Solved

COM+ application identity

Posted on 2003-11-13
Last Modified: 2007-12-19
I am having problems setting the correct user identity for my COM+ application:

************************************************
CONTEXT:

1. I have a vb6 dll managed in a COM+ application on a server machine.  The server machine will be running without anyone logged in.

2. I have NOT set any security on the COM+ application.

3. I have several clients on other machines that want to access it.

************************************************


I know that I need to set the application identity to "This User", so that my dll can run when no one is logged in to the server machine.


BUT - What user do I set "This user" to?  BECAUSE - I have just set "This user" to me, and consequently only I can use the clients to call the DLL.  When anyone else makes a call from the Client to the COM+ Dll, they get a "permission denied" error.


*******************************************************
QUESTION:

SO - Who do I set "This user" to, so that everyone can use the clients to make calls to the COM+ dll?

*******************************************************

NB - the permission denied is not related to security on the COM+ application, as I have removed all of this.

Question by:cocosteel
36 Comments
 
LVL 14

Expert Comment

by:ajexpert
ID: 9739169
Hi,
  Just try with the interactive user, i.e. the "current logged on user" option.

ajexpert
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9739176
"This user" means the dll runs as this user.

Have you set the authentication level for calls to None on the security tab?
0
 
LVL 15

Expert Comment

by:SRigney
ID: 9739180
I had this problem as well when I created the COM+ component from my machine on the remote machine using Microsoft Management Console.

The solution was to destroy the COM+ component.
Log into the COM+ machine and recreate the same component.  The identity of the component can still be you, but you have to create the component while logged into the COM+ server.
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9739186
You can also create an Everyone role and add Everyone to that role.


On each component, bring up properties and on the security tab, check the Everyone role.
0
 
LVL 2

Accepted Solution

by:cero (earned 250 total points)
ID: 9739812
Hi cocosteel,

You are right, you have to set the app identity to "This user". The user that you set up there is a special user, a user created only for component use. Tell your security team to create a user with these characteristics:

1. Password never expires.
2. Access to the necessary databases and the necessary resources.

When any user invokes your component, that component accesses the necessary resources with the identity set (the generic user).
If you don't create roles, any user is able to call the component, so there is no need to do anything else.

regards,

cero

0
 

Author Comment

by:cocosteel
ID: 9740165
Thanks for replying. I have been testing different scenarios and this is what I have found the problem to be:

*****************************************************

-When the Application Identity is set to "This user" and "This user" is one specific individual (not a user group), then only that user can access the COM+ application.

*****************************************************

So I think I need to specify "This user" as a group of users, so that all in this group can access the COM+ application.

SO NOW THE PROBLEM IS:
when I enter a user group as "This user", I get an error:

"The user account or password is invalid. If you entered a domain account, make sure the name is prefixed with the domain name."

BUT I have prefixed my domain account with a domain, i.e.   MyDomain\MyDomainUsers

***************************************
***************************************

SO how do I specify "This user" as a domain account, but get away without supplying a password?
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9740300
>>SO how do I specify "This user" as a domain account, but get away without supplying a password?


I don't think you can.

Use my method and create a security role under your COM+ package.
0
 

Author Comment

by:cocosteel
ID: 9740388
EDDYKT

I have my COM+ application.

I have created a role for it, "MyUsers".
I have added a user group to this role.

Then how do I apply this role to the application identity?

thanks

0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9740470
Go to the components.

On each component, bring up properties, and on the security tab check the MyUsers role.
0
 

Author Comment

by:cocosteel
ID: 9740476
Just to clarify, my problem is with application identity, not security.
0
 
LVL 2

Expert Comment

by:cero
ID: 9740508

mmm, I don't understand why the approach I gave you (and I always use) doesn't work for you.

Another thing: I doubt that you need to specify "This user" as a group of users.
Also, you must always specify the password, and to specify a Windows domain account use the form MyDomain\anUserAccount, as you did.

You need to debug what is happening: go to Administrative Tools / Security Policy and audit events such as logon failures; after that, in the Event Viewer / Security log, see what is going on.

First, test without any authentication: clear all security (roles), and in the security tab of the component's properties window uncheck every security item, and in the combos, clear any authentication.

After that add security items as required. As I said in my first comment, the best practice is to use a generic user, and isolate the error.

cero
0
 
LVL 2

Expert Comment

by:cero
ID: 9740546

After you clear roles, the identity is very related to the security tab.
By the way, what is your configuration in the security tab? This can be the determinant??
0
 
LVL 2

Expert Comment

by:cero
ID: 9740551
Sorry, I mean determinant!!
0
 

Author Comment

by:cocosteel
ID: 9741116
hi cero

I missed your first comment before I posted my next one - that's why it seemed like I ignored you!

Can I just quickly clarify your strategy:

> Create a special user for component use that has a password that never expires.

Q: Is this an individual user or a user group?

- If it is an individual user, how will it represent all of the component users?

- Or if it is a user group, how do I give a user group a password?
(because it seems the application identity "This user" ALWAYS requires a password)


thanks
0
 

Author Comment

by:cocosteel
ID: 9741244
PS My security settings are turned off:

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected

3. "Authentication level for calls" - NONE

4. "Impersonation level" - Impersonate

***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicitly set for selected item(s)"  - MyRole is not ticked


0
 

Author Comment

by:cocosteel
ID: 9746046
Is anybody out there!

Here is where I am with this problem:

1.  I thought I needed to set the application identity to "This user" and set it to a group of users - because when I set "This user" to an individual, only that individual could access the COM+ application.

2. But then when I tried to set "This user" to a user group, the user group had no password and the application identity required a password.  SO...

3. Then I was advised yesterday that I should set the application identity ("This user") to a user specially created for the COM+ application, and that the special user should have a password that does not expire.

-This made sense to me apart from ONE major sticking point:

-If I specify the application identity as a specially created user, then surely only that user will be able to access my COM+ application??


BUT what I need is for several users to be able to access the application.

I am really stuck.

thanks for your time.






0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9747303
>>BUT what I need is for several users to be able to access the application

If you want to do that you have to use a security role. That only allows the users in the role to access your component. Try to turn back to interactive user. If nobody is logged in, it will use SYSTEM as the user.
0
 

Author Comment

by:cocosteel
ID: 9748173
Hi EDDYKT

thanks for replying

I followed your instructions (I think they are correct):

1. I changed the application identity from "This user" to "Interactive User"
2. I added a role to my application
3. I added "Everyone" to that role
4. On each component, I checked "enforce component level access checks",
    then I checked the Everyone role for each component.
5. I enforced access checks for this application - on the application's security tab
6. I set "authentication level for calls" = Packet
7. I set Impersonation level = Impersonate

Then I exported a proxy to my client machine and installed it.

But when the client tried to instantiate the server component I got


"Automation error
The server process could not be started because the configured identity is incorrect. Check the username and password. The application will now be closed"

Am I doing something wrong?   It would be such a relief to get this working!

*********************

EDDYKT, as an aside - I am really confused about application identity: "this user"
- why is it that only the person specified as "this user" can instantiate the COM+ application, even if they have the security to allow them to call the component?


thanks very much




0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9748244
>>why is it that only the person specified as "this user" can instantiate the COM+ application, even if they have the security to allow them to call the component?


"This user" means the component will start to run as the user you specified. It doesn't mean only this user is allowed to start the component.

In other words, if you want to find out who initiated the component, you will always get this user even if the component was started by user B.

Try to use "This user" again and see.
0
 

Author Comment

by:cocosteel
ID: 9748547
hi

Sorry if I am sounding really stupid here.

>>"This user" means the component will start to run as the user you specified. It doesn't mean only this user is allowed to start the component.

-I have just been testing, and when I turn off all security and then set app ID "This user" to UserA, then only I can access the component.
-When anyone else tries to instantiate the component, they get permission denied.

-Then I set "This user" to my colleague, USERB, and then only USERB could access the component, and USERA got "Permission denied".

So initially I came to the conclusion that only the user specified in "This user" can instantiate the component?

But if this is incorrect, why can I access the component when I am "This user" and my colleague can only access the component when he is "This user"?








0
 
LVL 2

Expert Comment

by:cero
ID: 9748576
Hi cocoostel,

I don't agree with setting it to interactive user, except for testing purposes.
When you set "this user", you are telling COM+ that the component will use the permissions set for "this user"; that says nothing about who has permission to call the component, which is established with roles.

I strongly recommend activating security policies and checking the event viewer/security log to see what exact permission is being denied.


I checked my components and this is the configuration (with a generic user set as "this user"):

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED  
(OK)

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected
(OK)

3. "Authentication level for calls" - NONE
(PACKET)

4. "Impersonation level" - Impersonate
(OK)
***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicitly set for selected item(s)"  - MyRole is not ticked

Well, this is the same, except in my case 1 is TICKED and in 2. there is no role in the list..

Also, in the General tab it is a server application, is that OK??


About your question
"-If I specify the application identity as a specially created user, then surely only that user will be able to access my COM+ application??"

Again, setting "this user" only sets the permissions that the component will use, nothing about which user is capable of calling the component.

For setting which users will be enabled to call the component you set roles and grant the permission, or delete roles.

You can disable roles altogether (I do that) or you can create a role and add all your group of users to that role.

I'd recommend trying both approaches.

cero

0
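As an added example (not code from any participant in this thread), the following PowerShell script reads the same settings the discussion keeps returning to (identity, access checks, authentication level, impersonation, roles) through the COMAdmin catalog that the Component Services snap-in itself uses, and flags the combinations the thread identifies as problematic. It assumes it runs elevated on the COM+ server; the application name is a placeholder.

```powershell
# Added example: audit a COM+ application's identity and call-security settings.
# Assumes an elevated session on the COM+ server. $AppName is a placeholder.
param([string]$AppName = "MyComPlusApp")   # placeholder, not a name from the thread

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection("Applications")
$apps.Populate()

$app = $apps | Where-Object { $_.Name -eq $AppName }
if (-not $app) { throw "COM+ application '$AppName' not found" }

# COMAdminAuthenticationLevel and COMAdminImpersonationLevel enum values
$authNames = @{0="Default";1="None";2="Connect";3="Call";4="Packet";5="Integrity";6="Privacy"}
$impNames  = @{1="Anonymous";2="Identify";3="Impersonate";4="Delegate"}

$identity     = $app.Value("Identity")                      # "Interactive User" or DOMAIN\account
$isServerApp  = ($app.Value("Activation") -eq 1)            # 1 = COMAdminActivationLocal (server app)
$accessChecks = $app.Value("ApplicationAccessChecksEnabled") # "Enforce access checks" checkbox
$auth         = [int]$app.Value("Authentication")
$imp          = [int]$app.Value("ImpersonationLevel")

"Application    : $($app.Name)"
"Server app     : $isServerApp"
"Identity       : $identity"
"Access checks  : $accessChecks"
"Authentication : $($authNames[$auth])"
"Impersonation  : $($impNames[$imp])"

# Roles decide WHO may call; identity only decides WHAT the process runs as.
$roles = $apps.GetCollection("Roles", $app.Key)
$roles.Populate()
foreach ($role in $roles) {
    $users = $roles.GetCollection("UsersInRole", $role.Key)
    $users.Populate()
    $members = ($users | ForEach-Object { $_.Value("User") }) -join ", "
    "Role '$($role.Name)': $members"
}

# Findings that follow from the points raised in the thread.
$findings = @()
if ($isServerApp -and $identity -eq "Interactive User") {
    $findings += "Identity is 'Interactive User': the process runs as whoever is logged on at the console, unsuitable for an unattended server."
}
if ($auth -eq 1) {
    $findings += "Authentication level is None: callers are not authenticated; Packet is the usual baseline."
} elseif ($auth -eq 0) {
    $findings += "Authentication level is Default: effective level depends on the machine-wide DCOM setting."
}
if (-not $accessChecks) {
    $findings += "Access checks disabled: any caller who can reach the server may activate the component, whatever the roles say."
} elseif ($roles.Count -eq 0) {
    $findings += "Access checks enabled but no roles defined: nobody can call the component."
}
if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
```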
 
LVL 2

Expert Comment

by:cero
ID: 9748683
cocoostel:

What does the component do?? Access a database with integrated security or something?? Or call another component, or is the component called from another?? Or do some authentication??

Have you tested using a simple client?

The question is, are you sure that the permission denied is for calling the component, or is it inside the code, maybe a database authentication?

Again, I'd recommend doing the security policy thing and checking in the event viewer what exact permission is being denied.

cero.
0
 

Author Comment

by:cocosteel
ID: 9749468
cero:

>>What does the component do?? Access a database with integrated security or something?? Or call another component, or is the component called from another?? Or do some authentication??

1. Extracts data from xml and puts it into a SQL db
2. Moves some files about on the server

But guess what -
-I followed your advice and just did a simple server - put it on
the server machine
-set me as the application identity
-added security for me and my colleague - exported the proxy.
- AND IT RAN FOR ME AND MY COLLEAGUE !!! FANTASTIC

So you and EDDYKT were absolutely correct about the application identity having no influence on the client accessing the server.  I just couldn't see it.

It looks like the permission problem is caused just after the client instantiates the server (which is running under my ID) and then the client tries to set a property on the server.

This is the property code in the COM+ application

'****************************************
Public IParseInterface As ParseInterfaceV1.IParseInterface

Public Property Set Interface(ByVal objdata As ParseInterfaceV1.IParseInterface)

Set IParseInterface = objdata

End Property
'****************************************

The client sets it like this :

'****************************************
Dim objReportFile As Object
Set objReportFile = CreateObject("ParseServer.CReportFile") ' New CReportFile

Set objReportFile.Interface = Me   ' THIS IS WHERE I GET PERMISSION DENIED.
'****************************************

(The interface ParseInterfaceV1.IParseInterface is a dll that is registered on the client and the server and used to send custom events from server to client.)


-------------------------------------------

So for some reason the client does not have permission to set an interface on the server.

   






0
 
LVL 26

Assisted Solution

by:EDDYKT
EDDYKT earned 250 total points
ID: 9749592
I would use Object or Variant instead,

i.e.
Public Property Set Interface(ByVal objdata As Object)
    ' Late-bound parameter; cast to the early-bound interface inside the server
    Dim obj As ParseInterfaceV1.IParseInterface
    Set obj = objdata
    Set IParseInterface = obj
End Property
0
 
LVL 2

Expert Comment

by:cero
ID: 9749715
mmm

When you ran your code and set "this user" to you, it executed correctly, OK?
And when you set "this user" to your colleague it executed correctly, OK??

So the problem doesn't seem to be in the code, right? Because the code ran correctly, but fails with permissions.

About the interface

>>(The interface ParseInterfaceV1.IParseInterface is a dll that is registered on the client and the server and used to send custom events from server to client.)

How is it registered?? In COM+, with users set? Or is it a dll registered with regsvr32? What user is executing this dll on the client?? On the server??

I'd strongly recommend doing the policy thing and looking at the event viewer, again.

cero
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9749764
>>how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??


You can export from the COM+ package with Application proxy enabled to an .msi file and then run it on the client machine.
0
 
LVL 2

Expert Comment

by:cero
ID: 9750332
EDDYKT:

I'm asking cocoostel about the other dll, where ParseInterfaceV1.IParseInterface resides; we don't have information about that...

cero.
0
 

Author Comment

by:cocosteel
ID: 9753133
cero:

1. >>When you ran your code and set "this user" to you, it executed correctly, OK?
And when you set "this user" to your colleague it executed correctly, OK??

--When I ran the simple COM+ server, both my colleague and I could access it from the client.

--When I ran my real XML parsing COM+ server, both of us could instantiate it but only the user specified as "This user" could set the interface.  The other got "permission denied".

**********************************************

2. >>How is it registered?? In COM+, with users set? Or is it a dll registered with regsvr32? What user is executing this dll on the client?? On the server??

One copy of the interface is registered on the server (with regsvr32.exe) and one copy of the interface is registered on the client (with regsvr32.exe).  Then in the COM+ application the server component has this ParseInterface as an early bound reference.

***********************************************

Perhaps this suggests that "this user" on the COM+ application does not have enough permissions to talk to the ParseInterface.  Only when the client is the same user as "this user" does that combination give enough permissions to talk to the interface.  When the client is not "this user", "this user" cannot muster enough permissions to talk to the interface.
0
 
LVL 2

Expert Comment

by:cero
ID: 9754604
Yeah, I think we are going in the right direction...
Maybe the permission is on the client.

BTW, are you and your colleague administrators on your respective computers??

Have you tested the app switching machines?? I mean, you with your account from your colleague's machine.

I'd recommend giving full permissions to you and your colleague on the local machines (clients), only for testing purposes.

Maybe the dll needs access on the local machine (the client) to some resources, like access to the registry or a directory; on the server it seems there is no problem...

Are the client machines W2K Prof??

Hey, why don't you do the policy thing??
0
 
LVL 2

Expert Comment

by:cero
ID: 9754612
BTW, why couldn't the second dll be a COM+ server installed on the server?? And register only clients on each machine??
0
 

Author Comment

by:cocosteel
ID: 9758020
hi cero

>>Hey, why don't you do the policy thing??   What is the policy thing?


>>BTW, why couldn't the second dll be a COM+ server installed on the server?? And register only clients on each machine??

Do you mean install the ParseInterface.dll into its own COM+ application next to the main dll? This may reduce the problems with permissions?  Then use regsvr32.exe for the ParseInterface.dll ONLY on the client machines.

thanks

0
 
LVL 2

Expert Comment

by:cero
ID: 9761053
hi cocoostel,

The policy thing: in a previous comment....
>>You need to debug what is happening: go to Administrative Tools / Security Policy and audit events such as logon failures; after that, in the Event Viewer / Security log, see what is going on.

About the second point, the ParseInterface: I don't know your complete architecture, but yes, you could install the ParseInterface in its own COM+ application, create a proxy client application from it and install that proxy on each client, not using regsvr32.

Do that if it's possible and give us your feedback.

regards,

cero
0
 
LVL 2

Expert Comment

by:cero
ID: 9761060
This last approach definitely reduces your administrative tasks such as permissions.
0
 

Author Comment

by:cocosteel
ID: 9762941
HALLELUJAH!!!!

IT ACTUALLY WORKS.

The solution is an equal combination of

1. cero's idea to create a generic application identity with lots of permissions

and

2. EDDYKT's suggestion to use the Object datatype when setting my server interface

I tried one without the other and it didn't work - so it is an even split.

Thank you for your help, it has been 1ST CLASS, I really appreciate it.


ps sorry one of you didn't get all the points, but it was genuinely a team effort


0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9763067
Glad we can help. Good luck

8->
0
 
LVL 2

Expert Comment

by:cero
ID: 9771073
me too, glad we can help you!

cero


0
