Remoting security with IIS and custom Forms authentication

dotnet framework


  • 1. Remoting and scalability
    I'm investigating various methods of doing a scalable middle tier in .NET. Our current requirements are to handle 300 - 1000 concurrent clients. We are currently re-engineering some of our 2 tiered application architecture to be 3-tiered. What I am looking for is either input or pointers to white papers, etc. on the best methods for creating a scalable middle tier using .NET. Remoting seems like an option, as does COM+/EnterpriseServices. The client will have a .NET interface library so that's not an issue. Our biggest concern is performance. The application handles medical office workflow and each of the user's are relatively "busy". Currently, with the 2 tier architecture all I can measure are SQL Server batches per second which are currently around 72 queries/second, but we'll need to be supporting the equivalent of 250+ batches/second in the near future. I'm assuming that .NET framework 2.0 / VS.NET 2005 has some good performance improvements for scenarios like this. If you have any insight into this as well, I'm more than happy to hear it :) Thanks, Mike
  • 2. Forging responses on intercepted call.
    I've implemented a custom RealProxy for an object I want to test. I'm using a proxy because I want to log what calls are made to this object. Using the example in MSDN on RealProxy, I can easily log what is passed to the objects but here's the sticking point. I don't want to actuall call the object in question, I'd like to return a 'forged' return message. Any suggestion as to how I'd do this? Cheers, Jack
  • 3. Singleton object - both in "classical" interpretation and remo
    "Robert Jordan" wrote: > Omit the RegisterWellKnownServiceType call and create the > object instance yourself: Thank you for help, it works.

Remoting security with IIS and custom Forms authentication

Postby miha.valencic » Fri, 11 Nov 2005 07:08:26 GMT


What are the options for securing remote objects, which are accessible
through IIS, when you have an application deployed on the same server,
which uses custom Forms authentication?

Server hosts app a, which is configured as: authentication:Forms,
authorization: deny users="?".

Now, for Remoting to work, I had to specify that the remoting URI
(RemotableObject.rem) requires no authorization, so IIS let the request
through. Since this object return reference to another object, IIS
(ASP.NET) creates a temporary link to this remote object, which of
course can not be known in advance and the request thus fails. The URI
is, for instance like this:

Two questions:
1) how to configure IIS (ASP.NET application) to let the remoting
requests through
2) how to configure IIS (and remoting app) to be secure? (once the
requests will go through).

I guess that one can not mix windows authentication for remoting and
custom forms authentication for "regular" application.

And the two ( app & remoting objects) have to be deployed within
the same application, since remoting object is used to expose some of
the application functionality.

Pointers appreciated.


Re: Remoting security with IIS and custom Forms authentication

Postby miha.valencic » Fri, 11 Nov 2005 07:13:02 GMT

	The HTTP channel uses the authentication features provided by IIS and
ASP.NET, although Passport and Forms authentication is not supported.

I guess I am trying to have a secure remoting app within an application
which uses Forms authentication, which is not supported -- but I reckon
there has to be a workarround?

Similar Threads:

1.Remoting authentication without IIS

2.Authentication and security in .NET Remoting


I have a remotable object hosted in a server outside IIS. This way I
can't rely on IIS for security.

I need to have authentication and encryption of data in this
communication cliente-server communication.

My questions:

- is it possible to authenticate users against my own user database? Or
I have to use Windows/AD database?

- Is there any document, sample, advice, for this situation?

Thanks in advance,


3.IIS Integrated Windows authentication and SQL Integrated security

4.Remoting is hanging from Custom to IIS Host swap

I had a perfectly working remoting host working out of a console
environment. As soon as it was finished i planned to move it over to
my Hosting service which required me to use IIS.
The host still works but seems to crash when more and more traffic
seems to accumulate, it worked perfectly on a custom HOST....what can
i do to see what is causing it or any suggestions or things to add in
code that might make my application more IIS friendly?


5.Can't get Custom Authentication Sink to work in IIS

I have IIS directory security set to Integrated Windows authentication.
Whenever I call a method on my remote object I get an error - "The remote
server returned an error (401) Unauthorized"

This is happening before my sink is being called so I can't authenticate.

How do I go about configuring IIS so my sink is called? If I use the normal
Anonymous security my sink is called.


6. Custom authentication for Remoting applications

7. Remoting and custom authentication

8. Need a Custom Compressor for Remoting/IIS

Return to dotnet framework


Who is online

Users browsing this forum: No registered users and 51 guest