Solved

DCOM E_ACCESSDENIED

Posted on 2001-07-24
994 Views
Last Modified: 2013-12-03
I have written an NT service (written in ATL) and also written the client of it (in C++/MFC).  When the client calls CoCreateInstanceEx to access the service across the network the return value is E_ACCESSDENIED, unless the server has an account with the same name as the user who is running the client program.  (Running the client locally on the server works fine.)

All I want is for the service to allow access to everyone on the network.  But creating an account on the server for all potential users is not practical.

I have tried all possible combinations of security, authentication, identity etc. in DCOMCNFG on both the client and server machines to no avail.  I have also tried different combinations of having the client and server in different domains without success.

I have also tried changing options in CoInitializeSecurity in both the client and service, but originally tried:

In the service (ATL):

    // This provides a NULL DACL which will allow access to everyone.
    CSecurityDescriptor sd;
    sd.InitializeFromThreadToken();
    hr = CoInitializeSecurity(sd, -1, NULL, NULL,
        RPC_C_AUTHN_LEVEL_PKT,
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL, EOAC_NONE, NULL);

In the client:

    CoInitializeSecurity(NULL, -1, NULL, NULL,
        RPC_C_AUTHN_LEVEL_NONE,
        RPC_C_IMP_LEVEL_IMPERSONATE,
        NULL, EOAC_NONE, NULL);

Note that I use DCOMCNFG to say where to run the "application" by specifying the server name in the Location page.

As a test I set up a W2K server with the service installed and running, and a W2K workstation running the client.  Initially I could not access anything on the server from the workstation, including my service and local disk drives etc.

However, it was very easy to get access to the disk drives by just sharing them with "Everyone".  There must be a way to do a similar thing with services, i.e. share them with "Everyone", but I cannot find it.

We need a solution that does not require a major reconfiguration of client networks.  Having all client machines in the same domain, or having to create accounts for all users on the server is not an option.  But there is surely an easier way.

Andrew.
Question by: aphillips

8 Comments

Expert Comment by: jkr

Maybe a silly remark, but did you set the auth level to 'none' in the properties of your service (in dcomcnfg)?

Expert Comment by: aarone

By default, the server is launched with the launching user's credentials. Most probably your server tries to access system resources that the launching user is not allowed to. If this is the problem, you can set the server to be launched with other credentials (in dcomcnfg->Applications click on your app, click Properties, then Identity->This user and set it to a user that has full access to the system).

Author Comment by: aphillips

Thanks for the suggestions.

I have tried all the options in DCOMCNFG (both on client and server) before; I have just double-checked the above suggestions but still get E_ACCESSDENIED returned.

> ... did you set the auth level to 'none'...

Yes tried that on both server and client.

> set that the server will be launched with other credentials ...

I tried setting the Identity to both the local administrator and the domain administrator.

Perhaps I should ask this in another group, but it was unclear which of the following groups were appropriate:

Windows NT
Windows 2000
Windows NT Setup
Windows NT Networking
Network Security
Windows Programming

Expert Comment by: jimwasson

You should be able to set this up pretty easily with dcomcnfg.  When you run dcomcnfg you can either edit your default security permissions and have the component use the default, or you can configure the component individually (since you're on a network you most likely want to do that).  You need to set up both the "Launch" and the "Access" permissions.  You should find your component in the listbox on the "Applications" tab.  Find your component, select it and then hit the "Properties..." button.  Then go to the "Security" tab, select the "Use custom access permissions" radio button and then select the "Edit" button.  You should see a listbox with those user entities allowed to access the component -- the type of access should be "Allow Access".  You can add additional users by clicking the "Add" button and selecting the additional users from the Add Users dialog, adding them using that dialog's "Add" button.  After clicking "OK" there, you should see that the additional names have been added.
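An added illustration, not code from the thread or from any of its posters: a PowerShell script that reads from the registry, on the server, the same settings the DCOMCNFG steps above change (Launch and Access permissions, Identity, authentication level, and the RemoteServerName the Location page in the question writes) together with the machine-wide defaults, and decodes the permission descriptors into individual ACEs so the outcome of a configuration attempt can be checked rather than guessed. The application name 'My ATL Service' is a placeholder; the registry value names are the documented ones DCOMCNFG maintains under HKLM\SOFTWARE\Microsoft\Ole and HKCR\AppID\{appid}.

```powershell
# Added example, not code from the original thread or its posters: audit the DCOM
# settings on the server that decide whether a remote CoCreateInstanceEx gets
# E_ACCESSDENIED. Run in an elevated PowerShell on the machine hosting the service.
# $AppName is a placeholder for the name shown on the DCOMCNFG Applications tab.
param([string]$AppName = 'My ATL Service')

# COM access-mask bits (Windows SDK) found in Launch/AccessPermission ACEs.
$ComRights = @{ 1 = 'EXECUTE'; 2 = 'EXECUTE_LOCAL'; 4 = 'EXECUTE_REMOTE';
                8 = 'ACTIVATE_LOCAL'; 16 = 'ACTIVATE_REMOTE' }

function Get-DcomAce {
    # Decode a REG_BINARY self-relative security descriptor into one object per ACE.
    # Absent value, NULL DACL and empty DACL are reported as text, because they mean
    # "machine default applies", "everyone is allowed" and "nobody is allowed".
    param([byte[]]$Bytes)
    if (-not $Bytes) { return '(not set: machine-wide default applies)' }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    if ($null -eq $sd.DiscretionaryAcl) { return 'NULL DACL: every caller is allowed' }
    if ($sd.DiscretionaryAcl.Count -eq 0) { return 'empty DACL: every caller is denied' }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # unresolvable SID (deleted account, foreign domain)
        $rights = foreach ($bit in ($ComRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $ComRights[$bit] }
        }
        [pscustomobject]@{ Type = $ace.AceType; Account = $account; Sid = $sid.Value; Rights = ($rights -join '|') }
    }
}

function Show-Permission {
    param([string]$Label, $Value)
    "${Label}:"
    Get-DcomAce $Value | Format-Table -AutoSize | Out-String
}

# Machine-wide settings: DCOMCNFG "Default Properties" and "Default Security" tabs.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
"EnableDCOM                : $($ole.EnableDCOM)"
"LegacyAuthenticationLevel : $($ole.LegacyAuthenticationLevel)  (1=None 2=Connect 3=Call 4=Pkt 5=PktIntegrity 6=PktPrivacy)"
"LegacyImpersonationLevel  : $($ole.LegacyImpersonationLevel)  (1=Anonymous 2=Identify 3=Impersonate 4=Delegate)"
Show-Permission 'DefaultAccessPermission' $ole.DefaultAccessPermission
Show-Permission 'DefaultLaunchPermission' $ole.DefaultLaunchPermission

# Per-application settings: DCOMCNFG Applications tab -> Properties. The {appid} key's
# default value is the friendly name shown in the list, so match on that.
$appKeys = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' |
    Where-Object { $_.PSChildName -like '{*}' -and (Get-ItemProperty -Path $_.PSPath).'(default)' -eq $AppName }
if (-not $appKeys) { Write-Warning "No AppID named '$AppName' found under HKCR\AppID"; return }

foreach ($key in $appKeys) {
    $p = Get-ItemProperty -Path $key.PSPath
    "AppID               : $($key.PSChildName)"
    "RunAs (Identity)    : $(if ($p.RunAs) { $p.RunAs } else { '(launching user)' })"
    "RemoteServerName    : $($p.RemoteServerName)  (set by the Location page; only meaningful on the client)"
    "AuthenticationLevel : $(if ($null -ne $p.AuthenticationLevel) { $p.AuthenticationLevel } else { '(machine default)' })"
    Show-Permission 'LaunchPermission' $p.LaunchPermission
    Show-Permission 'AccessPermission' $p.AccessPermission

    # Sharing the service "with Everyone" at authentication level None lets any host on
    # the network activate it; flag that combination so it is a deliberate choice.
    $level = if ($null -ne $p.AuthenticationLevel) { $p.AuthenticationLevel } else { $ole.LegacyAuthenticationLevel }
    $open  = Get-DcomAce $p.AccessPermission |
             Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Sid -in 'S-1-1-0', 'S-1-5-7' }   # Everyone, ANONYMOUS LOGON
    if ($level -eq 1 -and $open) {
        Write-Warning "$($key.PSChildName): authentication None with access granted to $(@($open.Account) -join ', ')"
    }
}
```

Run it as an administrator on the service host, for example .\Get-DcomAudit.ps1 -AppName 'My ATL Service' (the file name is assumed). A "NULL DACL" line is what the CSecurityDescriptor comment in the question describes; the script warns when an application accepts authentication level None and its AccessPermission names Everyone or ANONYMOUS LOGON, since that is what sharing a service "with Everyone" amounts to on the wire.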

Accepted Solution by: jimwasson (earned 200 total points)

There is also an issue with how the authentication is done.  If you don't have a domain controller, or are using a Novell network, I believe that you will have to have identical accounts set up on the server and the client machines -- to the point of having the exact same username and the exact same (case sensitive) passwords.  We have a similar situation and the above fixes it.  If there is a solution without using identical accounts on the client and server machines I'd love to hear it.

Author Comment by: aphillips

Thanks jim.  Unfortunately I have tried all the permission settings in DCOMCNFG (many times actually in combination with other settings), on both client and server.

As you said, without a domain controller we can get it to work if we have identical accounts set up on both machines.  But we wanted to allow anyone on the network to connect to it without the onerous restriction of having them have an account on the service machine.

Since my last post we have also discovered another thing.  We can get it to work in a domain if the service is set up on the domain controller, and the user has a domain account. BUT we can't get the thing to work at all if the service is on a machine in the domain but not on the domain controller itself, even with a domain account and local accounts on both machines all with the same name and password.

Using a service across the network really should be as easy as sharing a disk.  I have spent over a week trying to get this to work and understand NT security.  It really is another MS mess.

Author Comment by: aphillips

I never got completely what I wanted, but we got it working with a domain controller, which it was decided was acceptable.

One bug that was found was that the impersonation level in the call to CoInitializeSecurity() was RPC_C_IMP_LEVEL_DEFAULT rather than RPC_C_IMP_LEVEL_IMPERSONATE.  This had been correct at some stage but had been changed in an attempt to get it working and not changed back.