Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1039
  • Last Modified:

COM+ application identity

I am having problems setting the correct user identity for my COM+ application:

************************************************
CONTEXT:

1. I have vb6 dll managed in a COM+ application on a server machine.  The server machine will be running without anyone logged in.

2. I have NOT set any security on the COM+ application

2. I have several clients on other machines that want to access it.

************************************************


I know that i need to set the application identity to "This User".  So that my dll can run when no one is logged in to the server machine.


BUT - What user do i set "this user" to.  BECAUSE - i have just set "This user" to me, and consequently only I can use the clients to call the DLL.  When anyone one else makes a call from the Client to the COM+ Dll - they get a "permission denied" error.


*******************************************************
QUESTION:

SO - Who do i set "This user" to - so that everyone can use the clients to make Calls to the COM+ dll.

*******************************************************

NB - the permission denied is not related to security on the COM+ application as i have removed all of this.

0
cocosteel
Asked:
cocosteel
  • 13
  • 12
  • 9
  • +2
2 Solutions
 
ajexpertCommented:
Hi,
  Just try with interactive user.  The current logged on user option.

ajexpert
0
 
EDDYKTCommented:
This user means run dll from this user

Have you set authentication level for calls to none on security tab?
0
 
SRigneyCommented:
I had this problem as well when I created the COM+ component from my machine on the remote machine using Microsoft Management console.

The solution was to destroy the COM+ component.
Log into the COM+ machine and recreate the same component.  The Identity of the component can still be you, but you have to creat the component while being logged into the COM+ server.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
EDDYKTCommented:
You can also create everyone role and add everyone onto that role


On each component, bring up property and on security tab, check on everyone role
0
 
ceroCommented:
Hi cocosteel,

You are right, you have to set the app identity to "This user". The user that you have to set up there is a especial user, a user created only for components use. Tell your security team to crate a user with some characteristics:

1. Password never expires.
2. access to necessary databases and access to necessary resources.

When any user invokes your component, that component access necessary resources with the identity set (with the generic user).
If you don't create roles, any user is capable to call the component, so there is no need to do anything else.

regards,

cero

0
 
cocosteelAuthor Commented:
thanks for replying i have been testing different scenarioes and this is what i have found the problem:

*****************************************************

-When the Application Identity is set to "this user" and "this user" is one specific individual (Not a user group) Then only that user can access the COM+ application.

*****************************************************

So i think i need to specify "This user" as a group of users.  So that all in this group can access the COM+ application.

SO NOW THE PROBLEM IS:
when i enter a user group as "This user"  - I get an error

"The user account or password is invalid. if you entered a domain account, make sure the name is prefixed with the domain name."

BUT i have prefixed my DOmain account with a Domain i.e   MyDOmain\MyDomainUsers

***************************************
***************************************

SO  How do i specify "This user" as a domain account - but get away with out supplying a password.
0
 
EDDYKTCommented:
>>SO  How do i specify "This user" as a domain account - but get away with out supplying a password.


I don't think you can

Use my method and create security role under your com+ package
0
 
cocosteelAuthor Commented:
EDDYKT

i have my COM+ application

I have create a role for it " MyUsers"
I have added a user group to this role

Then How do i apply this role to the application identity?

thanks

0
 
EDDYKTCommented:
Go to component

on each compont , bring up properties, on security tab check on myusers role
0
 
cocosteelAuthor Commented:
just to clarify my problem is with application identity, not security.
0
 
ceroCommented:

mmm, I don't understand why the approach I gave you (and I always use) doesn't work for you.

Another thing, I doubt that you need to specify "This user" as a group of users.
Also, you must specify the password always, and for specify a windows domain account  use the form:  MyDomain\anUserAccount as you did.

You need to debug what is happening, go to the Administrative tools / Security Policy and audit events such as log in erroneous, after that in the event viewer/security tab see what is going on.

