
DCOM E_ACCESSDENIED

Posted on 2001-07-24
Last Modified: 2013-12-03
I have written an NT service (written in ATL) and also written the client of it (in C++/MFC).  When the client calls CoCreateInstanceEx to access the service across the network the return value is E_ACCESSDENIED, unless the server has an account with the same name as the user who is running the client program.  (Running the client locally on the server works fine.)

All I want is for the service to allow access to everyone on the network.  But creating an account on the server for all potential users is not practical.

I have tried all possible combinations of security, authentication, identity etc in DCOMCNFG on both the client and server machines to no avail.  I have also tried different combinations of having the client and server in different domains without success.  

I have also tried changing options in CoInitializeSecurity in both the client and service, but originally tried:

In the service (ATL):

    // This provides a NULL DACL which will allow access to everyone.
    CSecurityDescriptor sd;
    sd.InitializeFromThreadToken();
    hr = CoInitializeSecurity(sd, -1, NULL, NULL,
        RPC_C_AUTHN_LEVEL_PKT,
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL, EOAC_NONE, NULL);

In the client:

    CoInitializeSecurity(NULL, -1, NULL, NULL,
                         RPC_C_AUTHN_LEVEL_NONE,
                         RPC_C_IMP_LEVEL_IMPERSONATE,
                         NULL, EOAC_NONE, NULL);

Note that I use DCOMCNFG to say where to run the "application" by specifying the server name in the Location page.

As a test I set up a W2K server with the service installed and running, and a W2K workstation running the client.  Initially I could not access anything on the server from the workstation, including my service and local disk drives etc.

However, it was very easy to get access to the disk drives by just sharing them with "Everyone".  There must be a way to do a similar thing with services - ie share them with "Everyone", but I cannot find it.

We need a solution that does not require a major reconfiguration of client networks.  Having all client machines in the same domain, or having to create accounts for all users on the server is not an option.  But there is surely an easier way.

Andrew.
0
Comment
Question by:aphillips
8 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 6317281
Maybe a silly remark, but did you set the auth level to 'none' in the properties of your service (in dcomcnfg)?
0
 

Expert Comment

by:aarone
ID: 6317772
By default, the server is launched with the launching user's credentials. Most probably your server tries to access system resources that the launching user is not allowed to. If this is the problem, you can set the server to be launched with other credentials (in dcomcnfg->Applications click on your app, click properties, then Identity->This user and set it to a user that has full access to the system).

0
 
LVL 3

Author Comment

by:aphillips
ID: 6320485
Thanks for the suggestions.

I have tried all the options in DCOMCNFG (both on client and server) before, but I just double-checked the above suggestions but still get E_ACCESSDENIED returned.

> ... did you set the auth level to 'none'...

Yes tried that on both server and client.

> set that the server will be launched with other credentials ...

I tried setting the Identity to both the local administrator and the domain administrator.

Perhaps I should ask this in another group, but it was unclear which of the following groups were appropriate:

Windows NT
Windows 2000
Windows NT Setup
Windows NT Networking
Network Security
Windows Programming

0
 
LVL 7

Expert Comment

by:jimwasson
ID: 6328164
You should be able to set this up pretty easily with dcomcnfg.  When you run dcomcnfg you can either edit your default security permissions and have the component use the default or you can configure the component individually (since you're on a network you most likely want to do that). You need to set up both the "Launch" and the "Access" permissions.  You should find your component in the listbox on the "Applications" tab.  Find your component and select it and then hit the "Properties..." button.  Then go to the "Security" tab and select the "Use custom access permissions" radio button and then select the "Edit" button.  You should see a listbox with those user entities allowed to access the component -- the type of access should be "Allow Access".  You can add additional users by clicking the "Add" button and selecting the additional users from the Add Users dialog, adding them using that dialog's "Add" button.  After clicking "OK" there, you should see that the additional names have been added.
0
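
The settings discussed in this thread (custom Access and Launch permissions, Identity, authentication level) are stored by dcomcnfg under the application's `HKCR\AppID` key. The following PowerShell is an added example, not part of the original posts: it reads those values back and flags a NULL DACL or an allow entry for Everyone or ANONYMOUS LOGON. The AppID GUID is a placeholder and the function name `Get-DcomAclReport` is hypothetical.

```powershell
# Added example, not from the thread. The AppID GUID is a placeholder:
# substitute the AppID your server registers under HKCR\AppID.
param([string]$AppId = '{00000000-0000-0000-0000-000000000000}')

$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON' }
# COM access-mask bits (COM_RIGHTS_* in the Windows SDK headers).
$comRights = @{ 1 = 'EXECUTE'; 2 = 'EXECUTE_LOCAL'; 4 = 'EXECUTE_REMOTE'
                8 = 'ACTIVATE_LOCAL'; 16 = 'ACTIVATE_REMOTE' }
# RPC_C_AUTHN_LEVEL_* names, indexed by their numeric value (0..6).
$authLevels = 'Default', 'None', 'Connect', 'Call', 'Packet',
              'PacketIntegrity', 'PacketPrivacy'

function Get-DcomAclReport {
    param([byte[]]$Bytes, [string]$Name)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) {
        return "${Name}: not set (machine-wide default applies)"
    }
    # The registry value is a self-relative binary security descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    if ($null -eq $sd.DiscretionaryAcl) {
        return "${Name}: no DACL (NULL DACL), callers are not restricted"
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Skip ACE types that carry no SID/access mask.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid    = $ace.SecurityIdentifier.Value
        $rights = ($comRights.Keys | Sort-Object |
                   Where-Object { $ace.AccessMask -band $_ } |
                   ForEach-Object { $comRights[$_] }) -join ','
        $broad  = $broadSids.ContainsKey($sid) -and $ace.AceType -eq 'AccessAllowed'
        "${Name}: $($ace.AceType) $sid [$rights]" + $(if ($broad) { '  <-- broad grant' })
    }
}

$app = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction Stop
"RunAs (Identity tab): " + $(if ($app.RunAs) { $app.RunAs } else { 'not set' })
$lvl = $app.AuthenticationLevel
"AuthenticationLevel: " + $(if ($null -ne $lvl) { $authLevels[$lvl] } else { 'not set (machine default)' })
Get-DcomAclReport $app.AccessPermission 'AccessPermission'
Get-DcomAclReport $app.LaunchPermission 'LaunchPermission'
```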
 
LVL 7

Accepted Solution

by:
jimwasson earned 800 total points
ID: 6328266
There is also an issue with how the authentication is done.  If you don't have a domain controller, or are using a Novell network, I believe that you will have to have identical accounts set up on the server and the client machines -- to the point of having the exact same username and the exact same (case sensitive) passwords.  We have a similar situation and the above fixes it.  If there is a solution without using identical accounts on the client and server machines, I'd love to hear it.
0
 
LVL 3

Author Comment

by:aphillips
ID: 6329677
Thanks jim.  Unfortunately I have tried all the permission settings in DCOMCNFG (many times actually in combination with other settings), on both client and server.

As you said, without a domain controller we can get it to work if we have identical accounts set up on both machines.  But we wanted to allow anyone on the network to connect to it without the onerous restriction of having them have an account on the service machine.

Since my last post we have also discovered another thing.  We can get it to work in a domain if the service is set up on the domain controller, and the user has a domain account. BUT we can't get the thing to work at all if the service is on a machine in the domain but not on the domain controller itself, even with a domain account and local accounts on both machines, all with the same name and password.

Using a service across the network really should be as easy as sharing a disk.  I have spent over a week trying to get this to work and understand NT security.  It really is another MS mess.

0
 
LVL 3

Author Comment

by:aphillips
ID: 7276136
I never got completely what I wanted, but we got it working with a domain controller, which was decided to be acceptable.

One bug that was found was that the impersonation level in the call to CoInitializeSecurity() was RPC_C_IMP_LEVEL_DEFAULT rather than RPC_C_IMP_LEVEL_IMPERSONATE.  This had been correct at some stage but had been changed in an attempt to get it working and not changed back.
0
