mandhjo

CreateEvent -- Access Denied

I have a DCOM Server running remotely which is running under a particular account in the domain.  Code in this server attempts to call CreateEvent and it is failing with GetLastError = 5 (Access Denied).

Any ideas?  Is there a particular right that must be granted to the account under which the DCOM server is running?   I will give mucho points for the right answer.

captainkirk

In an NT domain, perhaps the user account has to have admin privileges to be able to do what you need ... not positive about that, but just a thought. Check with your net administrator to modify those privileges and test it just for fun...

jkr

You'll have to create the event using an appropriate SID, e.g.

    PSID                        psidWorldSid            =   NULL;
    SECURITY_DESCRIPTOR         sd;
    SECURITY_ATTRIBUTES         sa;
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;


    //  Create a security descriptor for the object that allows
    //  access from both the privileged service and the non-privileged
    //  user mode programs

    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );

    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);

    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;

    InitializeSecurityDescriptor    (   &sd,    SECURITY_DESCRIPTOR_REVISION);

    SetSecurityDescriptorGroup      (   &sd,    psidWorldSid,   TRUE);

    ZeroMemory  (   &sa,    sizeof  (   SECURITY_ATTRIBUTES));

    sa.nLength              =   sizeof  (   SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor =   &sd;


*Note* that this SD has to be applied when the event is initially created...
BTW: That's the code I use to share synchronization object handles between services and 'normal' applications, so it should also work for your event ;-)
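
An added example, not part of the thread: the same idea as the snippet above, but with an explicit DACL written in SDDL that names two accounts instead of the World SID. The function names, the SID strings and the event name passed in are hypothetical; the portable builder compiles anywhere, and the Win32 part is compiled only on Windows.

```c
#include <stdio.h>
#include <string.h>

/* Access masks from winnt.h, repeated so the builder compiles anywhere. */
#define EV_ALL_ACCESS   0x1F0003u  /* EVENT_ALL_ACCESS */
#define EV_WAIT_AND_SET 0x100002u  /* SYNCHRONIZE | EVENT_MODIFY_STATE */

/* Build an SDDL DACL: full control for the server's account, wait/signal
 * only for one client account. Both SID strings come from the caller
 * (hypothetical helper). Returns 0 on success, -1 on bad input or overflow. */
int build_event_sddl(const char *server_sid, const char *client_sid,
                     char *out, size_t out_len)
{
    if (!server_sid || !client_sid || !out) return -1;
    if (!*server_sid || !*client_sid) return -1;
    /* Reject characters that could close the ACE and append another one. */
    if (strpbrk(server_sid, "();") || strpbrk(client_sid, "();")) return -1;
    int n = snprintf(out, out_len, "D:(A;;0x%X;;;%s)(A;;0x%X;;;%s)",
                     EV_ALL_ACCESS, server_sid, EV_WAIT_AND_SET, client_sid);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   /* link with advapi32 */

/* Create a named event protected by the DACL above (hypothetical helper).
 * Returns NULL on failure; GetLastError() then holds the reason. */
HANDLE create_scoped_event(const char *name, const char *server_sid,
                           const char *client_sid)
{
    char sddl[256];
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h;
    DWORD err;

    if (build_event_sddl(server_sid, client_sid, sddl, sizeof sddl) != 0) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return NULL;
    h = CreateEventA(&sa, TRUE, FALSE, name);  /* manual reset, unsignaled */
    err = GetLastError();  /* ERROR_ALREADY_EXISTS means sa was not applied */
    LocalFree(sa.lpSecurityDescriptor);
    SetLastError(err);
    return h;
}
#endif
```

CreateEvent on a name that already exists ignores the supplied security attributes and requests EVENT_ALL_ACCESS on the existing object, so a caller that was granted only the wait/signal mask should use OpenEvent with that mask instead.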

mandhjo

ASKER

Interestingly enough, I added the following call to my WinMain function of my out of process COM Server and the problem has gone away.

      hRes = CoInitializeSecurity( 0, -1, 0, 0, RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, 0, EOAC_NONE, 0 );

Yes, that's due to 'RPC_C_AUTHN_LEVEL_NONE', which will turn off RPC authentication at all (e.g. 'guest' is always sufficient) - is this what you want?
Err, comment is not precise enough ;-)

This means that the component you're activating runs in the default security context of the remote server (may be sufficient for your needs), but if user-level security applies for your app, it's a bit 'too open'

ASKER CERTIFIED SOLUTION
jkr

mandhjo

ASKER

Good enough for me...thanks for the explanation...er, explanationS.