From: BIGLEY,JOHN (HP-Roseville,ex1) (john_bigleyHP.COM)
Date: Thu Jan 10 2002 - 15:03:44 CST


    What do you mean by "programmatic: No CoInitialize..() calls can be made as it
    is a service." A service can certainly call CoInitialize(Ex) and
    CoInitializeSecurity. If this service houses COM objects then CoInitialize(Ex)
    has to be called. If CoInitializeSecurity is not being called then the COM
    infrastructure will automatically call it for you when the first interesting
    use of COM occurs. If I were you I would call CoInitializeSecurity
    specifically with the settings suggested by Keith Brown.

    Did you create this service with ATL?

    John

    -----Original Message-----
    From: Max Surace [mailto:maxsuraceALTAVISTA.COM]
    Sent: Thursday, January 10, 2002 12:34 PM
    To: DCOMDISCUSS.MICROSOFT.COM
    Subject: Re: COM-based service under Local System Account

    OK, here it is the scenario:

    COM server:
    ---------------
    OS: Win2K, also tried on WinXP
    EXE server, running as service under Local System account
    COM server is 'Both'
    DCOM config settings in registry:
    App Authentication level = None
    App Access permission: Everyone, System
    App Launch permission: Everyone, System
    App Identity: System Account
    system's impersonation level:
    Impersonate
    default protocol: TCP/IP (top priority)

    programmatic: No CoInitialize..() calls can be made as it is a service. But all
    configs have been set up to reflect what is required for turning off
    security.

    Client:
    --------

    OS: WinXP
    domain: different from server, and both do not trust each other
    Calls made:

    // Client-side COM initialization: process-wide security is set to no
    // authentication and identify-level impersonation.
    HRESULT hr = CoInitializeEx (NULL, COINIT_MULTITHREADED);
    hr = CoInitializeSecurity( 0, -1, 0, 0, RPC_C_AUTHN_LEVEL_NONE,
                               RPC_C_IMP_LEVEL_IDENTIFY, 0, 0, 0 );

    and then

    // Per-activation security for the remote activation request: no
    // authentication service, no authorization, authentication level none.
    COAUTHINFO co = { RPC_C_AUTHN_NONE, RPC_C_AUTHZ_NONE,
                      0, RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IMPERSONATE,
                      0, EOAC_NONE };

    // Declarations the original post left out are reconstructed from context:
    // cs is the COSERVERINFO handed to CoCreateInstanceEx, strName holds the
    // remote server name (a CString), pClient is the interface from mq.pItf.
    COSERVERINFO cs = { 0 };
    cs.pAuthInfo = &co;
    cs.pwszName = strName.AllocSysString ();
    MULTI_QI mq;
    mq.pIID = &IID_IClient;
    mq.hr = 0;
    mq.pItf = 0;

    hr = ::CoCreateInstanceEx (CLSID_Client, NULL, CLSCTX_REMOTE_SERVER, &cs,
                               1, &mq );

    IClient* pClient = static_cast<IClient*>(mq.pItf);
    hr = pClient->CallAnyMethod();

    //here it fails with 'Access denied'

    the security event log at server says:

    The logon to account: MyClientLoggedOnAccount
     by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
     from workstation: MyClientMachineName
     failed. The error code was: 3221225572

    The question is: why is my logged-on account from the client being
    authenticated at the server??? I have turned off security at all levels, as
    far as I know.

    HTH

    On Thu, 10 January 2002, Brian Muth wrote:

    >
    > I believe that if you have turned off authentication in your activation
    > request, you shouldn't be seeing any authentication overhead at all. I'm
    > suspicious that you have not successfully turned all the dials as
    > suggested in K. Brown's security faq.
    >
    > Can you provide more info on your settings? Is your server object
    > running as a service or an executable? Under what account? What is your
    > DCOMCNFG settings? What does your server object do, in general terms?
    >
    > Reading between the lines, I'm guessing that your server is running
    > Win2000. Is your client as well?
    >
    > > -----Original Message-----
    > > From: Max Surace [mailto:maxsuraceALTAVISTA.COM]
    > > Sent: Thursday, January 10, 2002 11:06 AM
    > > To: DCOMDISCUSS.MICROSOFT.COM
    > > Subject: Re: COM-based service under Local System Account
    > >
    > > I did that, and I can see that server always tries to authenticate
    > > incoming call and fails the logon attempt. This is the root of the
    > > problem. Why server wants to authenticate incoming call, if I have
    > > explicitly configured and programmed both the client and server not to
    > > worry about security?
    > >
    > > regards
    > >
    > >
    > >
    > > On Thu, 10 January 2002, Joakim Karlsson wrote:
    > >
    > > >
    > > > Hi Max,
    > > >
    > > > Try and turn on auditing on the server machine (both for success and
    > > > failure). This might give you a clue as to who your server thinks is
    > > > trying to access your component and if any privilege has been
    > > > violated.
    > > >
    > > > HTH
    > > >
    > > > Regards,
    > > > Joakim
    > > >
    > > > ----------------------------------------------------------------
    > > > Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
    > > > contains important info. Save time, search the archives at
    > > > http://discuss.microsoft.com/archives/index.html .
    > > > To unsubscribe, mailto:DCOM-signoff-requestDISCUSS.MICROSOFT.COM
    > >
    >

    ----------------------------------------------------------------
    Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
    contains important info. Save time, search the archives at
    http://discuss.microsoft.com/archives/index.html .
    To unsubscribe, mailto:DCOM-signoff-requestDISCUSS.MICROSOFT.COM
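An added example (not code from the thread or from Microsoft): a small Python parser for the security-log record Max quoted, which decodes the decimal error code the Windows 2000 log prints as a 32-bit NTSTATUS value. The sample record is constructed with placeholder account and workstation names, and the name table covers a handful of well-known logon status codes from ntstatus.h.

```python
import re

# Constructed sample in the format of the NTLM logon-failure event quoted in
# the thread; the account and workstation names are placeholders.
SAMPLE_EVENT = """The logon to account: MyClientLoggedOnAccount
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: MyClientMachineName
 failed. The error code was: 3221225572"""

# Well-known NTSTATUS logon failure codes (ntstatus.h); the event log prints
# them as unsigned decimal numbers, which is why they look meaningless.
NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

_FIELDS = re.compile(
    r"logon to account:\s*(?P<account>\S+).*?"
    r"by:\s*(?P<package>\S+).*?"
    r"from workstation:\s*(?P<workstation>\S+).*?"
    r"error code was:\s*(?P<code>\d+)",
    re.S,
)

def decode_ntstatus(code):
    """Split a 32-bit NTSTATUS into severity, facility and code, and name it."""
    code &= 0xFFFFFFFF
    return {
        "hex": "0x%08X" % code,
        "severity": ("success", "informational", "warning", "error")[code >> 30],
        "facility": (code >> 16) & 0x0FFF,
        "code": code & 0xFFFF,
        "name": NTSTATUS_NAMES.get(code, "unknown"),
    }

def parse_logon_failure(text):
    """Parse one event's text; returns None if it is not a logon-failure record."""
    m = _FIELDS.search(text)
    if m is None:
        return None
    d = m.groupdict()
    d["status"] = decode_ntstatus(int(d.pop("code")))
    return d
```

The decimal 3221225572 in the quoted event decodes to 0xC0000064, STATUS_NO_SUCH_USER, the status an NTLM logon attempt returns when the server cannot find the account it was asked to authenticate.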