DCOM hell with SP2, Only way out seems to be system wide anonymous login
From: George Mills (mswlogo_at_hotmail.com)
Date: 10/30/04
- Previous message: Juan: "Re: Power User"
- Next in thread: George Mills: "Re: DCOM hell with SP2, Only way out seems to be system wide anonymous login"
- Reply: George Mills: "Re: DCOM hell with SP2, Only way out seems to be system wide anonymous login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 29 Oct 2004 23:50:32 -0400
I have a DCOM application that needs to run between all combinations of
XP-SP1, XP-SP2, and Win2k
All was fine until XP-SP2.
We can get everything working if we add Remote Acess to Anonymous Login DCOM
Limits.
The Client is a Win32 desktop app. The server is an ATL COM Service.
I keep getting E_ACCESSDENIED on the CoCreateInstanceEX() on Client (when
Anonymous Login is disabled)
The ATL COM service also calls back on a Client Sink interface.
Everything is started manually on both Client and Server.
I want to enable the simplest (most portable) authetication.
Most customers run using an NT Domain. Some do not, And some cross domains.
Previously to XP-SP2 we used CoInitializeSecurity to shutdown all
authetication.
We are not worried about security risks through our applications.
But I don't want to open up the the new Computer wide ACL to Anonymous Login
to allow just our application to run.
I believe I am coming across the wire as anonymous and tried the suggestion
posted below to use NTLM authebtication.
But it still fails.
Note the service is running under the default "System" account.
What am I missing?
======================= OLD POST by someone else ===================
Hi...
To make the client-server communication to be non
anonymous, refer to the help on ::CoInitializeSecurity
function, it describes it pretty good.
Remember that ::CoInitializeSecurity must be called on
both the client and server.
It's some time since I tested it, since I decided to go
for the anonymous logon, but after searching some code I
think these examples will work for you.
--- Server Side ---
SOLE_AUTHENTICATION_SERVICE* pacAuth = new
SOLE_AUTHENTICATION_SERVICE;
pacAuth->dwAuthnSvc = RPC_C_AUTHN_WINNT;
pacAuth->dwAuthzSvc = RPC_C_AUTHZ_NAME;
pacAuth->pPrincipalName = NULL;
pacAuth->hr = S_OK;
::CoInitializeSecurity
(NULL,1,pacAuth,NULL,RPC_C_AUTHN_LEVEL_CONNECT,RPC_C_IMP_L
EVEL_IMPERSONATE,NULL,EOAC_NONE,NULL);
--- Client Side ---
::CoInitializeSecurity(NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL,
EOAC_NONE, NULL);
aiAuthInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
aiAuthInfo.dwAuthzSvc = RPC_C_AUTHZ_NAME;
aiAuthInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
aiAuthInfo.pwszServerPrincName = NULL;
aiAuthInfo.dwImpersonationLevel =
RPC_C_IMP_LEVEL_IMPERSONATE;
aiAuthInfo.pAuthIdentityData = NULL;
aiAuthInfo.dwCapabilities = 0;
siServerInfo.dwReserved1 = 0;
siServerInfo.pwszName = A2W("<Your servername>");
siServerInfo.pAuthInfo = &aiAuthInfo;
siServerInfo.dwReserved2 = 0;
mrmq[0].pIID = &<Your interface ID>;
mrmq[0].pItf = NULL;
mrmq[0].hr = 0;
::CoCreateInstanceEx(<Your classid>, NULL,
CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
&siServerInfo, 1, mrmq);
Regarding Workgroup security... To be able to run with
authenticated users the logins must (as you indicates) be
the same username and password on both the server and
client.
--Rune G
>-----Original Message-----
>Hi all,
>
>Let me say at first that SP2 is a lot of work for me so
far... Our
>application worked for NT4 and up and since SP2, there
is a lot the be
>configured to make it work. I have found the info to
configure XP SP2 for
>anonymous client-server authentication and it's working.
>
>Now I need to find a way not to use anonymous-logon to
make dcom work. Most
>of my clients are not on a domain, not even on a same
workgroup. Is there a
>way to make dcom use connect or something else, without
opening everything
>for anonymous.
>
>I tried different approach, but the server alway see the
client coming with
> NT AUTHORITY\ANONYMOUS LOGON SID ...
>
>Even if I set my client side for "connect".
>
>>From what I understand.
>1. On the client side, Dcom obtains a user name
>2. The server authenticate the user
>3. Is the user in the list
>4. Fail or accept
>
>So if I have on client-server(not a domain) the same
user/pass pair, it
>should work?
>
>I probably don't understand this correctly, since I
cannot make it work
>outside anonymous.
>
>Any help - pointers would be appreciated.
>
>Regards
>
>
>.
>
- Previous message: Juan: "Re: Power User"
- Next in thread: George Mills: "Re: DCOM hell with SP2, Only way out seems to be system wide anonymous login"
- Reply: George Mills: "Re: DCOM hell with SP2, Only way out seems to be system wide anonymous login"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
