Re: DCOM hell with SP2, Only way out seems to be system wide anonymous login

From: George Mills (mswlogo_at_hotmail.com)
Date: 10/31/04


Date: Sun, 31 Oct 2004 01:25:35 -0400

I made some progress on this.
Turns out the group "Everyone" does NOT include Domain Users. This
supposedly changed in XP.
I added Domain Users to the DCOM Computer Limits and to my service and I got
past the CoCreateInstanceEx() E_ACCESSDENIED.
Then all my QueryInterface calls got E_ACCESSDENIED. I added a
CoSetProxyBlanket call for every interface and it seems to be working.
So if the admin wants anybody, they add Anonymous Logon; if they only want
Domain Users, they add Domain Users.
I also removed all the suggestions below and pass NULL to
CoCreateInstanceEx() for the authentication list, and NULL to
CoInitializeSecurity().
This was insane sorting it out.
Is there anything better I could do?

Here is a snippet of the code, error checking removed:

// Client process-wide security: AUTHN_LEVEL_NONE is only the minimum the
// client will accept; the per-proxy CoSetProxyBlanket() below raises it to
// CONNECT for each interface actually used.
CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_NONE,
                     RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

USES_CONVERSION;   // required for the ATL A2W() macro used below
CComPtr<IPBMSeqQMgr> msQMgrComPtr;
CComPtr<IUnknown> spIUnknown;

// Server name only; pAuthInfo stays NULL so the caller's default identity
// is used on the wire.
COSERVERINFO csi = {0, A2W(m_ServerHostNameArray[i]), NULL, 0};
MULTI_QI qi = {&__uuidof(IPBMSeqQMgr), NULL, S_OK};

CoCreateInstanceEx(CLSID_MasterSeq, NULL, CLSCTX_REMOTE_SERVER, &csi, 1, &qi);
// Attach() takes over the reference CoCreateInstanceEx already added;
// a plain assignment would AddRef a second time and leak the first one.
msQMgrComPtr.Attach(static_cast<IPBMSeqQMgr *>(qi.pItf));
msQMgrComPtr.QueryInterface(&spIUnknown); // This was REQUIRED !!! I could
// not use the interface returned from QI directly in CoSetProxyBlanket()
CoSetProxyBlanket(spIUnknown, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NAME, NULL,
                  RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IMPERSONATE,
                  NULL, EOAC_NONE);
// Each proxy obtained afterwards gets its own CoSetProxyBlanket() call as
// well; without it the QI / method calls come back E_ACCESSDENIED.
msQMgrComPtr.QueryInterface(&msInterfacePointers.spIPBMethodValidate);

"George Mills" <mswlogo@hotmail.com> wrote in message
news:eSxLcOjvEHA.4048@TK2MSFTNGP15.phx.gbl...
>I have a DCOM application that needs to run between all combinations of
> XP-SP1, XP-SP2, and Win2k
>
> All was fine until XP-SP2.
>
> We can get everything working if we add Remote Access to Anonymous Login in
> the DCOM Limits.
>
> The Client is a Win32 desktop app. The server is an ATL COM Service.
>
> I keep getting E_ACCESSDENIED on CoCreateInstanceEx() on the Client (when
> Anonymous Login is disabled)
>
> The ATL COM service also calls back on a Client Sink interface.
>
> Everything is started manually on both Client and Server.
>
> I want to enable the simplest (most portable) authentication.
>
> Most customers run using an NT Domain. Some do not, and some cross
> domains.
>
> Prior to XP-SP2 we used CoInitializeSecurity to shut down all
> authentication.
> We are not worried about security risks through our applications.
>
> But I don't want to open up the new Computer-wide ACL to Anonymous
> Login
> to allow just our application to run.
>
> I believe I am coming across the wire as anonymous and tried the
> suggestion
> posted below to use NTLM authentication.
>
> But it still fails.
>
> Note the service is running under the default "System" account.
>
> What am I missing?
>
> ======================= OLD POST by someone else ===================
>
> Hi...
>
> To make the client-server communication non-anonymous, refer to the
> help on the ::CoInitializeSecurity function; it describes it pretty
> well.
>
> Remember that ::CoInitializeSecurity must be called on
> both the client and server.
> It's some time since I tested it, since I decided to go
> for the anonymous logon, but after searching some code I
> think these examples will work for you.
> --- Server Side ---
> SOLE_AUTHENTICATION_SERVICE* pacAuth = new
> SOLE_AUTHENTICATION_SERVICE;
>
> pacAuth->dwAuthnSvc = RPC_C_AUTHN_WINNT;
> pacAuth->dwAuthzSvc = RPC_C_AUTHZ_NAME;
> pacAuth->pPrincipalName = NULL;
> pacAuth->hr = S_OK;
>
> ::CoInitializeSecurity
> (NULL,1,pacAuth,NULL,RPC_C_AUTHN_LEVEL_CONNECT,RPC_C_IMP_LEVEL_IMPERSONATE,
> NULL,EOAC_NONE,NULL);
>
>
> --- Client Side ---
> ::CoInitializeSecurity(NULL, -1, NULL, NULL,
> RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL,
> EOAC_NONE, NULL);
>
> aiAuthInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
> aiAuthInfo.dwAuthzSvc = RPC_C_AUTHZ_NAME;
> aiAuthInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
> aiAuthInfo.pwszServerPrincName = NULL;
> aiAuthInfo.dwImpersonationLevel =
> RPC_C_IMP_LEVEL_IMPERSONATE;
> aiAuthInfo.pAuthIdentityData = NULL;
> aiAuthInfo.dwCapabilities = 0;
>
> siServerInfo.dwReserved1 = 0;
> siServerInfo.pwszName = A2W("<Your servername>");
> siServerInfo.pAuthInfo = &aiAuthInfo;
> siServerInfo.dwReserved2 = 0;
>
> mrmq[0].pIID = &<Your interface ID>;
> mrmq[0].pItf = NULL;
> mrmq[0].hr = 0;
>
> ::CoCreateInstanceEx(<Your classid>, NULL,
> CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
> &siServerInfo, 1, mrmq);
>
>
> Regarding Workgroup security... To be able to run with
> authenticated users the logins must (as you indicate) be
> the same username and password on both the server and
> client.
>
> --Rune G
>
>>-----Original Message-----
>>Hi all,
>>
>>Let me say at first that SP2 is a lot of work for me so far... Our
>>application worked for NT4 and up and since SP2, there is a lot to be
>>configured to make it work. I have found the info to configure XP SP2 for
>>anonymous client-server authentication and it's working.
>>
>>Now I need to find a way not to use anonymous logon to make DCOM work. Most
>>of my clients are not on a domain, not even on the same workgroup. Is there a
>>way to make DCOM use connect or something else, without opening everything
>>for anonymous.
>>
>>I tried different approaches, but the server always sees the client coming
>>with the NT AUTHORITY\ANONYMOUS LOGON SID ...
>>
>>Even if I set my client side for "connect".
>>
>>From what I understand:
>>1. On the client side, DCOM obtains a user name
>>2. The server authenticates the user
>>3. Is the user in the list
>>4. Fail or accept
>>
>>So if I have on client-server (not a domain) the same user/pass pair, it
>>should work?
>>
>>I probably don't understand this correctly, since I cannot make it work
>>outside anonymous.
>>
>>Any help - pointers would be appreciated.
>>
>>Regards
>
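The admin-side half of this thread is which principals the XP SP2 machine-wide DCOM limits actually grant remote access and activation to. As an added example (not code from any poster in the thread), this PowerShell script reads the MachineAccessRestriction and MachineLaunchRestriction values under HKLM\SOFTWARE\Microsoft\Ole and decodes every ACE, so an administrator can confirm that Domain Users rather than Anonymous Logon holds the remote rights before touching the limits. It assumes those registry value names and the COM_RIGHTS_* bit values from the Windows SDK headers; an absent value means the OS defaults are in effect.

```powershell
# Added example: audit the XP SP2 machine-wide DCOM limits ("Edit Limits" in
# dcomcnfg). Assumed location: HKLM\SOFTWARE\Microsoft\Ole; absent value = OS
# default limits. Run in an elevated PowerShell on the server being checked.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM_RIGHTS_* bits (SDK header values) as stored in the limit ACE masks.
$ComRights = [ordered]@{
    Execute        = 0x1
    ExecuteLocal   = 0x2
    ExecuteRemote  = 0x4
    ActivateLocal  = 0x8
    ActivateRemote = 0x10
}

function Get-DcomLimit {
    param([ValidateSet('MachineAccessRestriction','MachineLaunchRestriction')]
          [string]$Name)
    $bytes = (Get-ItemProperty -Path $OleKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $bytes) { Write-Warning "$Name not set; OS default limits apply."; return }

    # The value is a self-relative security descriptor in binary form.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID (e.g. foreign domain): show raw
        $rights = @($ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] })
        $remote = ($rights -match 'Remote').Count -gt 0

        # Anonymous Logon (S-1-5-7) holding any *Remote right is the grant the
        # thread is trying to avoid; Domain Users is the RID-513 domain group.
        $flag = ''
        if     ($sid.Value -eq 'S-1-5-7' -and $remote)  { $flag = 'ANONYMOUS REMOTE' }
        elseif ($sid.Value -like 'S-1-5-21-*-513')      { $flag = 'Domain Users' }
        elseif ($sid.Value -eq 'S-1-1-0' -and $remote)  { $flag = 'Everyone remote' }

        [pscustomobject]@{
            Limit     = $Name
            Type      = $ace.AceType        # AccessAllowed / AccessDenied
            Principal = $who
            Sid       = $sid.Value
            Rights    = ($rights -join ',')
            Flag      = $flag
        }
    }
}

Get-DcomLimit MachineAccessRestriction | Format-Table -AutoSize
Get-DcomLimit MachineLaunchRestriction | Format-Table -AutoSize
```

Any row flagged ANONYMOUS REMOTE in the access limit is the machine-wide grant the original post wanted to avoid; the per-application permissions under AppID are a separate, narrower place to grant Domain Users.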


