DCOM Configuration (optional)

DCOM Configuration is optional for most Web Connection applications, and unless you have a specific need for DCOM permissions, we recommend you don't mess with DCOMCnfg and DCOM related configuration.

Our Recommendation: Use Launching User Passthrough Security for DCOM

Our recommendation for COM server security is to use passthrough security, which is its default configuration setting. The default DCOM Impersonation setting is The Launching User.

In this scenario the DCOM server inherits the security context of the host application, which in a Web application running inside of IIS is an IIS Application Pool or one instance of a w3wp.exe process.

Configuring IIS Application Pool Security

To configure security in an IIS Application, open the IIS Manager, select Application Pools and then select the application pool your application is running under, such as West Wind Web Connection. Open Advanced Settings from the right side menu and then find the Identity key, which brings up a dialog that lets you select a user:

By default a new IIS Application uses the very low rights ApplicationPoolIdentity account which generates a temporary non-configurable account. Do not use this account as it will not be able to launch COM servers. Choose an account that has adequate rights to access resources on this machine and any network resources you might need. For local only machines you can use LocalSystem or Network Service (lower rights and has to be explicitly configured) or use any custom account. Just make sure you add permissions for any account you add to the application folder and also web.config to allow updating of settings.
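The checks described above can be scripted. The following is an added example, not part of the original topic or of Web Connection: it reports the account an application pool runs as and whether that account has a direct grant on the paths you pass in. It assumes the IIS WebAdministration module and an elevated prompt, the parameter names are hypothetical, and testing for Modify rights is an assumption about what "permissions" should mean here.

```powershell
# Added example (not West Wind code). Run elevated on the IIS machine.
param(
    [string]$PoolName = 'West Wind Web Connection',   # pool name used as the example in this topic
    [Parameter(Mandatory)][string[]]$Paths            # your application folder and web.config (site-specific)
)
Import-Module WebAdministration

$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel

# Map the pool's identityType to the Windows account the w3wp.exe process runs as.
$account = switch ($pm.identityType) {
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'SpecificUser'            { $pm.userName }
    'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }
}
"Pool '$PoolName' runs as: $account ($($pm.identityType))"

if ($pm.identityType -eq 'ApplicationPoolIdentity') {
    Write-Warning 'ApplicationPoolIdentity will not be able to launch COM servers; choose another identity.'
}

# Compare by SID so that "MACHINE\user" and "user" spellings of the same account match.
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
$modify = [System.Security.AccessControl.FileSystemRights]::Modify   # assumed required level

foreach ($path in $Paths) {
    if (-not (Test-Path $path)) { Write-Warning "Missing: $path"; continue }
    $rules = (Get-Acl $path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Only direct grants to the account are checked; access through group membership is not resolved.
    $granted = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    if ($granted) { "OK  $path" }
    else { Write-Warning "No direct Modify grant for $account on $path" }
}
```

A warning for a path does not necessarily mean access is denied, because the account may receive rights through a group such as Users or Administrators.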

In almost all situations this is all you need - there's no need to use explicit DCOM Configuration on your server. If you don't need it - don't use it. It's one less thing to worry about.

Setting Explicit DCOM Permissions

Ok, so you decided you need explicit DCOM permissions. In some cases you may have to explicitly configure your EXE server for DCOM permissions. This is the case when the permissions on the machine disable DCOM security access, or when you need to use a different account for the Web server and the Web Connection server.

You can set DCOM permissions programmatically using some tools we provide or using the Windows DCOMCnfg utility.

Using DCOMCnfg

To do this you use the 32 bit DCOMCNFG utility in Windows.

Use the 32 Bit Version of DCOMCnfg!

Make sure you run the 32 bit version of the DCOMCnfg tool.

To use the 32 bit version, type the following into the Windows Run box:

MMC comexp.msc /32

DCOM Server Names

If you have multiple COM objects marked as OLEPUBLIC in your project it's possible that the name of this object will pop up instead of .Server.

  • Scroll through the list and find your server name, usually (.Server), or, if you used the Fox Project's server naming features, the name of the server.

  • Once you find your server select it and choose Properties

  • Go to the Identity Tab and set the Impersonation to the desired account

This sets the server to run through whatever account is currently logged on and makes it possible to have a visible Web Connection server on the desktop.

Essentially DCOM creates an Interactive Logon for the current user session and runs the COM Server in your current Windows desktop environment.

Non Interactive Accounts run invisibly

When you use an account other than Interactive User, Web Connection will run invisibly - there will be no server form showing on the desktop. The server also runs in a non-console session so it has no access to a desktop.


© West Wind Technologies, 1996-2018 • Updated: 08/15/18