
Solved

COM security on workstations

Posted on 2003-12-04
Medium Priority
776 Views
Last Modified: 2012-05-04
I'm noticing vastly different COM behavior on the same machines when they are on a network with a domain and when they are on a network without a domain. They remain configured as workstations and are not explicitly joined to the domain at any point, but COM seems to behave much nicer when they're on the network with the domain.

I initialize my remote servers in the following way:

      USES_CONVERSION;
      // Activation security for the CoCreateInstanceEx call below: no authentication service,
      // no authorization, authentication level NONE, impersonation level IMPERSONATE, no explicit credentials.
      COAUTHINFO cai={RPC_C_AUTHN_NONE,RPC_C_AUTHZ_NONE,NULL,RPC_C_AUTHN_LEVEL_NONE,RPC_C_IMP_LEVEL_IMPERSONATE,NULL,EOAC_NONE};
      // Remote host given by IP address. The COAUTHINFO above covers the activation request only;
      // calls made later through the returned proxy use the process defaults unless CoSetProxyBlanket is called.
      COSERVERINFO csi={0,T2W((_TCHAR*)m_masterIpAddress),&cai,0};
      MULTI_QI qi={&IID_IPeerCommunications,NULL,S_OK};
      if(FAILED(hr=CoCreateInstanceEx(CLSID_AudioDistributionSrvObj, NULL, CLSCTX_REMOTE_SERVER, &csi, 1, &qi)))
      {
         // Log the HRESULT in hex so the facility and code (E_ACCESSDENIED, RPC_E_*, ...) are readable.
         _stprintf(logMsg,_T("Failed to create Master server instance %s error 0x%08X"),(_TCHAR*)m_masterHostName,(unsigned)hr);
         Log(logMsg);
         break;
      }
      // CoCreateInstanceEx returns pItf with one reference and CComPtr::Attach takes ownership of that
      // reference without calling AddRef, so an extra AddRef here would leak one reference.
      m_spMasterPeerCom.Attach(static_cast<IPeerCommunications*>(qi.pItf));

This code has always been rock solid when used on computers connected to a network with a domain hierarchy. What's going wrong when they're all connected to their own hub as workstations without a domain?
Question by:newcomguy
8 Comments

Expert Comment by _ys_ (LVL 9, ID 9876686)
I'll assume that you've already checked the obvious:
You are able to ping the server using its IP address from a non-networked client.

What is the nature of the COM server - is it in-proc/out-of-process? is it permanently loaded (via an NT service or other construct)?

Author Comment by newcomguy (LVL 1, ID 9876697)
I most certainly have checked the obvious. :) Never hurts to confirm that, though.

It's an out-of-process server that is permanently loaded as a service.

Expert Comment by MattWare (LVL 2, ID 9876910)
Have you tried changing your domain in an SEC_WINNT_AUTH_IDENTITY_W structure and then using CoInitializeSecurity?

Author Comment by newcomguy (LVL 1, ID 9878133)
How can I use CoInitializeSecurity to trick the hosts into thinking they're running on a network with a domain?

Is that even my problem?

Accepted Solution by YuriPutivsky (LVL 4, earned 500 total points, ID 9878390)
A few years ago I used to use the following code to avoid COM security problems:

 // This provides a NULL DACL: pSecDesc is NULL and cAuthSvc is -1, so COM chooses the authentication
 // services itself; the process then accepts calls at authentication level NONE and uses
 // impersonation level IMPERSONATE for its own outgoing calls, with no extra capabilities (EOAC_NONE).
 HRESULT hr = CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

And it worked.

Expert Comment by _ys_ (LVL 9, ID 9880984)
>It's an out-of-process server that is permanently loaded as a service.
Problem lies here.

Specifying RPC_C_AUTHN_LEVEL_NONE is all well and good for server objects activated by clients themselves. But yours is a permanently loaded service. So, even though you specify RPC_C_AUTHN_LEVEL_NONE, the server is using RPC_C_AUTHN_LEVEL_CONNECT for all method calls [call security] - the default minimum threshold.

Call CoInitializeSecurity, specifying RPC_C_AUTHN_LEVEL_NONE, from within the _server_ - as early as possible (immediately after CoInitializeEx( ) is as good a place as any). Don't forget that CoInitializeEx and CoInitializeSecurity will have to be called on every thread within the server.

If you're creating multiple objects you may want to call CoInitializeSecurity within the client threads as well, rather than passing the COAUTHINFO structure - either or.
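The "default minimum threshold" _ys_ describes for a service-hosted server is not hard-coded: when a server never calls CoInitializeSecurity, COM takes the process authentication level from the server's AppID key if one is set there, and otherwise from the machine-wide DCOM default, and each call is then negotiated to the higher of that level and the client's proxy level, which is why a client asking for RPC_C_AUTHN_LEVEL_NONE still ends up at Connect. The accepted solution above removes that floor by setting the server to NONE, which disables authentication of every call to it. The following PowerShell script is an added example, not code from the thread or from the poster's project: it reads the machine-wide defaults and the per-server settings for a CLSID, decodes the numeric levels and the binary permission descriptors, and includes a function for changing the per-server level (raising it to PacketPrivacy and granting the real client identities access is the alternative to turning authentication off). The CLSID passed to it is a placeholder, since the GUID behind CLSID_AudioDistributionSrvObj is not given in the thread; the level numbers and COM_RIGHTS_* bit masks are the Windows SDK values.

```powershell
# Added example, not code from the thread: read (and optionally change) the DCOM registry settings that
# decide the minimum authentication level a service-hosted COM server enforces when it never calls
# CoInitializeSecurity. Run on the machine hosting the server; reads work unelevated, writes need admin.
# Level numbers follow the SDK: RPC_C_AUTHN_LEVEL_* = 0..6, RPC_C_IMP_LEVEL_* = 0..4, COM_RIGHTS_* bit masks.
$AuthnLevelNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'PacketIntegrity'; 6 = 'PacketPrivacy' }
$ImpLevelNames   = @{ 0 = 'Default'; 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }
$ComRights       = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'; 8 = 'ActivateLocal'; 16 = 'ActivateRemote' }

# Decode a REG_BINARY self-relative security descriptor (DefaultAccessPermission, AccessPermission,
# LaunchPermission) into SDDL plus the COM-specific rights each ACE grants or denies.
function ConvertFrom-ComSecurityDescriptor {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }
        $rights = ($ComRights.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } |
                   ForEach-Object { $ComRights[$_] }) -join ','
        '{0} {1}: {2}' -f $ace.AceType, $who, $rights
    }
    [pscustomobject]@{ Sddl = $sd.GetSddlForm('All'); Aces = $aces }
}

# Machine-wide defaults under HKLM\SOFTWARE\Microsoft\Ole. When LegacyAuthenticationLevel or
# LegacyImpersonationLevel is absent, COM uses Connect (2) and Identify (2) respectively.
function Get-DcomMachineDefaults {
    $ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    $authn = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }
    $imp   = if ($null -ne $ole.LegacyImpersonationLevel)  { [int]$ole.LegacyImpersonationLevel }  else { 2 }
    [pscustomobject]@{
        EnableDCOM          = $ole.EnableDCOM
        AuthenticationLevel = '{0} ({1})' -f $authn, $AuthnLevelNames[$authn]
        ImpersonationLevel  = '{0} ({1})' -f $imp, $ImpLevelNames[$imp]
        DefaultAccess       = ConvertFrom-ComSecurityDescriptor $ole.DefaultAccessPermission
        DefaultLaunch       = ConvertFrom-ComSecurityDescriptor $ole.DefaultLaunchPermission
    }
}

# Per-server settings: CLSID -> AppID, then the AppID key. A service-hosted server carries LocalService;
# an AuthenticationLevel value here overrides LegacyAuthenticationLevel for that server only.
function Get-DcomServerSettings {
    param([Parameter(Mandatory)][string]$Clsid)
    $appId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$Clsid" -ErrorAction Stop).AppID
    if (-not $appId) { throw "CLSID $Clsid has no AppID, so it has no per-server DCOM security settings" }
    $app   = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$appId"
    $level = if ($null -eq $app.AuthenticationLevel) { 'not set (machine default applies)' }
             else { '{0} ({1})' -f [int]$app.AuthenticationLevel, $AuthnLevelNames[[int]$app.AuthenticationLevel] }
    [pscustomobject]@{
        AppID               = $appId
        LocalService        = $app.LocalService
        RunAs               = $app.RunAs
        AuthenticationLevel = $level
        AccessPermission    = ConvertFrom-ComSecurityDescriptor $app.AccessPermission
        LaunchPermission    = ConvertFrom-ComSecurityDescriptor $app.LaunchPermission
    }
}

# Change the per-server minimum. Level 1 (None) is what the thread's fix amounts to; for a server that
# must stay reachable from workgroup clients, prefer 6 (PacketPrivacy) and grant the client accounts
# ExecuteRemote/ActivateRemote in AccessPermission/LaunchPermission instead of dropping authentication.
function Set-DcomServerAuthenticationLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$AppId, [Parameter(Mandatory)][ValidateRange(1, 6)][int]$Level)
    $key = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    if ($PSCmdlet.ShouldProcess($key, "Set AuthenticationLevel to $Level ($($AuthnLevelNames[$Level]))")) {
        Set-ItemProperty -Path $key -Name AuthenticationLevel -Value $Level -Type DWord
    }
}

# Effective minimum for a server that never calls CoInitializeSecurity: the AppID value if present,
# otherwise the machine default. Every call then runs at the higher of this and the client's proxy level.
function Show-DcomSecurity {
    param([string]$Clsid)
    'Machine-wide DCOM defaults (HKLM\SOFTWARE\Microsoft\Ole):'
    Get-DcomMachineDefaults | Format-List | Out-String
    if ($Clsid) {
        "Per-server settings for CLSID $($Clsid):"
        Get-DcomServerSettings -Clsid $Clsid | Format-List | Out-String
    }
}

Show-DcomSecurity
# With the real CLSID (placeholder below; the GUID behind CLSID_AudioDistributionSrvObj is not in the thread):
#   Show-DcomSecurity -Clsid '{...}'
#   Set-DcomServerAuthenticationLevel -AppId (Get-DcomServerSettings -Clsid '{...}').AppID -Level 6 -WhatIf
```

Compare the AccessPermission ACEs against the account the remote client actually arrives as: on a workgroup machine that identity is a local account or Guest rather than a domain principal, so an ACL that only names domain groups explains a client that works on the domain network and fails on the isolated hub without any change to the code.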

Author Comment by newcomguy (LVL 1, ID 9882021)
Alright, who gets the points? Yuri told me what to call and _ys_ told me where to call it.

Expert Comment by _ys_ (LVL 9, ID 9882258)
We'll assume that everything is working then.

There is an option to split points - but I've never asked a question so I don't know how.