ASP .NET and OCS Security

  • Question


    With the following configuration:


    Box 1: Speech Server

    Win2k3 SP3

    SS2k7

    IIS running the Workflow application locally (created by copying the web files to Inetpub\wwwroot, then creating an application inside the SS Console).

    Application Pool running under a Local User "ocsServiceUser", not the default Network Service identity.

    IIS Web Site/Application is running under Integrated Security.

    Web.config

    Impersonation = True

    Connection String is using Integrated Security.


    Box 2: SQL Server

    Win2k3 SP1

    SQL 2k5

    Has mirrored Local account "ocsServiceUser" that is running the Application Pool on box 1.

    Local user "ocsServiceUser" is a member of the NT Group that has permission to the Database.


    Problem:


    Unless the Local User which runs the Application Pool (ocsServiceUser) on the Speech Server is a member of the Administrators group, the application does not work (see error below).  If there is another suggested way to set up the users/impersonation, etc., I'd like to know.


    When running all by default (Network Service runs the Application Pool on box 1), Speech Server is able to write files on box 2 (per this suggestion) but is unable to connect to SQL on box 2 unless the connection string contains a SQL user, which we'd like not to do.


    --------

    Error from OCS SS 2007 when a Local User is running the application pools in IIS but IS NOT a member of the administrators group.


    Event Type: Warning
    Event Source: Office Communications Server 2007 Speech Server
    Event Category: Telephony Application Proxy
    Event ID: 28676
    Date:  11/27/2007
    Time:  5:09:21 PM
    User:  N/A
    Computer: S01
    Description:
    The Telephony Application Proxy declined a call with Call Id '20DA17C4-9C8411DC-A5BAEB58-B90D5EAF@192.168.10.252' from '' for application 'Mobile' at URL 'http://localhost/Mobile/MobileWorkflow/MobileWorkflow.speax' for the following reason: 'Microsoft Office Communications Server 2007 Speech Server is inaccessible for the following reason: Remoting call invoked by invalid user S01\ocsServiceUser  (expected Network Service, Local System, Personal Self, ASPNET, or a member of the Administrators group).  Ensure that the IIS Application Pool for this application is correctly configured with a valid user'.  
    Further trace information for support personnel follows:
    System.Web.HttpException: Microsoft Office Communications Server 2007 Speech Server is inaccessible for the following reason: Remoting call invoked by invalid user S01\ocsServiceUser (expected Network Service, Local System, Personal Self, ASPNET, or a member of the Administrators group).  Ensure that the IIS Application Pool for this application is correctly configured with a valid user ---> System.Runtime.Remoting.RemotingException: Remoting call invoked by invalid user S01\ocsServiceUser (expected Network Service, Local System, Personal Self, ASPNET, or a member of the Administrators group)

    Server stack trace:
       at Microsoft.SpeechServer.Common.RemotingInfrastructure.ValidateAuthenticatedIdentity(IdentityValidDelegate identityIsValid, String validIdentityDescription)
       at Microsoft.SpeechServer.Common.RemotingInfrastructure.ValidateAuthenticatedIdentityWorker()
       at Microsoft.SpeechServer.MssService.BrokerManager.RegisterTah(Guid id, Int32 pid)
       at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
       at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
       at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.SpeechServer.Core.TahBroker.RegisterTahDelegate.EndInvoke(IAsyncResult result)
       at Microsoft.SpeechServer.Core.TahBroker.ConnectToMss()
       --- End of inner exception stack trace ---
       at Microsoft.SpeechServer.Core.TahBroker.ConnectToMss()
       at Microsoft.SpeechServer.Core.ApplicationFactory.ValidateRequest(HttpRequest request, String requestType)
       at Microsoft.SpeechServer.Core.ApplicationFactory.System.Web.IHttpHandlerFactory.GetHandler(HttpContext context, String requestType, String url, String pathTranslated)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Thanks,

    Dan Foxley

    Wednesday, November 21, 2007 3:52 AM
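The web.config the question describes (Windows authentication, impersonation turned on, and a connection string that uses integrated security rather than a SQL login) looks like the fragment below. This is an added illustration of that configuration, not a file from the original post; the server name SQLBOX and database name OcsData are placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Placeholder server and database names. Integrated Security=SSPI means the
         Windows token on the request thread is presented to SQL Server; no SQL
         login or password is stored in the file. -->
    <add name="OcsDb"
         connectionString="Data Source=SQLBOX;Initial Catalog=OcsData;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Matches the IIS site setting of Integrated Windows authentication. -->
    <authentication mode="Windows" />
    <!-- With impersonate="true" the request thread runs as the identity IIS
         authenticated for the request, not as the application pool identity.
         That impersonated token, not ocsServiceUser, is what reaches SQL Server. -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```

Two points follow from this layout. First, mirrored local accounts (same user name and same password on both machines) work across non-domain boxes because NTLM authenticates the incoming credentials against the matching local account on the target; if the passwords drift apart, the SQL connection fails with a login error even though nothing in web.config changed. Second, the identity that has to be mirrored is whichever one actually arrives at SQL Server: the application pool identity when impersonation is off, or the authenticated caller when impersonation is on. Running `SELECT SUSER_SNAME()` through the application's own connection is a quick way to confirm which identity is being presented before granting it any rights.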

All replies

  • I am having a hard time with your request; can I get some more information?


    1.) Provide a description of what your application is doing. (You have a speech application that is trying to call a remote SQL 2005 database, etc.)


    2.) Any specific reason why you want to use impersonation? Is this a requirement?


    3.) Provide an explanation of what you are trying to accomplish; I see the error message, but without knowing what you are trying to achieve I am unsure what direction to take you in.


    Keith Kabza
    keith@visualgov.com


    Thursday, November 29, 2007 7:07 PM