar discussion on > http://www.dotnetmonster.com/Uwe/Forum.aspx/dotnet-interop/1590/InvalidCastException-Using-AzMan-from-ASP-NET, > but no resolution > > Hello Robert,
do you want to post the code that did not work - and how you got it working...i still can't believe that just using late binding solves the problem... thanks --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com Show quoteHide quote > In case any of you are interested, the AzMan object is not actually > STA, it is a decent MTA object (not speedy but it works), it appears > to incorrectly aggregrate the free-threaded marshaller. I got a hint > for this by reading at http://support.microsoft.com/kb/313510/EN-US/ . > Since the aggregration is a function of early binding, I wrote a late > bound wrapper for all of the functions I needed and it appears to work > ok. Not done with any real scaleability testing yet, but it does > correctly keep user az client context accross threads. > > "Robert Ginsburg" <robert.ginsb***@ver3.com> wrote in message > news:%23Kx6Z%23dOFHA.3444@tk2msftngp13.phx.gbl... > >> I cannot find a newgroup dedicated to AzMan so if anyone has any >> ideas on where else to go, I would appreciate the recomendation. On >> to my problem, I have built a windows service that makes decisions >> based on AzMan roles and operations. Client requests come in over >> .NET remoting. I am having problems with the authorization manager >> store and application objects. If I create the store and open the >> application for every request, it all works. However I would like to >> open the store object and the application when the service cranks up >> and use those objects to open client contexts (sounds like it would >> perform better, but to date it just breaks) . When I try to do this, >> I almost always get an interop error the error is >> "InvalidCastException calling any method on the IAzApplication. >> (System.InvalidCastException: QueryInterface for interface >> Microsoft.Interop.Security.AzRoles.IAzApplication failed).". If I >> run the exact same code in a winforms applicaitno, the calls work >> fine. I am pretty sure I am hitting a threading problem here (see >> note below), but cant seem to figure it out >> >> Thanks in advance for any ideas or advice >> >> -Robert >> >> p.s. I have found a similar discussion on >> http://www.dotnetmonster.com/Uwe/Forum.aspx/dotnet-interop/1590/Inval >> idCastException-Using-AzMan-from-ASP-NET, but no resolution >> To duplicate the problem, all you have to do is try to share an an open
application context accross threads. I cannot post the original source , but you can do this. Create a web application, in the global.asax application on starte, initialize a store and open an application. In the session on start, initialize a user context and store it the Application collection or the Session collection. If you access it via the Session collection, it will work most of the time, if you store it in the application collection it will work some of the time. In my case the interface is hosted inside a service that is available via remoting, and it only works the first time. The problem appears to be that there is more than one type of client context , and AuthZ does not always return the type that you created, or at least the interface is not aggregrated correctly. I fixed it by querying the object for its type each time I want to invoke something off of ot and then using InvokeMember instead of the Interop bound methods. A snippet of the code for client context looks like this , using this method, it always works and works no matter which thread creates it or calls it (ergo it is MTA, just does not have quite all the plumbing ): internal class AzContext { object _Context = null; System.Type _Type = null; internal AzContext(object Context) { _Context = Context; _Type = Context.GetType(); } internal object[] AccessCheck(ref string AuditID, ref object[] Scopes, ref object[] OperationIDs, ref object[] ParamaterNames, ref object[] ParamaterValues) { object [] oParms = new Object[8]{AuditID, Scopes, OperationIDs, ParamaterNames, ParamaterValues, null,null,null}; return (object[]) _Type.InvokeMember("AccessCheck",BindingFlags.InvokeMethod,null,_Context,oParms,null, null,null); } internal object[] GetRoles() { object [] oParms = new Object[1]{""}; return (object[]) _Type.InvokeMember("GetRoles",BindingFlags.InvokeMethod,null,_Context,oParms,null, null,null); } } Show quoteHide quote "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:278825632495295403773760@news.microsoft.com... > Hello Robert, > > do you want to post the code that did not work - and how you got it > working...i still can't believe that just using late binding solves the > problem... > > thanks > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > >> In case any of you are interested, the AzMan object is not actually >> STA, it is a decent MTA object (not speedy but it works), it appears >> to incorrectly aggregrate the free-threaded marshaller. I got a hint >> for this by reading at http://support.microsoft.com/kb/313510/EN-US/ . >> Since the aggregration is a function of early binding, I wrote a late >> bound wrapper for all of the functions I needed and it appears to work >> ok. Not done with any real scaleability testing yet, but it does >> correctly keep user az client context accross threads. >> >> "Robert Ginsburg" <robert.ginsb***@ver3.com> wrote in message >> news:%23Kx6Z%23dOFHA.3444@tk2msftngp13.phx.gbl... >> >>> I cannot find a newgroup dedicated to AzMan so if anyone has any >>> ideas on where else to go, I would appreciate the recomendation. On >>> to my problem, I have built a windows service that makes decisions >>> based on AzMan roles and operations. Client requests come in over >>> .NET remoting. I am having problems with the authorization manager >>> store and application objects. If I create the store and open the >>> application for every request, it all works. However I would like to >>> open the store object and the application when the service cranks up >>> and use those objects to open client contexts (sounds like it would >>> perform better, but to date it just breaks) . When I try to do this, >>> I almost always get an interop error the error is >>> "InvalidCastException calling any method on the IAzApplication. >>> (System.InvalidCastException: QueryInterface for interface >>> Microsoft.Interop.Security.AzRoles.IAzApplication failed).". If I >>> run the exact same code in a winforms applicaitno, the calls work >>> fine. I am pretty sure I am hitting a threading problem here (see >>> note below), but cant seem to figure it out >>> >>> Thanks in advance for any ideas or advice >>> >>> -Robert >>> >>> p.s. I have found a similar discussion on >>> http://www.dotnetmonster.com/Uwe/Forum.aspx/dotnet-interop/1590/Inval >>> idCastException-Using-AzMan-from-ASP-NET, but no resolution >>> > > > 
Other interesting topics
How to run aspnet with system account
web application can not access event log Difference between VS2003 / VS20005 causes CRYPTO BAD DATA excepti Cannot Run Application on Windows Server 2003 Cannot run program from network drive Changing folder security User's Privileges ?cannot be instantiated under a partially trusted security policy (AllowPartiallyTrustedCallersAttri Forms authentication to enter a static website Custom Authentication |
|||||||||||||||||||||||