First, test without any authentication, clear all security (roles) and in the security tab of the properties window of the componente uncheck every security item, and in the combos, clear any authentication.

After that add security items as required, as I tell in my first comment, the best practice is to use a generic user, and isolate the error.

cero
0
 
ceroCommented:

After you clear roles, the identity is very related to security tab,  
by the way, what is your configuration in the security tab, this can be the determinant??
0
 
ceroCommented:
Sorry, I mean determinant!!
0
 
cocosteelAuthor Commented:
hi cero

i missed your first comment before i posted my next one - thats why it seemed like i ignored you!

can i just go quickly clarify your strategy:

> Create a special user for component use that has a password that never expires.

Q: Is this an individual user or a user group?  

- If it is an individual user how will it  represent all of the component users.  

- Or if it is a user group how do i give a user group a password?
(because it seems the application identity "This user" ALWAYS requires a password)


thanks
0
 
cocosteelAuthor Commented:
PS My security settings are turned off:

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected

3. "Authentication level for calls" - NONE

4. "Impersonation level" - Impersonate

***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicity set for selected item(s)"  - MyRole is not ticked


0
 
cocosteelAuthor Commented:
is anybody out there!

Here is where i am with this problem:

1.  I thought i needed to set the application identity to "This user" and set it to group of users - because when i set "This user" to an individual - only that individual could access the COM+ application.

2. But then when i tried to set "This user" to a user group - the user group had no password and the application identity required a password.  SO...

3. Then i was advised yesterday that i should set the application identity ("This user") to a user specially created for the COM+ application.  And that the special user should have a password that does not expire.

-THis made sense to me apart from ONE major sticking point:

-If i specify the application identity as a specially created user - Then surely only that user will be able to access my COM+ application??


BUT What i need is for several users to be able to access the application.

I am really stuck.      

thanks for your time.






0
 
EDDYKTCommented:
>>BUT What i need is for several users to be able to access the application

If you want to do that you have to use security role. That only allow the user that in the role to access your component. Try to turn back to interactive user. IF no body login, it will use SYSTEM as user
0
 
cocosteelAuthor Commented:
Hi EDDYKT

thanks for replying

I followed you instructions:  ( ithink they are correct)

1. i changed application identity from "THis user"  to "Interactive User"
2. I added a role to my application
3. i added "everyone" to that role
4. On each component, i checked "enforce component level access checks"  
    the i checked the everyone role for each component.
5. I enforced access checks for this application - on the application's security tab
6. I set "authentication level for calls" = Packet
7. I set Impersonation level = Impersonate

Then i exported a proxy to my client machine and installed it

But when the client tried to instaciate the server component i got


"Automation error
The server process could not be started because the configured identity is incorrect. check the username and password. the application will now be closed"

am i doing something wrong?   it would be such a relief to get this working!

*********************

EDDKYT as an aside - i am really confused about application identity: "this user"
- why is it that only the person specified as "this user" - can instanciate the COM+ application.   even if they have the security to allow them to call the component.


thanks very much




0
 
EDDYKTCommented:
>>why is it that only the person specified as "this user" - can instanciate the COM+ application.   even if they have the security to allow them to call the component.


This user means the component will start to run as this use you specified. It doesn't mean only this user allows to start the component.

In the other words, if you want to find out who initiate the component, you can always get this user even the component starts from user B.

Try to user this user again and see
0
 
cocosteelAuthor Commented:
hi

sorry if i am soundind really stupid here.  

>>This user means the component will start to run as this use you specified. It doesn't mean only this user allows to start the component.

-I have just been testing and when i turn off all security and then set app ID "This user" to UserA - then only I can access the component.
-WHen anyone else tries to instanciate the component - they get permission denied.

-Then i set "This user" to my colleague:  USERB and then only USERB could access the component - and USERA got "Permission denied".

So initially i came to the conclusion that only the user specified in "This user" user can instanciate component?

