user315690

Reputation: 13

IIS, Impersonation and COM Interop. Permission Denied

We are in the throes of integrating a Document Management System with Dynamics CRM 4. We have done similar things previously but in this instance we are having to reference a COM DLL.

We've configured the ASP.NET page (we are bringing the info in via an iFrame in CRM), setting Impersonation = True in the Web.config and ensured that Windows authentication is the only method available within IIS.

This all works as we would expect when logged into the server itself; the page happily goes off and finds all the relevant documents for the CRM account and presents them to a user in a nice Infragistics CRM styled grid. However, trying this from a client workstation we get the following:

System.Runtime.InteropServices.COMException (0xC0042335): Permission denied.

Impersonation appears to be passing over the correct details but nothing we've tried thus far has been able to make this work outside of logging into the server. Any thoughts as to what we are missing?

Upvotes: 1

Views: 807

Answers (1)

Josh Painter

Reputation: 4111

This could be a multi-hop Kerberos issue. Does the document management system exist on another physical server? If so, you probably need to enable Delegation on the computer account in Active Directory, assuming you installed CRM using the default settings (Network Service running the App Pool). Impersonation is different than Delegation - impersonation only works when accessing resources on the local server. If you are accessing resources on another server on behalf of a user, you need to also enable Delegation. Here is a link showing you how:

http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html

Once you make these changes, have your AD administrator force a replication, then log out and back in to your workstation to refresh your Kerberos ticket cache.

Upvotes: 1
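
A read-only check of the Active Directory delegation settings the answer above points to, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module is installed; `CRMWEB01` and `jdoe` are placeholder names and `Get-DelegationReadiness` is a hypothetical helper.

```powershell
# Added example (not from the original answer). Read-only; needs the RSAT
# ActiveDirectory module. 'CRMWEB01' and 'jdoe' are placeholder names.
Import-Module ActiveDirectory

function Get-DelegationReadiness {
    param(
        [Parameter(Mandatory)] [string] $WebServer,  # web server's computer account (used by Network Service)
        [Parameter(Mandatory)] [string] $TestUser    # a user who sees "Permission denied"
    )

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'ServicePrincipalName'
    $computer = Get-ADComputer -Identity $WebServer -Properties $props
    $user     = Get-ADUser -Identity $TestUser -Properties AccountNotDelegated

    # SPNs this computer account may delegate to (constrained delegation).
    $targets = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $mode = if ($computer.TrustedForDelegation) { 'Unconstrained' }
            elseif ($targets.Count -gt 0)       { 'Constrained' }
            else                                { 'None' }

    $finding = switch ($mode) {
        'None'          { 'No delegation: the web server cannot forward the user identity to a second server.' }
        'Unconstrained' { 'Delegation to any service is allowed; restrict it to the DMS service SPN where possible.' }
        'Constrained'   { 'Delegation is limited to the listed SPNs; confirm the DMS service is among them.' }
    }
    if ($user.AccountNotDelegated) {
        $finding = 'User is flagged "sensitive and cannot be delegated"; delegation fails for this user regardless of the server setting.'
    }

    [pscustomobject]@{
        WebServer          = $computer.Name
        DelegationMode     = $mode
        ProtocolTransition = [bool]$computer.TrustedToAuthForDelegation
        AllowedTargets     = $targets
        ServerSPNs         = @($computer.ServicePrincipalName)
        UserNotDelegable   = [bool]$user.AccountNotDelegated
        Finding            = $finding
    }
}

Get-DelegationReadiness -WebServer 'CRMWEB01' -TestUser 'jdoe' | Format-List
```

After any change to these attributes, running `klist purge` on the workstation clears the cached tickets without a full log off.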
