RE: IAzClientContext AccessCheck returns 0x80070057
From: Denis (Denis_at_discussions.microsoft.com)
Date: 06/21/04
- In reply to: Eric Slesar [MS]: "RE: IAzClientContext AccessCheck returns 0x80070057"
Date: Mon, 21 Jun 2004 14:50:01 -0700
Thanks for testing it out for me.
Yes, I did make the CoInitializeEx call.
Were you testing on Win2K3?
Denis
"Eric Slesar [MS]" wrote:
> I have tried this with your store, and I still can't reproduce your problem. I am able to get a successful ("access denied") access check.
>
> The only things I have changed from your code were to add the COM initialization call:
>
> hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
>
> and to change the string literals for the assignments to your string variables domainName and memberName to correspond to my domain and username.
>
> I am assuming you're making the call to CoInitializeEx in your code? It isn't in the code you posted.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of any included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "Denis" wrote:
>
> > Hi Eric,
> >
> > Thanks for responding to my question. Here is the text version of the xml store.
> >
> > Would that be because I am using the W2K Authorization Manager Runtime (on a Win2K machine), instead of W2k3? My VB client is fine.
> >
> > <?xml version="1.0" encoding="utf-8"?>
> > <AzAdminManager MajorVersion="1" MinorVersion="0">
> >   <AzApplication Guid="14167730-07f9-4b2a-98d9-be88490fc223" Name="app1">
> >     <AzOperation Guid="bdcf4b1b-c9d1-4ade-9557-1e4d3157eef3" Name="op1" Description="this is operation 1">
> >       <OperationID>1</OperationID>
> >     </AzOperation>
> >     <AzTask Guid="75122cfe-b5c1-4a4b-b6c9-fc1e9c0434b2" Name="task1"/>
> >     <AzRole Guid="20fe32e8-6944-4780-8813-ba0307505395" Name="role1" Description="this is role 1">
> >       <OperationLink>bdcf4b1b-c9d1-4ade-9557-1e4d3157eef3</OperationLink>
> >       <Member>S-1-5-21-1659004503-1177238915-682003330-1002</Member>
> >     </AzRole>
> >   </AzApplication>
> > </AzAdminManager>
> >
> > Denis
> >
> > "Eric Slesar [MS]" wrote:
> >
> > > Hi Denis.
> > >
> > > I can not reproduce your error. When I run your code, I get a successful access check.
> > >
> > > Could you send me a text representation of your XML authorization store?
> > >
> > > Thanks.
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Use of any included script samples are subject to the terms specified at
> > > http://www.microsoft.com/info/cpyright.htm
> > >
> > >
> > > "Denis" wrote:
> > >
> > > > Hi,
> > > >
> > > > I have been trying to use (in C++) the MS Authorization Manager API
> > > > to create an authorization store (an xml file), and then to verify
> > > > client access on a particular operation.
> > > >
> > > > So far, I have created the store (roles, tasks (without any
> > > > bizrules), and operations) successfully. I have also successfully
> > > > called InitializeClientContextFromName to create a client context from
> > > > the client's domain and name. However, when I called AccessCheck, I
> > > > got 0x80070057 (the parameter is incorrect) error.
> > > >
> > > > I followed the example on
> > > > "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/verifying_client_access_to_a_requested_resource_in_c__.asp"
> > > > exactly, and still got the same error.
> > > >
> > > > However, when I use VB to access and verify the store, I got no
> > > > error. It returns me the correct result.
> > > >
> > > > I suspect it's the 3rd parameter (operation id array) that I passed
> > > > to VC API is invalid, but couldn't figure out why and how to solve it.
> > > >
> > > > Can someone help me take a look at the following code? Thanks.
> > > >
> > > > Here is the code:
> > > >
> > > > IAzAuthorizationStore* pStore = NULL;
> > > > IAzApplication* pApp = NULL;
> > > > IAzClientContext* pClientContext = NULL;
> > > > IAzOperation* pOperation = NULL;
> > > > BSTR storeName = NULL;
> > > > BSTR appName = NULL;
> > > > BSTR operationName = NULL;
> > > > BSTR objectName = NULL;
> > > > LONG operationID;
> > > > HRESULT hr;
> > > > VARIANT varOperationIdArray;
> > > > VARIANT varOperationId;
> > > > VARIANT varResultsArray;
> > > > VARIANT varResult;
> > > >
> > > > VARIANT myVar;
> > > > VariantInit(&myVar);//.vt) = VT_NULL;
> > > >
> > > > // Create the AzAuthorizationStore object.
> > > > hr = CoCreateInstance(
> > > >     __uuidof(AzAuthorizationStore) /*"b2bcff59-a757-4b0b-a1bc-ea69981da69e"*/,
> > > >     NULL,
> > > >     CLSCTX_ALL,
> > > >     __uuidof(IAzAuthorizationStore) /*"edbd9ca9-9b82-4f6a-9e8b-98301e450f14"*/,
> > > >     (void**)&pStore);
> > > > if (!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > // Allocate a string for the policy store.
> > > > if(!(storeName = SysAllocString(L"msxml://c:\\myStore.xml")))
> > > >     return 0;
> > > >
> > > > // Initialize the store.
> > > > hr = pStore->Initialize(0, storeName, myVar);
> > > > if (!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > // Create an application object.
> > > > if (!(appName = SysAllocString(L"App1")))
> > > >     return 0;
> > > > hr = pStore->OpenApplication(appName, myVar, &pApp);
> > > > if (!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > CString domainName ( "testdomain" );
> > > > BSTR bsDomainName = domainName.AllocSysString();
> > > > CString memberName ( "testmember" );
> > > > BSTR bsMemberName = memberName.AllocSysString();
> > > >
> > > > hr = pApp->InitializeClientContextFromName ( bsMemberName,
> > > >     bsDomainName,
> > > >     myVar, &pClientContext );
> > > > if (!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > if (!(operationName = SysAllocString(L"op1")))
> > > >     return 0;
> > > >
> > > > hr = pApp->OpenOperation(operationName, myVar, &pOperation);
> > > > if (!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > hr = pOperation->get_OperationID(&operationID);
> > > > if(!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > varOperationIdArray.parray = SafeArrayCreateVector(VT_VARIANT, 0, 1);
> > > > varOperationIdArray.vt = VT_ARRAY | VT_VARIANT;
> > > >
> > > > LONG* index = new LONG[1];
> > > > index[0] = 0;
> > > >
> > > > varOperationId.vt = VT_I4;
> > > > varOperationId.lVal = operationID;
> > > >
> > > > hr = SafeArrayPutElement(varOperationIdArray.parray, index,
> > > >     &varOperationId);
> > > > if(!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > if(!(objectName = SysAllocString(L"Op1"))) // used for audit
> > > >     return 0;
> > > >
> > > > hr = pClientContext->AccessCheck(
> > > >     objectName,
> > > >     myVar,
> > > >     varOperationIdArray,
> > > >     myVar, // use default application scope
> > > >     myVar,
> > > >     myVar,
> > > >     myVar,
> > > >     myVar,
> > > >     &varResultsArray);
> > > >
> > > > if ( FAILED(hr) )
> > > > {
> > > >     printf ( "Failed (0x%x) to Perform Access Check on Operation (name: Op1) "
> > > >         "for Member (%s\\%s).\n", hr, domainName, memberName );
> > > > }
> > > >
> > > > hr = SafeArrayGetElement(varResultsArray.parray, index, &varResult);
> > > > if (!(SUCCEEDED(hr)))
> > > >     return 0;
> > > >
> > > > if (varResult.lVal == 0)
> > > >     printf("Access granted.\n");
> > > > else
> > > >     printf("Access denied.\n");
> > > >
> > > > Denis
> > > >
> > > >
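
Added example (not part of the original thread, and not the poster's or Microsoft's code): a Python check that reads the XML store as posted above and resolves which member SIDs are linked to which operation IDs, flagging any OperationLink GUID that matches no operation. It assumes only the element names visible in that XML and models direct role membership and direct operation links; tasks, groups, scopes and BizRules are not evaluated, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The store as posted in the thread, line-broken for readability only.
STORE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<AzAdminManager MajorVersion="1" MinorVersion="0">
<AzApplication Guid="14167730-07f9-4b2a-98d9-be88490fc223" Name="app1">
<AzOperation Guid="bdcf4b1b-c9d1-4ade-9557-1e4d3157eef3" Name="op1" Description="this is operation 1">
<OperationID>1</OperationID></AzOperation>
<AzTask Guid="75122cfe-b5c1-4a4b-b6c9-fc1e9c0434b2" Name="task1"/>
<AzRole Guid="20fe32e8-6944-4780-8813-ba0307505395" Name="role1" Description="this is role 1">
<OperationLink>bdcf4b1b-c9d1-4ade-9557-1e4d3157eef3</OperationLink>
<Member>S-1-5-21-1659004503-1177238915-682003330-1002</Member></AzRole>
</AzApplication></AzAdminManager>"""


def audit_store(xml_bytes):
    """Map (app, role) -> members and operation IDs; collect store problems."""
    grants, problems = {}, []
    for app in ET.fromstring(xml_bytes).iter("AzApplication"):
        app_name, op_ids = app.get("Name"), {}
        for op in app.findall("AzOperation"):
            text = op.findtext("OperationID")
            if text is None or not text.strip().isdigit():
                problems.append(f"{app_name}/{op.get('Name')}: missing or non-numeric OperationID")
                continue
            op_ids[op.get("Guid", "").lower()] = int(text)
        for role in app.findall("AzRole"):
            where, linked = f"{app_name}/{role.get('Name')}", []
            for link in role.findall("OperationLink"):
                guid = (link.text or "").strip().lower()
                if guid in op_ids:
                    linked.append(op_ids[guid])
                else:
                    problems.append(f"{where}: OperationLink {guid} matches no AzOperation")
            members = [(m.text or "").strip() for m in role.findall("Member")]
            grants[(app_name, role.get("Name"))] = {"members": members, "operation_ids": linked}
    return grants, problems


def sid_linked_to_operation(xml_bytes, app_name, sid, operation_id):
    """True if some role in app_name lists sid as a Member and links operation_id.
    Names are compared exactly as written in the store (assumption of this sketch)."""
    grants, _ = audit_store(xml_bytes)
    return any(app == app_name and sid in g["members"] and operation_id in g["operation_ids"]
               for (app, _role), g in grants.items())


if __name__ == "__main__":
    print(audit_store(STORE_XML))
```
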