mandhjo
asked on
CreateEvent -- Access Denied
I have a DCOM Server running remotely which is running under a particular account in the domain. Code in this server attempts to call CreateEvent and it is failing with GetLastError = 5 (Access Denied).
Any ideas? Is there a particular right that must be granted to the account under which the DCOM server is running? I will give mucho points for the right answer.
In an NT domain, perhaps the user account has to have admin privileges to be able to do what you need ... not positive about that, but just a thought. Check with your net administrator to modify those privileges and test it just for fun...
You'll have to create the event using an appropriate SID, e.g.
PSID psidWorldSid = NULL;
SECURITY_DESCRIPTOR sd;
SECURITY_ATTRIBUTES sa;
SID_IDENTIFIER_AUTHORITY siaWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
// Create a security descriptor for the object that allows
// access from both the privileged service and the non-privileged
// user mode programs
psidWorldSid = ( PSID) LocalAlloc ( LPTR,
GetSidLengthRequired ( 1)
);
InitializeSid ( psidWorldSid, &siaWorldSidAuthority, 1);
*( GetSidSubAuthority ( psidWorldSid, 0)) = SECURITY_WORLD_RID;
InitializeSecurityDescriptor ( &sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorGroup ( &sd, psidWorldSid, TRUE);
ZeroMemory ( &sa, sizeof ( SECURITY_ATTRIBUTES));
sa.nLength = sizeof ( SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = &sd;
*Note* that this SD has to be applied when the event is initially created...
BTW: That's the code I use to share synchronization object handles between services and 'normal' applications, so it should also work for your event ;-)
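The answer above builds a descriptor around the World SID so that services and ordinary programs can share one object. As an added example that is not part of the thread, this check parses the SDDL text form of a security descriptor and flags allow-ACEs that let Everyone, Anonymous or Guests signal or re-ACL an event. The function names and sample descriptors are constructed for illustration, and it assumes the object's descriptor has already been exported as an SDDL string.

```python
import re

# Access-mask bits from winnt.h that let a caller signal or re-ACL an event.
EVENT_MODIFY_STATE = 0x0002
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
RISKY = EVENT_MODIFY_STATE | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL

# SDDL two-letter rights that may appear instead of a hex mask.
SDDL_RIGHTS = {"GA": GENERIC_ALL, "GW": GENERIC_WRITE, "WD": WRITE_DAC, "WO": WRITE_OWNER}
# Trustees that cover every user or unauthenticated callers.
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone", "AN": "Anonymous", "BG": "Guests"}


def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(SDDL_RIGHTS.get(code, 0) for code in set(re.findall("..", rights)))


def audit_event_sddl(sddl):
    """Return findings for allow-ACEs that give broad trustees risky rights."""
    # D:<flags>(ace)(ace)... ; stops before an S: (SACL) component.
    dacl = re.search(r"D:([A-Z_]*)((?:\([^)]*\))*)", sddl)
    if dacl is None:
        return ["no D: component found"]
    if "NO_ACCESS_CONTROL" in dacl.group(1):
        return ["NULL DACL: every caller gets full access"]
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(2)):
        fields = ace.split(";")  # type;flags;rights;guid;inherit_guid;trustee
        if len(fields) < 6:
            continue  # malformed ACE, skip it
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        risky = parse_mask(rights) & RISKY
        if ace_type == "A" and trustee in BROAD and risky:
            findings.append(f"{BROAD[trustee]} allowed 0x{risky:08x}")
    return findings


if __name__ == "__main__":
    # Constructed sample descriptors: full access for Everyone, then
    # SYSTEM full access with Everyone limited to SYNCHRONIZE (wait only).
    for sample in ("D:(A;;0x1f0003;;;WD)",
                   "O:SYG:SYD:(A;;0x1f0003;;;SY)(A;;0x100000;;;WD)"):
        print(sample, "->", audit_event_sddl(sample) or "ok")
```

The second sample shows a tighter layout: non-privileged programs can wait on the event but cannot set, reset or re-permission it.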
ASKER
Interestingly enough, I added the following call to my WinMain function of my out of process COM Server and the problem has gone away.
hRes = CoInitializeSecurity( 0, -1, 0, 0, RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, 0, EOAC_NONE, 0 );
Yes, that's due to 'RPC_C_AUTHN_LEVEL_NONE', which will turn off RPC authentication at all (e.g. 'guest' is always sufficient) - is this what you want?
Err, comment is not precise enough ;-)
This means that the component you're activating runs in the default security context of the remote server (may be sufficient for your needs), but if user-level security applies for your app, it's a bit 'too open'
ASKER
Good enough for me...thanks for the explanation...er, explanationS.