But if this is incorrect - why can i access the component when i am "This user" and my colleague can only access the component when he is "This user"








0
 
ceroCommented:
Hi cocoostel,

I'm not agree with set to interactive user, only for testing purposes.
When you set "this user", you are telling to COM+ that the componente will use the permissions set to "this user", that's not telling nothing about who has permission to call the componente, that's establish with roles.

I strongly recommend to  activate securtity policies and in the event viewer/security check to see what exact permission is being denegated.


I check my components and this is the configuration. (With a generic user set as "this user")

*******************
security tab for application
********************

1.  "enforce access checks for this application" - NOT TICKED  
(OK)

2. "security level - perform access checks at the process and component level security property will be included on the object context. The COM+ security call context is available."  Radio button is selected
(OK)

3. "Authentication level for calls" - NONE
(PACKET)

4. "Impersonation level" - Impersonate
(OK)
***************************
security tab on individual components
***************************

1. "enforce component level access checks" - NOT TICKED

2. "Roles explicity set for selected item(s)"  - MyRole is not ticked

Well, this is the same, in my case 1 is TICKED and in 2. there is no role in the list..

Also, in General TAB is a server application, its OK??


About your question
"-If i specify the application identity as a specially created user - Then surely only that user will be able to access my COM+ application??"

Again, setting to "this user" is only to set  permissions that the component will use, nothing about what user is capable to call the component.

For setting what users will be enabled to call the component you set roles and do the permission or delete roles.

You can disable roles at all  (I  do that) or you can create a role, and add all your group of users to that role.

I'll recommend to prove both approachs.

cero

0
 
ceroCommented:
cocoostel:

What's the component do?? access a database with integrated security or something?? or call another component or the component is called from another?? or do some authentication??

Have you tested using a simple client?

The question is, are you sure that the permission denied is for calling the component or is inside the code, maybe a database authentication.

Again, I'll recommend to do the security policy thing and check in the event viewer what is the exact permission being denegated.

cero.
0
 
cocosteelAuthor Commented:
cero:

>>What's the component do?? access a database with integrated security or something?? or call another component or the component is called from another?? or do some authentication??

1. Extracts data from xml and puts into a SQL db
2. Moves some files about on the server

But quess what -
-i followed your advice and just did a simple server - put it on
the server machine
-set me as the application identity
-added security for me and my collegue - exported the proxy.
- AND IT RAN FOR ME AND MY COLLEAGUE !!! FANTASTIC

So you and EDDKYTwere absolutely correct about the application identity having no influence on the client accessing the server.  I just couldnt see it.

It looks like the permission problem is caused just after the client instanciates the server (which is running under my ID)  - and then the client trys to set a property on the server.

This is the property code in the COM+ application

'****************************************
Public IParseInterface As ParseInterfaceV1.IParseInterface

Public Property Set Interface(ByVal objdata As ParseInterfaceV1.IParseInterface)

Set IParseInterface = objdata

End Property
'****************************************

The client sets it like this :

'****************************************
Set objReporterFile = CreateObject("ParseServer.CReportFile") ' New CReportFile

Set objReportFile.Interface = Me   ' THIS IS WHERE I GET PERMISSION DENIED.
'****************************************

(The interface ParseInterfaceV1.IParseInterface is a dll that is registered on the client and the server and used to send custom events from server to client.)


-------------------------------------------

So for some reason the client does not have the permission to set an interface on the server.  

   






0
 
EDDYKTCommented:
I will use object or variant instead

ie
Public Property Set Interface(ByVal objdata As object)

dim obj As ParseInterfaceV1.IParseInterface
set obj = objdata
0
 
ceroCommented:
mmm

When you ran your code, and set the "this user" for you,  you execute it correctly, it's OK?
And when you set "this user" for your colleague execute it correctly ok??

so, the problem doesn't not seem to be in the code, right? because the code ran correctly, but fails with permissions.

