Posted on 2001-07-24
I have written an NT service (written in ATL) and also written the client of it (in C++/MFC). When the client calls CoCreateInstanceEx to access the service across the network the return value is E_ACCESSDENIED, unless the server has an account with the same name as the user who is running the client program. (Running the client locally on the server works fine.)
All I want is for the service to allow access to everyone on the network. But creating an account on the server for all potential users is not practical.
I have tried all possible combinations of security, authentication, identity, etc. in DCOMCNFG on both the client and server machines, to no avail. I have also tried different combinations of having the client and server in different domains, without success.
I have also tried changing options in CoInitializeSecurity in both the client and service, but originally tried:
In the service (ATL):
    // This provides a NULL DACL which will allow access to everyone.
    hr = CoInitializeSecurity(sd, -1, NULL, NULL,
        NULL, EOAC_NONE, NULL);
In the client:
    CoInitializeSecurity(NULL, -1, NULL, NULL,
        NULL, EOAC_NONE, NULL);
Note that I use DCOMCNFG to say where to run the "application" by specifying the server name in the Location page.
As a test I set up a W2K server with the service installed and running, and a W2K workstation running the client. Initially I could not access anything on the server from the workstation, including my service and local disk drives etc.
However, it was very easy to get access to the disk drives by just sharing them with "Everyone". There must be a way to do a similar thing with services, i.e. share them with "Everyone", but I cannot find it.
We need a solution that does not require a major reconfiguration of client networks. Having all client machines in the same domain, or having to create accounts for all users on the server is not an option. But there is surely an easier way.