DCOM connection to service

From: "Zachary Turner" <zturner@bindview.com>
Date: Mon, 20 May 2002 10:21:07 -0500


Hi, I've got a client app trying to connect to a DCOM service I wrote that
lives on a remote box. This is happening between two Windows 2000 machines.
Everything used to work fine, and now I get the error RPC_S_SEC_PKG_ERROR
0x80070721 (A Security Package Specific Error has occurred) as soon as I try
to call a method on the object. Creating the object, setting the security
blanket, etc. works fine. I've found a few workarounds, all of which provide
information as to what might be the problem. I'm hoping someone might be
able to give me more ideas on how to get to the root of the problem, since
we haven't changed the code.

1) On the *client* machine, using DCOMCNFG to change the Authentication
Level from Connect to None fixes the problem.
2) On the server, changing the service to run under the account of a
distinguished user, rather than LocalSystem, fixes the problem.
3) In the code, hardcoding the authentication service to be NTLM fixes the
problem. I've tried every other authentication service that there is.
Snego, default, Kerberos, etc. All of them fail with the same error. The
only time it works is when I hardcode NTLM.

Unfortunately none of these are acceptable. We really need to get to the
root of the problem and figure out what is going on. Here's a bit more
information:
1) If I open up Internet Services Manager on the client, and try to connect
to the IIS on the server, IIS reports the exact same error and IIS fails to
connect to the server. So it's pretty clear that one of our machines is
configured incorrectly.
2) I can install the client on any machine in the domain, and try to connect
to the server, and they all fail. So the problem seems to be either
specific to the one server, or to the whole domain.

It almost seems like Kerberos is configured incorrectly. Because Snego and
Default will both choose Kerberos, won't they? I don't really know enough
about W2k security to be able to know what to even look at, but it really
seems like we have a misconfigured Kerberos, since IIS doesn't even work.

Any ideas greatly appreciated.

Thanks
Zachary Turner
zturner@bindview.com