About the interface

>>(The interface ParseInterfaceV1.IParseInterface is a dll that is registered on the client and the server and used to send custom events from server to client.)

how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??

I'll strongly recommend to do the policy thing and see the event viewer, again.

cero
0
 
EDDYKTCommented:
>>how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??


You can do export from the COM+ package with Application proxy enable to .msi file and then run on the client machine
0
 
ceroCommented:
EDDYKT:

I'm asking cocoostel for another dll, where ParseInterfaceV1.IParseInterface resides, we don't have information about that...

cero.
0
 
cocosteelAuthor Commented:
cero:

1. >>When you ran your code, and set the "this user" for you,  you execute it correctly, it's OK?
And when you set "this user" for your colleague execute it correctly ok??

--when i ran the simple COM+ server both my colleague and I could access it from the client.

--When i ran the my real XML parsing COM+ server - both of us could instaciate it but only the user specified as "This user" could set the interface.  The other got "permission denied".

**********************************************

2. >>how registered?? in COM+,  with users set? or is a dll registered with regsvr32, what user is executing this dll in the client?? in the server??

One copy of the interface is registered on the server (with regsvr32.exe) and one copy of the interface is registered on the client (with regsvr32.exe).  Then in the COM+ application the server component has this Parseinterface as an early bound reference.

***********************************************

Perhaps this suggests that "this user" on the COM+ application does not have enough permissions to talk to the ParseInterface.  Only when the client is the same user as "this user" does that combination give enough permissions to talk to the interface.  When the client is not this user "this user" cannot muster enough permissions to talk to the interface.
0
 
ceroCommented:
Yeah, I think we are in the ok direction...
Maybe the permission is on the client.

BTW, you and your colleague are administrators in your corresponding computers??

Have you test the app switching machines??, I mean, you with your account from your colleague machine.

I'll recommend to give full permissions to you and your colleague in the local machines (clients) only for testing purposes.

Maybe the dll needs access in the local machine (the client) to some resources, like access to the registry or a directory, in the server it seems there is no problem...

Machine Clients are W2k prof??

Hey, what don't do the policy thing??
0
 
ceroCommented:
BTW, why the second dll couldn't be a com+ server installed in the server?? and register only clients in each machine??
0
 
cocosteelAuthor Commented:
hi cero

>>Hey, what don't do the policy thing??   what is the policy thing?


>>BTW, why the second dll couldn't be a com+ server installed in the server?? and register only clients in each machine??

do you mean install the Parseinterface.dll into its own COM+ application next to the Main dll.  This may reduce the problems with permissions?  Then use regsvr32.exe for the parseinterface.dll ONLY on the client machines.

thanks

0
 
ceroCommented:
hi cocoostel,

The policy thing: in a previous comment....
>>You need to debug what is happening, go to the Administrative tools / Security Policy and audit events such as log in erroneous, after that in the event viewer/security tab see what is going on.

About the second point, the ParseInterface, I don't know your complete architecture, but, yes you could install the ParseInterface in it's own dll and create a proxy client application from this and install that proxy in each client, not using regsvr32.

Do that if it's prossible and give us your feedback

regards,

cero
0
 
ceroCommented:
This last approach definitively reduce your administrative tasks such as permissions.
0
 
cocosteelAuthor Commented:
HALLELUJAH!!!!

IT ACTUALLY WORKS.

The solution is an equal  combination of

1. Cero' idea to create a generic application identity with lots of permissions

and

2. EDDKYT's suggestion to  use object datatype when setting my server interface

I tried one without the other it didnt work - so it is an even split.

Thankyou for your help it has been 1ST CLASS, i really appreciate it.


ps sorry one of you didnt get all the points but it was genuinely a team effort


0
 
EDDYKTCommented:
Glad we can help. Good luck

8->
0
 
ceroCommented:
me too, glad we can help you!

cero


0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 13
  • 12
  • 9
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now