IIS, Impersonation and COM Interop Premission Denied

Question

Hello we are in the throws of integrating a Document Management System with Dynamic CRM 4, have done similar things previously but in this instance we are having to reference a COM dll. We've configured the asp.net page (we are bringing the info in via a i-Frame in CRM), setting Impersonation = True in the Webconfig and ensured that Windows authentication is the only method available within IIS.

All works as we would expect when logged into the server itself and the page happily does off finds all the relevant documents for the CRM account and presents them to a user in a nice Infragistics CRM styled grid. However trying this from a client workstation we get the following:

System.Runtime.InteropServices.COMException (0xC0042335): Permission denied.

Impersonation appears to be passing over the correct details but nothing we've tried thus far has been able to make this work outside of logging into the server. Any thoughts as to what we are missing?

Answer 1

This could be a multi-hop Kerberos issue. Does the document management system exist on another physical server? If so, you probably need to enable Delegation on the computer account in Active Directory, assuming you installed CRM using the default settings (Network Service running the App Pool). Impersonation is different than Delegation - impersonation only works when accessing resources on the local server. If you are accessing resources on another server on behalf of a user, you need to also enable Delegation. Here is a link showing you how:

http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html

Once you make these changes, have your AD administrator force a replication, then log out and back in to your workstation to refresh your Kerberos ticket cache.