Setting DCOM Server "run as" Identity via Code

OK smart guys here is a question for you...

I want to automatically configure a DCOM Server "run as" identity in code and bypass the need to use DCOMCNFG to do this. We have developed a DCOM Server that is part of an NT Server written in Delphi. For reasons that I don't want to get into now we need to configure this DCOM server to run as a particular person rather than the system account. We have a DCOM DLL that we got from MS called DCOMPerm which allows us to do this. However it doesn't appear to work when the DCOM Server is part of an NT Service. However, if we use DCOMCNFG we can in fact select a user to run this server as.

Again, for technical reasons both the NT Service and the DCOM Server object need to be configured to run as a user.  We have several of these Services and want to do it as part of install.

Any ideas on how to do this?

blitz051697Asked:

LischkeCommented:
Perhaps something like LogonAsUser or CreateProcessAsUser? I'm just guessing here. I don't know whether there's a CreateServiceAsUser API. Will look at this tomorrow...

Ciao, Mike
0
EpsylonCommented:
How can a DCOM server be a part of a service? I don't get this....
0
KECommented:
Oh yes - are we enjoying M$ DCOM security or what ?

Delphi VCL is not very suited to operate a DCOM server in a service. There are several points where the VCL is not dealing with DCOM properly (in respect to services). I suggest that you visit this place for more info on this issue:
http://members.tripod.com/~aldyn

To set the RunAs registry key you basically do this:

uses Windows, SysUtils, Registry;  { HKEY_*, GUIDToString, TRegistry }

{ Writes HKLM\SOFTWARE\Classes\AppID\{GUID}\RunAs, creating the key if needed }
procedure COM_SetRunAs( GUID: TGUID; Value: String );
var
  r : TRegistry;
begin
  r := TRegistry.Create;
  try
    r.RootKey := HKEY_LOCAL_MACHINE;
    if r.OpenKey( '\SOFTWARE\Classes\AppID\'+GUIDToString(GUID), True ) then
      r.WriteString('RunAs', Value );  { e.g. 'Interactive User' or 'DOMAIN\User' }
  finally
    r.Free;
  end;
end;

If you want it to be the Interactive User just write "Interactive User" to the value. There's just one little hack to this - Delphi doesn't write the AppID to the CLSIDs - therefore it launches a new server for each connection (as if it were the "Launching User").

Use this correction:

uses Windows, SysUtils, Registry;  { HKEY_*, GUIDToString, TRegistry }

{ Points HKCR\CLSID\{GUID}\AppID at the AppID key so DCOM can find the
  server's RunAs settings when a client asks for this class }
procedure COM_SetCLSIDAppID( GUID: TGUID );
var
  r : TRegistry;
begin
  r := TRegistry.Create;
  try
    r.RootKey := HKEY_CLASSES_ROOT;
    if r.OpenKey( '\CLSID\'+GUIDToString(GUID), True ) then
      r.WriteString('AppID', GUIDToString(GUID) );
  finally
    r.Free;
  end;
end;

BTW. GUID should take your LIBID

To specify RunAs as a special account (like for a service), you don't have to do anything. DCOM will run in the context of the service process - in other words, the service account determines the "RunAs user".

Regards

PS. Are you ready for the security issues now ;-)
0
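As an added example (not code from the thread), the two steps above combined into one install-time routine for the asker's case of a server with several classes: one AppID (the LIBID, as KE suggests) carries the RunAs value, every CLSID is pointed at it, and the result is read back so an installer can tell whether the registry half is in place. COM_ConfigureRunAs and the constructed GUIDs are assumed names; the password DCOMCNFG stores for a named account does not live in these keys (it goes into an LSA secret), so a matching read-back here does not mean the service logon will succeed.

```delphi
uses Windows, SysUtils, Registry;

{ Writes AppID\{AppID}\RunAs, links each CLSID to the AppID, then reads
  both back. Returns True only when the registry matches the request.
  HKLM\SOFTWARE\Classes is the machine-wide view of HKCR. }
function COM_ConfigureRunAs(const AppID: TGUID; const CLSIDs: array of TGUID;
  const RunAs: string): Boolean;
var
  r: TRegistry;
  i: Integer;
  AppIDStr, Path: string;
begin
  Result := False;
  AppIDStr := GUIDToString(AppID);
  r := TRegistry.Create;
  try
    r.RootKey := HKEY_LOCAL_MACHINE;
    { 1. RunAs on the AppID key (e.g. 'Interactive User' or 'DOMAIN\User') }
    if not r.OpenKey('\SOFTWARE\Classes\AppID\' + AppIDStr, True) then Exit;
    r.WriteString('RunAs', RunAs);
    r.CloseKey;
    { 2. CLSID -> AppID link that Delphi's registration does not write }
    for i := Low(CLSIDs) to High(CLSIDs) do
    begin
      Path := '\SOFTWARE\Classes\CLSID\' + GUIDToString(CLSIDs[i]);
      if not r.OpenKey(Path, True) then Exit;
      r.WriteString('AppID', AppIDStr);
      r.CloseKey;
    end;
    { 3. Verify along the same path DCOM follows: CLSID -> AppID -> RunAs }
    for i := Low(CLSIDs) to High(CLSIDs) do
    begin
      Path := '\SOFTWARE\Classes\CLSID\' + GUIDToString(CLSIDs[i]);
      if not r.OpenKey(Path, False) then Exit;
      if not (r.ValueExists('AppID') and SameText(r.ReadString('AppID'), AppIDStr)) then Exit;
      r.CloseKey;
    end;
    if not r.OpenKey('\SOFTWARE\Classes\AppID\' + AppIDStr, False) then Exit;
    Result := r.ValueExists('RunAs') and SameText(r.ReadString('RunAs'), RunAs);
  finally
    r.Free;
  end;
end;

{ Constructed sample GUIDs for a type library with two coclasses; run as Administrator }
const
  LIBID_Sample: TGUID = '{11111111-2222-3333-4444-555555555555}';
  CLSID_One:    TGUID = '{11111111-2222-3333-4444-555555555556}';
  CLSID_Two:    TGUID = '{11111111-2222-3333-4444-555555555557}';
begin
  if not COM_ConfigureRunAs(LIBID_Sample, [CLSID_One, CLSID_Two], 'Interactive User') then
    WriteLn('RunAs configuration incomplete - check rights and key paths');
end.
```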


RBertoraCommented:
following..
0
blitz051697Author Commented:
KE, I got the first part. I'm still unclear on the second part of your comment. Why do I need to do step two? Also, how do I determine the APPID for my application? I did a search for my server in the registry and determined that one of the CLASS IDs was actually what was stored as the APPID. But I have several. Why did it choose this one? Why isn't there an APPID in the TLB file anywhere?
0
LischkeCommented:
KE, you seem to have very good knowledge in this field. Please look at Q.10229218 I'm currently working on. I have no idea what could be wrong there.

Ciao, Mike
0
KECommented:
Step two is necessary if DCOM should have a chance of finding your application by a reference to the class id. When you call CoCreateRemote DCOM searches the CLSIDs to find what class you wish to invoke. It may then find your class, but as Delphi doesn't write the APPID (which holds information about the executable) - it can't launch the Application properly.

APPID:
Look for the LIBID...

Regards
0
blitz051697Author Commented:
Thanks.  I'm verifying that it works and I'll get back to you.
0
blitz051697Author Commented:
Appears to work.   Thanks.
0
KECommented:
Great - thanks...

Tell me if you are having any trouble with the security issues...

Regards
0
blitz051697Author Commented:
KE, it didn't work after all. During our testing it looks like the service will not start unless we actually go into the DCOMConf and save it there. We continue to get a logon failure when we start the service until we use Dcomcnfg.

Even though when you launch the Dcomcnfg program it has the correct person's name displayed. We took a snapshot before and after saving via the dcomcnfg program and noticed that there are some additional entries that are made in the registry. Unfortunately the information is encrypted or something because there is no way to tell what it is. My guess is that it is the password and some other control information. You probably need to use an API from MS to really pull this off. It sounded like you had used this approach before. Did it actually work for you?

I'm willing to open another question and give more points to answer it...
0
KECommented:
Hmmmmm....

Actually, I have not completed my service app. yet - the keys I referred to were in respect to an ordinary application approach (I'm still debugging/making modifications).
I'm sorry that I wasn't seeing this in the first place.
The "good news" is that I'm working on migrating from an app. to a service - I will start probably tomorrow, or within the next few days. I'll let you know all that I find interesting during this migration - OK!

Which keys are you referring to?
LaunchPermissions ?
AccessPermissions ?

What "logon failure" are you referring to - clients or "service start"?

How do you install the service ?
Do you set account and password during service installation ?
Do you try to use the system account ?

If you could show me the key(s) and contents, I will maybe be able to tell whether it is a Security Descriptor or whatever...

Regards
0
blitz051697Author Commented:
Here is the key that changes....

Before DcomConf Save...

[HKEY_USERS\S-1-5-21-463936550-686630240-922709458-1053\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"a"=hex:62,00,65,00,66,00,6f,00,72,00,65,00,2e,00,72,00,65,00,67,00,00,00,1a,\
  00,30,00,00,00,00,00,00,00,00,00,00,00,62,65,66,6f,72,65,2e,6c,6e,6b,00,00,\
  00,00
"MRUList"="a"
After DComCnfg Save...

[HKEY_USERS\S-1-5-21-463936550-686630240-922709458-1053\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"a"=hex:62,00,65,00,66,00,6f,00,72,00,65,00,2e,00,72,00,65,00,67,00,00,00,1a,\
  00,30,00,00,00,00,00,00,00,00,00,00,00,62,65,66,6f,72,65,2e,6c,6e,6b,00,00,\
  00,00
"MRUList"="ba"
"b"=hex:61,00,66,00,74,00,65,00,72,00,2e,00,72,00,65,00,67,00,00,00,19,00,30,\
  00,00,00,00,00,00,00,00,00,00,00,61,66,74,65,72,2e,6c,6e,6b,00,00,00,00
0
KECommented:
Well, I'm afraid that this has nothing to do with it. This is the MRU list (Most Recently Used) that shows which documents you have opened lately.

I'm 99.99% sure that this has no impact on DCOM !!!

What's done here is that a new file (b) is added to the MRU list...
b='after.reg'
a='before.reg'

They are WideString encoded !

What about my other questions - any hints on these...

Regards
0
blitz051697Author Commented:
Then something else must be going on then. I also thought that it looks strange but it is the only thing that changes in the registry. Could it be doing something else outside of the registry?
0
KECommented:
Try to save the registry in another way...

At the command prompt type:

at 11:45 /interactive regedit.exe

Substitute the time with the time on your system + 1 minute.
This will launch regedit with LocalSystem access rights. You may get more entries saved when you have more rights (Well, I actually don't know).
Another way is to download the RegMon at www.sysinternals.com.

Regards

PS. How do you install the service ?
0
KECommented:
BTW. Be careful what you do - you can easily damage the registry with system rights...
0