Re: ORA 12203 with IIS ASP.NET application

From: Neurowiz <neurowiz_at_hotmail.com>
Date: 10 May 2002 12:13:24 -0700
Message-ID: <d3385204.0205101113.720958d6_at_posting.google.com>


A follow-up to the message I posted yesterday. I did some research and spent 90 minutes on the phone with some good techs at Microsoft and found the answer.

The issue seems to lie with the security user context that the Aspnet_wp.exe worker process runs in. When I would watch the activity on my proxy server when running the Oracle application, I would see a user named ASPNET from my machine attempt to hit the proxy - which of course refused it since ASPNET is not a valid domain account.

This link explains more about IIS and ASP.NET security: http://www.msdnaa.net/interchange/preview.asp?PeerID=1288

Armed with that info, Microsoft and I finally hit upon the following workaround:

1. Open your machine.config file and find the following tag:

        <identity impersonate="false" userName="" password=""/>

   Change it to:

        <identity impersonate="true" userName="" password=""/>

(See the previously mentioned article to understand what that does... it basically sets up the aspnet worker process to change its security context from default to what IIS tells it to do.)

2. In the machine.config, find the following tag:

        <processModel

There will probably be quite a number of attributes for that tag; the one we are interested in is:

                        userName="machine"

The machine.config file explains:

   userName="[user]" - Windows user to run the process as.
       Special users: "SYSTEM": run as localsystem (high privilege admin) account.
                      "machine": run as low privilege user account named "ASPNET".
       Other users: If domain is not specified, current machine name is assumed
                    to be the domain name.

Change this attribute to:

                        userName="system"

3. Make sure all instances of VS.NET are closed and from Start/Run, run "iisreset"

That's basically all there is to it. Because the ASPNET user account is not a domain account, the Proxy server doesn't recognize it. Setting the IIS Anonymous user doesn't seem to work either. When the process is set to System, it would appear that System has enough privileges through NT Authentication to allow it to use the Proxy.

Microsoft is supposed to follow up with a more detailed explanation to me; as soon as I get it, I'll post it here. I hope this helps someone!

Regards,
N

neurowiz_at_hotmail.com (Neurowiz) wrote in message news:<d3385204.0205090727.58868639_at_posting.google.com>...
> I have a strange problem that I'm hoping someone else has run into and
> can help me resolve.
>
> Client application: ASP.NET application deployed to IIS. Windows 2000
> Professional SP2. Oracle Client installed - connectivity to target
> server verified via connection by SQL*Net.
>
> Client network: Firewalled/Proxied through MS Proxy v. 2.0
>
> Target server: Oracle 8 on Linux
>
> Symptoms: Using the Visual Studio.NET tools or through a Windows Forms
> application, I can successfully connect and get data from the Oracle
> server. When I run the Web application, I get an ORA-12203 error. When
> I put the workstation outside of the Proxy Server, connection works.
>
> I've read several messages that comment on how to set up an NT server
> with SQL*Net Proxy or setting USE_SHARED_SOCKET - but my situation
> seems to be client based. Can I specify a given port to always be
> used by the connection after the initial handshake on 1521 so I can
> dig a hole through the firewall? And why is it that the problem only
> shows up when I'm using a Web/IIS ASP.NET application? Any tools that
> might help me to debug what is happening at the Oracle client level?
>
> Thanks!
> Regards,
> N
Received on Fri May 10 2002 - 21:13:24 CEST
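
An added example, not part of the original post: a Python check that reads a machine.config and reports the two settings the workaround changes, flagging userName="system" because the file's own comment describes that account as localsystem (high privilege admin). The function name, severity labels and the two embedded fragments are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: trimmed machine.config with the post's workaround applied.
SAMPLE_WORKAROUND = """<configuration><system.web>
  <identity impersonate="true" userName="" password=""/>
  <processModel userName="system"/>
</system.web></configuration>"""

# Constructed sample: the same fragment with the values the post started from.
SAMPLE_DEFAULT = """<configuration><system.web>
  <identity impersonate="false" userName="" password=""/>
  <processModel userName="machine"/>
</system.web></configuration>"""


def audit_config(xml_data):
    """Return (severity, element, message) tuples for worker identity settings."""
    findings = []
    root = ET.fromstring(xml_data)
    for pm in root.iter("processModel"):
        # Assumption: the value is matched case-insensitively, since the
        # file's comment writes "SYSTEM" and the post sets "system".
        user = (pm.get("userName") or "").strip().lower()
        if not user:
            continue  # attribute absent or empty: nothing to report
        if user == "system":
            findings.append(("HIGH", "processModel",
                             "worker process runs as localsystem (high privilege admin)"))
        elif user != "machine":
            findings.append(("INFO", "processModel",
                             "worker process runs as custom account %r" % user))
    for ident in root.iter("identity"):
        if (ident.get("impersonate") or "false").strip().lower() == "true":
            who = ident.get("userName") or "the identity IIS supplies"
            findings.append(("INFO", "identity",
                             "impersonation on: requests run as " + who))
    return findings


if __name__ == "__main__":
    # Pass the path of a machine.config, or run with no argument for the sample.
    # Read as bytes so an XML encoding declaration in a real file is honoured.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WORKAROUND
    for severity, element, message in audit_config(data):
        print("[%s] <%s> %s" % (severity, element, message))
```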
