cocosteel

COM+ application identity

I am having problems setting the correct user identity for my COM+ application:

************************************************
CONTEXT:

1. I have a VB6 DLL managed in a COM+ application on a server machine.  The server machine will be running without anyone logged in.

2. I have NOT set any security on the COM+ application

3. I have several clients on other machines that want to access it.

************************************************


I know that I need to set the application identity to "This User" so that my DLL can run when no one is logged in to the server machine.


BUT - What user do I set "This user" to?  BECAUSE - I have just set "This user" to me, and consequently only I can use the clients to call the DLL.  When anyone else makes a call from the client to the COM+ DLL they get a "permission denied" error.


*******************************************************
QUESTION:

SO - Who do I set "This user" to, so that everyone can use the clients to make calls to the COM+ DLL?

*******************************************************

NB - the permission denied is not related to security on the COM+ application as I have removed all of this.

ajexpert

Hi,
  Just try with Interactive User, the currently logged on user option.

ajexpert
This user means run the DLL as this user.

Have you set authentication level for calls to none on security tab?
I had this problem as well when I created the COM+ component from my machine on the remote machine using the Microsoft Management Console.

The solution was to destroy the COM+ component.
Log into the COM+ machine and recreate the same component.  The identity of the component can still be you, but you have to create the component while logged into the COM+ server.
You can also create an Everyone role and add Everyone to that role.


On each component, bring up Properties and on the Security tab check the Everyone role.
ASKER CERTIFIED SOLUTION
cero

cocosteel (ASKER)

Thanks for replying. I have been testing different scenarios and this is what I have found the problem to be:

*****************************************************

-When the Application Identity is set to "This user" and "This user" is one specific individual (not a user group), then only that user can access the COM+ application.

*****************************************************

So I think I need to specify "This user" as a group of users, so that all in this group can access the COM+ application.

SO NOW THE PROBLEM IS:
When I enter a user group as "This user" I get an error:

"The user account or password is invalid. If you entered a domain account, make sure the name is prefixed with the domain name."

BUT I have prefixed my domain account with a domain, i.e. MyDomain\MyDomainUsers

***************************************
***************************************

SO  How do I specify "This user" as a domain account but get away without supplying a password?
>>SO  How do I specify "This user" as a domain account but get away without supplying a password?


I don't think you can.

Use my method and create a security role under your COM+ package.
EDDYKT

I have my COM+ application.

I have created a role for it, "MyUsers".
I have added a user group to this role.

Then how do I apply this role to the application identity?

thanks

Go to the component.

On each component, bring up Properties; on the Security tab check the MyUsers role.
Just to clarify, my problem is with application identity, not security.

mmm, I don't understand why the approach I gave you (and I always use) doesn't work for you.

Another thing, I doubt that you need to specify "This user" as a group of users.
Also, you must always specify the password, and to specify a Windows domain account use the form: MyDomain\anUserAccount as you did.

You need to debug what is happening, go to the Administrative Tools / Security Policy and audit events such as erroneous logins, after that in the Event Viewer / Security log see what is going on.

First, test without any authentication: clear all security (roles) and in the Security tab of the component's properties window uncheck every security item, and in the combos clear any authentication.

After that add security items as required; as I said in my first comment, the best practice is to use a generic user, and isolate the error.

cero

After you clear roles, the identity is very much related to the Security tab.
By the way, what is your configuration in the Security tab? This can be the determinant??
Sorry, I mean determinant!!
hi cero

I missed your first comment before I posted my next one - that's why it seemed like I ignored you!

Can I just quickly clarify your strategy:

> Create a special user for component use that has a password that never expires.

Q: Is this an individual user or a user group?

- If it is an individual user how will it represent all of the component users.

- Or if it is a user group how do I give a user group a password?
(because it seems the application identity "This user" ALWAYS requires a password)


thanks
PS My security settings are turned off:

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected

3. "Authentication level for calls" - NONE

4. "Impersonation level" - Impersonate

***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicitly set for selected item(s)"  - MyRole is not ticked


Is anybody out there!

Here is where I am with this problem:

1.  I thought I needed to set the application identity to "This user" and set it to a group of users - because when I set "This user" to an individual, only that individual could access the COM+ application.

2. But then when I tried to set "This user" to a user group - the user group had no password and the application identity required a password.  SO...

3. Then I was advised yesterday that I should set the application identity ("This user") to a user specially created for the COM+ application.  And that the special user should have a password that does not expire.

-This made sense to me apart from ONE major sticking point:

-If I specify the application identity as a specially created user - then surely only that user will be able to access my COM+ application??


BUT What i need is for several users to be able to access the application.

I am really stuck.      

thanks for your time.






>>BUT What i need is for several users to be able to access the application

If you want to do that you have to use a security role. That only allows the users in the role to access your component. Try going back to Interactive User. If nobody is logged in, it will use SYSTEM as the user.
Hi EDDYKT

thanks for replying

I followed your instructions (I think they are correct):

1. I changed application identity from "This user" to "Interactive User"
2. I added a role to my application
3. I added "Everyone" to that role
4. On each component, I checked "enforce component level access checks",
    then I checked the Everyone role for each component.
5. I enforced access checks for this application on the application's Security tab
6. I set "authentication level for calls" = Packet
7. I set Impersonation level = Impersonate

Then I exported a proxy to my client machine and installed it.

But when the client tried to instantiate the server component I got


"Automation error
The server process could not be started because the configured identity is incorrect. Check the username and password. The application will now be closed"

Am I doing something wrong?   It would be such a relief to get this working!

*********************

EDDYKT, as an aside - I am really confused about application identity: "This user"
- why is it that only the person specified as "This user" can instantiate the COM+ application, even if they have the security to allow them to call the component.


thanks very much




>>why is it that only the person specified as "this user" - can instanciate the COM+ application.   even if they have the security to allow them to call the component.


This user means the component will start to run as this user you specified. It doesn't mean only this user is allowed to start the component.

In other words, if you want to find out who initiated the component, you will always get this user even when the component was started by user B.

Try to use This user again and see.
hi

Sorry if I am sounding really stupid here.

>>This user means the component will start to run as this user you specified. It doesn't mean only this user is allowed to start the component.

-I have just been testing and when I turn off all security and then set app ID "This user" to UserA - then only I can access the component.
-When anyone else tries to instantiate the component - they get permission denied.

-Then I set "This user" to my colleague: USERB and then only USERB could access the component - and USERA got "Permission denied".

So initially I came to the conclusion that only the user specified in "This user" can instantiate the component?

But if this is incorrect - why can I access the component when I am "This user" and my colleague can only access the component when he is "This user"?








Hi cocosteel,

I don't agree with setting to Interactive User, except for testing purposes.
When you set "This user", you are telling COM+ that the component will use the permissions given to "This user"; that says nothing about who has permission to call the component, which is established with roles.

I strongly recommend activating the security policies and checking the Event Viewer / Security log to see what exact permission is being denied.


I check my components and this is the configuration. (With a generic user set as "this user")

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED  
(OK)

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected
(OK)

3. "Authentication level for calls" - NONE
(PACKET)

4. "Impersonation level" - Impersonate
(OK)
***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicity set for selected item(s)"  - MyRole is not ticked

Well, this is the same; in my case 1 is TICKED and in 2. there is no role in the list.

Also, in the General tab it is a server application, is that OK??


About your question
"-If i specify the application identity as a specially created user - Then surely only that user will be able to access my COM+ application??"

Again, setting to "this user" is only to set  permissions that the component will use, nothing about what user is capable to call the component.

For setting which users will be enabled to call the component you set roles and grant the permission, or delete the roles.

You can disable roles altogether (I do that) or you can create a role and add all your group of users to that role.

I'd recommend trying both approaches.

cero
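The identity-versus-roles split cero describes above can also be set from a script instead of the Component Services snap-in. The following PowerShell is an added example written for this edit, not code from the thread or from any of its participants. It drives the COMAdmin.COMAdminCatalog automation object (the same catalog the MMC snap-in edits) to put a dedicated service account in "This user" and a domain group in a role, so that what the process runs as and who may call it are configured separately. The application name "ParseServer", the account "MYDOMAIN\svc_parseserver", the role "MyUsers" and the group "MYDOMAIN\ParseUsers" are placeholders assumed for the example; run it elevated on the COM+ server.

```powershell
# Added example (not from the thread). Separates COM+ "identity" (the account the
# server process runs as) from "roles" (the callers allowed in), using the
# COMAdmin.COMAdminCatalog object. Assumed placeholders: ParseServer,
# MYDOMAIN\svc_parseserver, MyUsers, MYDOMAIN\ParseUsers. Run elevated on the server.
param(
    [string]$AppName     = 'ParseServer',
    [string]$Identity    = 'MYDOMAIN\svc_parseserver',  # dedicated account, non-expiring password
    [string]$RoleName    = 'MyUsers',
    [string]$CallerGroup = 'MYDOMAIN\ParseUsers'        # the group of people allowed to call
)

# COMAdmin enumeration values (from the COMAdmin type library)
$COMAdminAuthenticationPacket                  = 4   # "Packet" in the Security tab
$COMAdminImpersonationImpersonate              = 3   # "Impersonate"
$COMAdminAccessChecksApplicationComponentLevel = 1   # process + component level checks

# Returns the catalog object in $collection whose property $prop equals $value, or $null.
function Find-CatalogObject($collection, [string]$prop, [string]$value) {
    $collection.Populate()
    for ($i = 0; $i -lt $collection.Count; $i++) {
        $obj = $collection.Item($i)
        if ($obj.Value($prop) -eq $value) { return $obj }
    }
    return $null
}

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$app     = Find-CatalogObject $apps 'Name' $AppName
if (-not $app) { throw "COM+ application '$AppName' not found" }

# 1. Identity: "This user" = the service account. This fixes the token dllhost.exe
#    gets; it grants nobody the right to call. A group cannot go here because the
#    catalog needs a password it can log the account on with.
$cred = Get-Credential -UserName $Identity -Message "Password for $Identity"
$app.Value('Identity') = $cred.UserName
$app.Value('Password') = $cred.GetNetworkCredential().Password

# 2. Authenticate callers at Packet level so role membership can be evaluated
#    (with "None" the caller is anonymous and roles cannot work), and turn on
#    access checks at application + component level.
$app.Value('Authentication')                 = $COMAdminAuthenticationPacket
$app.Value('ImpersonationLevel')             = $COMAdminImpersonationImpersonate
$app.Value('ApplicationAccessChecksEnabled') = $true
$app.Value('AccessChecksLevel')              = $COMAdminAccessChecksApplicationComponentLevel
$apps.SaveChanges() | Out-Null

# 3. Role holding the callers: a domain group, so adding a user later is an AD
#    change, not a COM+ change.
$roles = $apps.GetCollection('Roles', $app.Key)
$role  = Find-CatalogObject $roles 'Name' $RoleName
if (-not $role) {
    $role = $roles.Add()
    $role.Value('Name') = $RoleName
    $roles.SaveChanges() | Out-Null
}
$members = $roles.GetCollection('UsersInRole', $role.Key)
if (-not (Find-CatalogObject $members 'User' $CallerGroup)) {
    $m = $members.Add()
    $m.Value('User') = $CallerGroup
    $members.SaveChanges() | Out-Null
}

# 4. Bind the role to every component and enforce component-level checks, which is
#    the per-component "Roles explicitly set for selected item(s)" checkbox.
$components = $apps.GetCollection('Components', $app.Key)
$components.Populate()
for ($i = 0; $i -lt $components.Count; $i++) {
    $comp = $components.Item($i)
    $comp.Value('ComponentAccessChecksEnabled') = $true
    $rfc = $components.GetCollection('RolesForComponent', $comp.Key)
    if (-not (Find-CatalogObject $rfc 'Name' $RoleName)) {
        $r = $rfc.Add()
        $r.Value('Name') = $RoleName
        $rfc.SaveChanges() | Out-Null
    }
}
$components.SaveChanges() | Out-Null
Write-Host "Identity=$Identity; callers=$CallerGroup via role $RoleName; Packet authentication enforced."
```

After it runs, the application's Security tab shows "Enforce access checks" ticked, authentication Packet and impersonation Impersonate, and each component lists MyUsers under "Roles explicitly set". Callers outside MYDOMAIN\ParseUsers get "Permission denied" on activation, while the dllhost.exe process runs under svc_parseserver whoever called it. The Identity field needs a real logon, which is why a group with no password produces the "user account or password is invalid" error reported earlier in the thread; groups belong in the role.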

cocosteel:

What does the component do?? Access a database with integrated security or something?? Or call another component, or is the component called from another?? Or do some authentication??

Have you tested using a simple client?

The question is, are you sure that the permission denied is for calling the component or is inside the code, maybe a database authentication?

Again, I'd recommend doing the security policy thing and checking in the Event Viewer what the exact permission being denied is.

cero.
cero:

>>What's the component do?? access a database with integrated security or something?? or call another component or the component is called from another?? or do some authentication??

1. Extracts data from xml and puts into a SQL db
2. Moves some files about on the server

But guess what -
-I followed your advice and just did a simple server - put it on
the server machine
-set me as the application identity
-added security for me and my colleague - exported the proxy.
- AND IT RAN FOR ME AND MY COLLEAGUE !!! FANTASTIC

So you and EDDYKT were absolutely correct about the application identity having no influence on the client accessing the server.  I just couldn't see it.

It looks like the permission problem is caused just after the client instantiates the server (which is running under my ID) - and then the client tries to set a property on the server.

This is the property code in the COM+ application

'****************************************
' Server side: public property on the CReportFile class in the COM+ application
Public IParseInterface As ParseInterfaceV1.IParseInterface

Public Property Set Interface(ByVal objdata As ParseInterfaceV1.IParseInterface)

    ' Hold the client's callback object; the server raises its custom events through it
    Set IParseInterface = objdata

End Property
'****************************************

The client sets it like this:

'****************************************
Dim objReportFile As Object   ' one variable name throughout (the original mixed objReporterFile / objReportFile)

Set objReportFile = CreateObject("ParseServer.CReportFile") ' New CReportFile

Set objReportFile.Interface = Me   ' THIS IS WHERE I GET PERMISSION DENIED.
'****************************************

(The interface ParseInterfaceV1.IParseInterface is a dll that is registered on the client and the server and used to send custom events from server to client.)


-------------------------------------------

So for some reason the client does not have the permission to set an interface on the server.  

   






SOLUTION

mmm

When you ran your code and set "This user" to you, it executed correctly, is that right?
And when you set "This user" to your colleague it executed correctly too??

So the problem does not seem to be in the code, right? Because the code ran correctly, but fails with permissions.

About the interface

>>(The interface ParseInterfaceV1.IParseInterface is a dll that is registered on the client and the server and used to send custom events from server to client.)

how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??

I'll strongly recommend to do the policy thing and see the event viewer, again.

cero
>>how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??


You can export from the COM+ package with Application proxy enabled to an .msi file and then run it on the client machine.
EDDYKT:

I'm asking cocosteel about another DLL, where ParseInterfaceV1.IParseInterface resides; we don't have information about that...

cero.
cero:

1. >>When you ran your code, and set the "this user" for you,  you execute it correctly, it's OK?
And when you set "this user" for your colleague execute it correctly ok??

--when i ran the simple COM+ server both my colleague and I could access it from the client.

--When I ran my real XML parsing COM+ server - both of us could instantiate it but only the user specified as "This user" could set the interface.  The other got "permission denied".

**********************************************

2. >>how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??

One copy of the interface is registered on the server (with regsvr32.exe) and one copy of the interface is registered on the client (with regsvr32.exe).  Then in the COM+ application the server component has this Parseinterface as an early bound reference.

***********************************************

Perhaps this suggests that "this user" on the COM+ application does not have enough permissions to talk to the ParseInterface.  Only when the client is the same user as "this user" does that combination give enough permissions to talk to the interface.  When the client is not this user "this user" cannot muster enough permissions to talk to the interface.
Yeah, I think we are in the right direction...
Maybe the permission is on the client.

BTW, are you and your colleague administrators on your respective computers??

Have you tested the app switching machines?? I mean, you with your account from your colleague's machine.

I'd recommend giving full permissions to you and your colleague on the local machines (clients), only for testing purposes.

Maybe the DLL needs access on the local machine (the client) to some resources, like access to the registry or a directory; on the server it seems there is no problem...

Client machines are W2k Prof??

Hey, why don't you do the policy thing??
BTW, why couldn't the second DLL be a COM+ server installed on the server, registering only the clients on each machine??
hi cero

>>Hey, why don't you do the policy thing??   What is the policy thing?


>>BTW, why couldn't the second DLL be a COM+ server installed on the server, registering only the clients on each machine??

Do you mean install the ParseInterface.dll into its own COM+ application next to the main DLL?  This may reduce the problems with permissions?  Then use regsvr32.exe for the ParseInterface.dll ONLY on the client machines.

thanks

hi cocosteel,

The policy thing: in a previous comment....
>>You need to debug what is happening, go to the Administrative Tools / Security Policy and audit events such as erroneous logins, after that in the Event Viewer / Security log see what is going on.

About the second point, the ParseInterface, I don't know your complete architecture, but yes, you could install the ParseInterface in its own DLL and create a proxy client application from this and install that proxy on each client, not using regsvr32.

Do that if it's possible and give us your feedback.

regards,

cero
This last approach definitely reduces your administrative tasks such as permissions.
HALLELUJAH!!!!

IT ACTUALLY WORKS.

The solution is an equal  combination of

1. cero's idea to create a generic application identity with lots of permissions

and

2. EDDYKT's suggestion to use the Object datatype when setting my server interface

I tried one without the other and it didn't work - so it is an even split.

Thank you for your help, it has been 1ST CLASS, I really appreciate it.


PS sorry one of you didn't get all the points but it was genuinely a team effort


Glad we can help. Good luck

8->
me too, glad we can help you!

cero