Server 2003 AD, security context APIs, "operations error" ??
- From: "Ollie Jones" <olliejones@xxxxxxxxx>
- Date: 29 Jun 2006 11:30:21 -0700
Hello Windows security experts,
I am having trouble bringing a legacy server into the world of Windows
Server 2003 domain controllers. I am probably doing something
wrongheaded.... any wisdom would be most welcome.
The server has a serviceConnectionPoint and some ExtendedRights, duly
loaded into the domain controller. The serviceConnectionPoint is
loaded as a child object of the Computer. The server impersonates the
client, loads the serviceConnectionPoint, then checks whether the
appropriate extended right has been granted. The server doesn't
actually need to DO anything except this check ("is this user
authorized to do this server function?") while impersonating the
client.
When I run this setup with a Windows 2000 domain controller it works.
But when I run it with a 2003 domain controller, it doesn't work.
Specifically, I'm calling ADsOpenObject to retrieve the
serviceConnectionPoint. I'm calling it from the thread impersonating
the client. The call works with a 2000 AD and fails with 2003 AD.
The failure code is 0x80072020, ERROR_DS_OPERATIONS_ERROR, "An
operations error occurred." What does this mean? How can I
troubleshoot it?
Here is the setup. All machines have plenty of RAM and disk space,
etc, and are on the same subnet.
My server is written in VC++ 6, with generic c++ rather than MFC. It's
running from a logged in user on an XP Pro machine; the user has local
administrator rights but is a generic domain user.
My client is a VC++ 6 / MFC ActiveX control. It is running (from a
tiny VB6 app) on a logged in user on a different XP Pro machine. The
client user doesn't have any special privileges. Client and server talk
TCP/IP to one another.
Both machines are members of the same Windows Server 2003 domain. The
domain controller is configured to allow legacy (NT 4) clients as well
as modern clients.
dsquery on both machines is capable of retrieving the
serviceConnectionPoint from the AD. dsquery runas the client user on
the server machine is also capable of retrieving it.
The server accepts a connection from the client, and does an NTLM (not
Kerberos) exchange (AcceptSecurityContext, etc) with the client.
It then impersonates the client, calls ADsOpenObject, and gets the
"operations error."
If I hack the code to skip the client impersonation call, ADsOpenObject
works fine.
Thanks for reading this far! Any help understanding this would be great.
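The post describes an authorization check that has two separable steps: the LDAP bind to the serviceConnectionPoint under the client's identity, and the extended-right check on that object's ACL. The script below is an added diagnostic (not code from the post or from the poster's server) that runs those two steps outside the server process, so a failure code such as the post's 0x80072020 can be attributed to the bind rather than to the ACL. It assumes you supply the SCP's distinguished name, a domain controller host name and a credential for the client user; the extended right's rightsGuid is a placeholder to be replaced with the value of the matching controlAccessRight object in your schema.

```powershell
<#
 Added diagnostic example, not from the original post.
 Step 1 binds to the SCP with the caller's own token, step 2 binds with the
 client user's explicit credentials, step 3 lists the ExtendedRight ACEs on
 the SCP. Inputs are assumptions: adjust $ScpDn, $DcHost and $RightsGuid.
#>
param(
    [Parameter(Mandatory)] [string]       $ScpDn,      # constructed sample: 'CN=MySvc,CN=SERVERPC,CN=Computers,DC=example,DC=com'
    [Parameter(Mandatory)] [string]       $DcHost,     # constructed sample: 'dc1.example.com'
    [Parameter(Mandatory)] [pscredential] $ClientCred, # the client user's credential
    [string] $RightsGuid = '00000000-0000-0000-0000-000000000000' # PLACEHOLDER: your right's rightsGuid
)

$path = "LDAP://$DcHost/$ScpDn"

function Test-ScpBind {
    <# Bind to the SCP with the current token ($Cred = $null) or with explicit
       credentials, force the read, and report success or the HRESULT. #>
    param([string]$Path, [pscredential]$Cred)
    try {
        if ($Cred) {
            $nc   = $Cred.GetNetworkCredential()
            $user = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }
            $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
            $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                                -ArgumentList $Path, $user, $nc.Password, $auth
        } else {
            $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $Path
        }
        $entry.RefreshCache()   # forces the actual LDAP bind and attribute read
        [pscustomobject]@{ Succeeded = $true;  HResult = '0x00000000'; Message = 'bind OK'; Entry = $entry }
    } catch {
        # A failure here (e.g. 0x80072020, ERROR_DS_OPERATIONS_ERROR, as in the post)
        # comes from the bind/read itself, before any rights check can run.
        $base = $_.Exception.GetBaseException()
        $code = if ($base -is [System.Runtime.InteropServices.COMException]) { $base.ErrorCode } else { $base.HResult }
        [pscustomobject]@{ Succeeded = $false; HResult = ('0x{0:X8}' -f $code); Message = $base.Message; Entry = $null }
    }
}

function Get-ScpExtendedRightAces {
    <# List every ACE on the SCP that allows or denies an extended right.
       An ACE whose ObjectType is the empty GUID covers ALL extended rights,
       so it is reported alongside ACEs naming $Guid specifically. #>
    param([System.DirectoryServices.DirectoryEntry]$Entry, [guid]$Guid)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            (($_.ActiveDirectoryRights -band $extended) -ne 0) -and
            ($_.ObjectType -eq $Guid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, AccessControlType, ObjectType, IsInherited
}

# 1. Bind with the token of whoever runs this script (the server's logon user).
$asSelf = Test-ScpBind -Path $path -Cred $null
"Bind as current user : $($asSelf.HResult) $($asSelf.Message)"

# 2. Bind with the client's explicit credentials: the identity the server's
#    impersonating thread is supposed to present to the DC.
$asClient = Test-ScpBind -Path $path -Cred $ClientCred
"Bind as client user  : $($asClient.HResult) $($asClient.Message)"

# 3. If either bind worked, show which ACEs on the SCP carry the extended right.
$entry = if ($asClient.Entry) { $asClient.Entry } else { $asSelf.Entry }
if ($entry) {
    Get-ScpExtendedRightAces -Entry $entry -Guid ([guid]$RightsGuid) | Format-Table -AutoSize
}
```

Run it on the server machine as the server's logon user, which is the context the post says dsquery already succeeds in. Step 2 uses real credentials rather than an impersonated token, so it shows whether the directory itself accepts the client identity and whether the ACL grants the right. If step 2 succeeds while the server's ADsOpenObject call under impersonation fails, the difference is in the token the thread holds, not in the directory data; a token obtained from an NTLM AcceptSecurityContext exchange is an impersonation-level token that cannot by itself authenticate the thread to another machine (the well-known double-hop limitation), which is worth ruling out before looking further at the SCP or the extended rights.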