Solved

COM+ application identity

Posted on 2003-11-13
Last Modified: 2007-12-19
I am having problems setting the correct user identity for my COM+ application:

************************************************
CONTEXT:

1. I have a VB6 DLL managed in a COM+ application on a server machine.  The server machine will be running without anyone logged in.

2. I have NOT set any security on the COM+ application.

3. I have several clients on other machines that want to access it.

************************************************


I know that I need to set the application identity to "This User", so that my DLL can run when no one is logged in to the server machine.


BUT - What user do I set "This user" to?  BECAUSE - I have just set "This user" to me, and consequently only I can use the clients to call the DLL.  When anyone else makes a call from the client to the COM+ DLL, they get a "permission denied" error.


*******************************************************
QUESTION:

SO - Who do I set "This user" to, so that everyone can use the clients to make calls to the COM+ DLL?

*******************************************************

NB - the permission denied is not related to security on the COM+ application as I have removed all of this.

0
Question by:cocosteel
36 Comments
 
LVL 14

Expert Comment

by:ajexpert
ID: 9739169
Hi,
  Just try with interactive user.  The current logged on user option.

ajexpert
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9739176
This user means run dll from this user

Have you set authentication level for calls to none on security tab?
0
 
LVL 15

Expert Comment

by:SRigney
ID: 9739180
I had this problem as well when I created the COM+ component from my machine on the remote machine using Microsoft Management console.

The solution was to destroy the COM+ component.
Log into the COM+ machine and recreate the same component.  The identity of the component can still be you, but you have to create the component while logged into the COM+ server.
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9739186
You can also create an Everyone role and add Everyone to that role.


On each component, bring up properties and on the security tab, check the Everyone role.
0
 
LVL 2

Accepted Solution

by:
cero earned 250 total points
ID: 9739812
Hi cocosteel,

You are right, you have to set the app identity to "This user". The user that you have to set up there is a special user, a user created only for component use. Tell your security team to create a user with these characteristics:

1. Password never expires.
2. Access to the necessary databases and access to the necessary resources.

When any user invokes your component, that component accesses the necessary resources with the identity set (with the generic user).
If you don't create roles, any user is able to call the component, so there is no need to do anything else.

regards,

cero

0
 

Author Comment

by:cocosteel
ID: 9740165
Thanks for replying. I have been testing different scenarios and this is what I have found the problem to be:

*****************************************************

- When the application identity is set to "this user" and "this user" is one specific individual (not a user group), then only that user can access the COM+ application.

*****************************************************

So I think I need to specify "This user" as a group of users, so that all in this group can access the COM+ application.

SO NOW THE PROBLEM IS:
when I enter a user group as "This user" - I get an error

"The user account or password is invalid. if you entered a domain account, make sure the name is prefixed with the domain name."

BUT I have prefixed my domain account with a domain, i.e.   MyDomain\MyDomainUsers

***************************************
***************************************

SO  How do I specify "This user" as a domain account - but get away without supplying a password?
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9740300
>>SO  How do i specify "This user" as a domain account - but get away with out supplying a password.


I don't think you can.

Use my method and create a security role under your COM+ package.
0
 

Author Comment

by:cocosteel
ID: 9740388
EDDYKT

I have my COM+ application.

I have created a role for it, "MyUsers".
I have added a user group to this role.

Then how do I apply this role to the application identity?

thanks

0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9740470
Go to the component.

On each component, bring up properties, and on the security tab check the MyUsers role.
0
 

Author Comment

by:cocosteel
ID: 9740476
Just to clarify, my problem is with application identity, not security.
0
 
LVL 2

Expert Comment

by:cero
ID: 9740508

mmm, I don't understand why the approach I gave you (and I always use) doesn't work for you.

Another thing, I doubt that you need to specify "This user" as a group of users.
Also, you must always specify the password, and to specify a Windows domain account use the form:  MyDomain\anUserAccount, as you did.

You need to debug what is happening: go to Administrative Tools / Security Policy and audit events such as logon failures, and after that in the Event Viewer / Security log see what is going on.

First, test without any authentication: clear all security (roles), in the security tab of the properties window of the component uncheck every security item, and in the combos, clear any authentication.

After that add security items as required. As I said in my first comment, the best practice is to use a generic user, and isolate the error.

cero
0
 
LVL 2

Expert Comment

by:cero
ID: 9740546

After you clear roles, the identity is very related to the security tab.
By the way, what is your configuration in the security tab? This can be the determinant??
0
 
LVL 2

Expert Comment

by:cero
ID: 9740551
Sorry, I mean determinant!!
0
 

Author Comment

by:cocosteel
ID: 9741116
hi cero

I missed your first comment before I posted my next one - that's why it seemed like I ignored you!

Can I just quickly clarify your strategy:

> Create a special user for component use that has a password that never expires.

Q: Is this an individual user or a user group?

- If it is an individual user, how will it represent all of the component users?

- Or if it is a user group, how do I give a user group a password?
(because it seems the application identity "This user" ALWAYS requires a password)


thanks
0
 

Author Comment

by:cocosteel
ID: 9741244
PS My security settings are turned off:

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected

3. "Authentication level for calls" - NONE

4. "Impersonation level" - Impersonate

***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicitly set for selected item(s)"  - MyRole is not ticked


0
 

Author Comment

by:cocosteel
ID: 9746046
Is anybody out there!

Here is where I am with this problem:

1.  I thought I needed to set the application identity to "This user" and set it to a group of users - because when I set "This user" to an individual, only that individual could access the COM+ application.

2. But then when I tried to set "This user" to a user group, the user group had no password and the application identity required a password.  SO...

3. Then I was advised yesterday that I should set the application identity ("This user") to a user specially created for the COM+ application, and that the special user should have a password that does not expire.

- This made sense to me apart from ONE major sticking point:

- If I specify the application identity as a specially created user, then surely only that user will be able to access my COM+ application??


BUT what I need is for several users to be able to access the application.

I am really stuck.

Thanks for your time.
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9747303
>>BUT What i need is for several users to be able to access the application

If you want to do that you have to use a security role. That only allows the users in the role to access your component. Try going back to interactive user. If nobody is logged in, it will use SYSTEM as the user.
0
 

Author Comment

by:cocosteel
ID: 9748173
Hi EDDYKT

thanks for replying

I followed your instructions (I think they are correct):

1. I changed the application identity from "This user" to "Interactive User"
2. I added a role to my application
3. I added "Everyone" to that role
4. On each component, I checked "enforce component level access checks",
    then I checked the Everyone role for each component.
5. I enforced access checks for this application - on the application's security tab
6. I set "authentication level for calls" = Packet
7. I set Impersonation level = Impersonate

Then I exported a proxy to my client machine and installed it.

But when the client tried to instantiate the server component I got


"Automation error
The server process could not be started because the configured identity is incorrect. check the username and password. the application will now be closed"

Am I doing something wrong?   It would be such a relief to get this working!

*********************

EDDYKT, as an aside - I am really confused about application identity: "this user"
- why is it that only the person specified as "this user" can instantiate the COM+ application, even if they have the security to allow them to call the component?


Thanks very much
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9748244
>>why is it that only the person specified as "this user" - can instantiate the COM+ application.   even if they have the security to allow them to call the component.


"This user" means the component will start to run as the user you specified. It doesn't mean only this user is allowed to start the component.

In other words, if you want to find out who initiated the component, you will always get this user even if the component is started by user B.

Try to use "this user" again and see.
0
 

Author Comment

by:cocosteel
ID: 9748547
hi

Sorry if I am sounding really stupid here.

>>This user means the component will start to run as this use you specified. It doesn't mean only this user allows to start the component.

- I have just been testing and when I turn off all security and then set app ID "This user" to UserA, then only I can access the component.
- When anyone else tries to instantiate the component, they get permission denied.

- Then I set "This user" to my colleague, UserB, and then only UserB could access the component, and UserA got "Permission denied".

So initially I came to the conclusion that only the user specified in "This user" can instantiate the component?

But if this is incorrect, why can I access the component when I am "This user" and my colleague can only access the component when he is "This user"?
0
 
LVL 2

Expert Comment

by:cero
ID: 9748576
Hi cocosteel,

I don't agree with setting it to interactive user, except for testing purposes.
When you set "this user", you are telling COM+ that the component will use the permissions set for "this user"; that says nothing about who has permission to call the component, which is established with roles.

I strongly recommend activating security policies and checking the Event Viewer / Security log to see what exact permission is being denied.


I checked my components and this is the configuration. (With a generic user set as "this user")

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED
(OK)

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected
(OK)

3. "Authentication level for calls" - NONE
(PACKET)

4. "Impersonation level" - Impersonate
(OK)
***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicitly set for selected item(s)"  - MyRole is not ticked

Well, this is the same, in my case 1 is TICKED and in 2. there is no role in the list..

Also, in the General tab it is a server application, is that OK??


About your question
"-If i specify the application identity as a specially created user - Then surely only that user will be able to access my COM+ application??"

Again, setting "this user" only sets the permissions that the component will use, nothing about which user is able to call the component.

To set which users will be able to call the component you set roles and grant the permission, or delete roles.

You can disable roles altogether (I do that) or you can create a role, and add all your group of users to that role.

I'd recommend trying both approaches.

cero

0
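The configuration cero and EDDYKT describe above (a dedicated "This user" account that only decides what the process runs as, and a role that decides who may call), applied through the COM+ admin catalog from PowerShell on the server. This is an added example, not code from the thread; the application name, service account, caller group and role name are placeholder assumptions.

```powershell
# Added example (not from the thread). Assumes an existing COM+ server application;
# every name below is a placeholder for your environment. Run elevated on the COM+ server.
param(
    [string]$AppName     = 'ParseServer',               # existing COM+ application
    [string]$RunAs       = 'MYDOMAIN\svc_parseserver',  # dedicated account for "This user"
    [string]$RunAsPass   = $(Read-Host 'Password for the identity account'),
    [string]$CallerGroup = 'MYDOMAIN\MyDomainUsers',    # group that may CALL the components
    [string]$RoleName    = 'MyUsers'
)

function Find-CatalogObject($collection, $value, $prop = 'Name') {
    # Catalog collections enumerate COMAdminCatalogObject items exposing .Key and .Value(prop)
    foreach ($o in $collection) { if ($o.Value($prop) -eq $value) { return $o } }
    return $null
}

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()
$app = Find-CatalogObject $apps $AppName
if (-not $app) { throw "COM+ application '$AppName' not found" }

# 1. Identity = the account the server process RUNS AS (what it can reach: database,
#    files, registry). It says nothing about who may call, and it must be a user with
#    a password; a group cannot be used here.
$app.Value('Identity') = $RunAs
$app.Value('Password') = $RunAsPass

# 2. Application security tab, as in cero's working setup.
$app.Value('ApplicationAccessChecksEnabled') = $true  # "enforce access checks for this application"
$app.Value('AccessChecksLevel')  = 1   # checks at process AND component level
$app.Value('Authentication')     = 4   # Packet (1 would be None)
$app.Value('ImpersonationLevel') = 3   # Impersonate
$apps.SaveChanges() | Out-Null

# 3. Roles = WHO may call. Create the role and put the domain group in it.
$roles = $apps.GetCollection('Roles', $app.Key)
$roles.Populate()
$role = Find-CatalogObject $roles $RoleName
if (-not $role) {
    $role = $roles.Add()
    $role.Value('Name') = $RoleName
    $roles.SaveChanges() | Out-Null
}
$members = $roles.GetCollection('UsersInRole', $role.Key)
$members.Populate()
if (-not (Find-CatalogObject $members $CallerGroup 'User')) {
    $member = $members.Add()
    $member.Value('User') = $CallerGroup
    $members.SaveChanges() | Out-Null
}

# 4. Per component: enforce component level checks and tick the role for it.
$components = $apps.GetCollection('Components', $app.Key)
$components.Populate()
foreach ($c in $components) {
    $c.Value('ComponentAccessChecksEnabled') = $true
    $compRoles = $components.GetCollection('RolesForComponent', $c.Key)
    $compRoles.Populate()
    if (-not (Find-CatalogObject $compRoles $RoleName)) {
        $r = $compRoles.Add()
        $r.Value('Name') = $RoleName
        $compRoles.SaveChanges() | Out-Null
    }
}
$components.SaveChanges() | Out-Null
Write-Host "$AppName runs as $RunAs; members of $RoleName ($CallerGroup) may call it."
```

After running it, a caller outside the group gets access denied from the role check (visible in the Security event log if audit policy is on), while the work inside the component is still done under the identity account.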
 
LVL 2

Expert Comment

by:cero
ID: 9748683
cocosteel:

What does the component do?? Access a database with integrated security or something?? Or call another component, or is the component called from another?? Or do some authentication??

Have you tested using a simple client?

The question is, are you sure that the permission denied is for calling the component, or is it inside the code, maybe a database authentication?

Again, I'd recommend doing the security policy thing and checking in the Event Viewer what the exact permission being denied is.

cero.
0
 

Author Comment

by:cocosteel
ID: 9749468
cero:

>>What's the component do?? access a database with integrated security or something?? or call another component or the component is called from another?? or do some authentication??

1. Extracts data from XML and puts it into a SQL db
2. Moves some files about on the server

But guess what -
- I followed your advice and just did a simple server - put it on
the server machine
- set me as the application identity
- added security for me and my colleague - exported the proxy.
- AND IT RAN FOR ME AND MY COLLEAGUE !!! FANTASTIC

So you and EDDYKT were absolutely correct about the application identity having no influence on the client accessing the server.  I just couldn't see it.

It looks like the permission problem is caused just after the client instantiates the server (which is running under my ID) - and then the client tries to set a property on the server.

This is the property code in the COM+ application:

'****************************************
' Server-side class (ParseServer.CReportFile), early bound to the
' ParseInterfaceV1.IParseInterface type library
Public IParseInterface As ParseInterfaceV1.IParseInterface

Public Property Set Interface(ByVal objdata As ParseInterfaceV1.IParseInterface)

    ' Keep a reference to the client's callback object
    Set IParseInterface = objdata

End Property
'****************************************

The client sets it like this:

'****************************************
Dim objReportFile As Object

' Activate the server component through the exported COM+ proxy
Set objReportFile = CreateObject("ParseServer.CReportFile") ' New CReportFile

' Hand the client object (which implements IParseInterface) to the server
Set objReportFile.Interface = Me   ' THIS IS WHERE I GET PERMISSION DENIED.
'****************************************

(The interface ParseInterfaceV1.IParseInterface is a DLL that is registered on the client and the server and used to send custom events from server to client.)


-------------------------------------------

So for some reason the client does not have the permission to set an interface on the server.
0
 
LVL 26

Assisted Solution

by:EDDYKT
EDDYKT earned 250 total points
ID: 9749592
I will use object or variant instead

ie
'****************************************
Public Property Set Interface(ByVal objdata As Object)

    ' Accept a late-bound Object and cast it to the expected
    ' interface on the server side before keeping the reference
    Dim obj As ParseInterfaceV1.IParseInterface
    Set obj = objdata
    Set IParseInterface = obj

End Property
'****************************************
0
 
LVL 2

Expert Comment

by:cero
ID: 9749715
mmm

When you ran your code and set "this user" to you, it executed correctly, is that OK?
And when you set "this user" to your colleague, did it execute correctly, OK??

So, the problem does not seem to be in the code, right? Because the code ran correctly, but fails with permissions.

About the interface

>>(The interface ParseInterfaceV1.IParseInterface is a dll that is registered on the client and the server and used to send custom events from server to client.)

How is it registered?? In COM+, with users set? Or is it a DLL registered with regsvr32? What user is executing this DLL in the client?? In the server??

I'd strongly recommend doing the policy thing and looking at the Event Viewer, again.

cero
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9749764
>>how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??


You can export from the COM+ package with Application Proxy enabled to a .msi file and then run it on the client machine.
0
 
LVL 2

Expert Comment

by:cero
ID: 9750332
EDDYKT:

I'm asking cocosteel about another DLL, where ParseInterfaceV1.IParseInterface resides; we don't have information about that...

cero.
0
 

Author Comment

by:cocosteel
ID: 9753133
cero:

1. >>When you ran your code, and set the "this user" for you,  you execute it correctly, it's OK?
And when you set "this user" for your colleague execute it correctly ok??

-- When I ran the simple COM+ server, both my colleague and I could access it from the client.

-- When I ran my real XML parsing COM+ server, both of us could instantiate it but only the user specified as "This user" could set the interface.  The other got "permission denied".

**********************************************

2. >>how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??

One copy of the interface is registered on the server (with regsvr32.exe) and one copy of the interface is registered on the client (with regsvr32.exe).  Then in the COM+ application the server component has this ParseInterface as an early bound reference.

***********************************************

Perhaps this suggests that "this user" on the COM+ application does not have enough permissions to talk to the ParseInterface.  Only when the client is the same user as "this user" does that combination give enough permissions to talk to the interface.  When the client is not "this user", "this user" cannot muster enough permissions to talk to the interface.
0
 
LVL 2

Expert Comment

by:cero
ID: 9754604
Yeah, I think we are going in the right direction...
Maybe the permission is on the client.

BTW, are you and your colleague administrators on your respective computers??

Have you tested the app switching machines?? I mean, you with your account from your colleague's machine.

I'd recommend giving full permissions to you and your colleague on the local machines (clients), only for testing purposes.

Maybe the DLL needs access on the local machine (the client) to some resources, like access to the registry or a directory; on the server it seems there is no problem...

Are the client machines W2K Prof??

Hey, why don't you do the policy thing??
0
 
LVL 2

Expert Comment

by:cero
ID: 9754612
BTW, why couldn't the second DLL be a COM+ server installed on the server?? And register only clients on each machine??
0
 

Author Comment

by:cocosteel
ID: 9758020
hi cero

>>Hey, what don't do the policy thing??   What is the policy thing?


>>BTW, why the second dll couldn't be a com+ server installed in the server?? and register only clients in each machine??

Do you mean install the ParseInterface.dll into its own COM+ application next to the main DLL? This may reduce the problems with permissions?  Then use regsvr32.exe for the ParseInterface.dll ONLY on the client machines.

thanks

0
 
LVL 2

Expert Comment

by:cero
ID: 9761053
Hi cocosteel,

The policy thing: in a previous comment....
>>You need to debug what is happening, go to the Administrative tools / Security Policy and audit events such as log in erroneous, after that in the event viewer/security tab see what is going on.

About the second point, the ParseInterface, I don't know your complete architecture, but yes, you could install the ParseInterface in its own DLL, create a proxy client application from this, and install that proxy in each client, not using regsvr32.

Do that if it's possible and give us your feedback.

regards,

cero
0
 
LVL 2

Expert Comment

by:cero
ID: 9761060
This last approach definitely reduces your administrative tasks such as permissions.
0
 

Author Comment

by:cocosteel
ID: 9762941
HALLELUJAH!!!!

IT ACTUALLY WORKS.

The solution is an equal combination of

1. cero's idea to create a generic application identity with lots of permissions

and

2. EDDYKT's suggestion to use the Object datatype when setting my server interface

I tried one without the other and it didn't work - so it is an even split.

Thank you for your help, it has been 1ST CLASS, I really appreciate it.


PS sorry one of you didn't get all the points but it was genuinely a team effort


0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9763067
Glad we can help. Good luck

8->
0
 
LVL 2

Expert Comment

by:cero
ID: 9771073
me too, glad we can help you!

cero


0
