
COM+ Access denied.


Santosh Sawant

Dec 12, 2003, 7:58:17 AM
Hello Everyone,

I have a simple query. I created a simple ActiveX DLL in VB6
to do all DB transactions like Execute StoreProc, open
recordset, etc. I registered this DLL on the application
server as a Server Application. In Properties - Identity I
have set Interactive User.

I have installed the application proxy for the above application on
the client machine. Everything works fine if I log in as the same
user on server and client. But if I log in with different
logins then I can do everything apart from executing the stored
procedure; for that I get Error No. 70 - Permission denied.
I am using Oracle9i as the database, so there is no issue of
user rights on the StoreProc and all.

Can anyone tell me what's wrong with my settings or
application?

Many thanks in advance.

Regards,
Santosh

Slava Gurevich

Dec 12, 2003, 8:07:29 AM
Hi Santosh,

The "Interactive User" setting is used mostly for debugging. You should
set it to "This user" and specify the user identity which allows your
component to do its work.

At this point you may still experience security issues, so take a look
at the following article, which I think applies to your situation:
http://support.microsoft.com/default.aspx?scid=kb;en-us;266625

Slava Gurevich

Madhav Shidhaye

Dec 12, 2003, 8:24:11 AM
Hi Santosh,

I ran into a similar problem last week.

Check if this Microsoft Knowledge Base article solves your
problem: 26625

My guess is that the computers in question are not part
of a domain?

It has to do with authentication levels/security etc...

The important thing is you need to tweak both the client
and the server.

Post back if the problems persist.

Cheers,

MJS


Santosh Sawant

Dec 12, 2003, 8:34:31 AM
Hi Slava,

Thanks for the instant reply. I will try the methods mentioned in
the link which you provided, and if I have any more queries I
will write back.

Many thanks for helping me out.

Regards,
Santosh


Santosh Sawant

Dec 12, 2003, 2:33:25 PM
Hi Slava,

Thanks a lot for your reply. This has solved my problem. I
changed the Security setting to None and used the AppId registry
settings.

But since I am new to this technology, could you please
tell me what you mean by the following statement:

The "Interactive User" setting is used mostly for debugging.
You should set it to "This user" and specify the user
identity which allows your component to do its work.

Many thanks in advance.
Have a good weekend.

Regards,
Santosh


Santosh Sawant

Dec 12, 2003, 2:34:38 PM
Thanks a lot Madhav for your reply. As you mentioned I had
used methods specified in Knowledge base: 266625.

Regards,
Santosh


Slava Gurevich

Dec 12, 2003, 3:29:40 PM
Hi Santosh,

Basically, if you set the COM+ identity to the "Interactive User", the
COM+ application code will run under the security context of the
interactive user identity, which will change to whoever happens to be
logged on interactively at the moment (if anyone). The COM+ process
will fail to start altogether when no user is logged on interactively
at the computer console. Imagine what happens when the server is
rebooted; it won't serve any remote requests until someone logs in.
This is usually not what you'd want.

Take a look at the following article for more info:

PRB: Server Execution Failed When Calling MTS COM Component from ASP
http://support.microsoft.com/default.aspx?scid=kb;en-us;241057

Slava Gurevich


On Fri, 12 Dec 2003 11:33:25 -0800, "Santosh Sawant"

Santosh Sawant

Dec 15, 2003, 10:00:27 AM
Thanks a lot Slava for providing such helpful
information. Now just one last question. OK, if I change my
setting to, say, local machine Admin from Interactive User
and keep the Authentication level at 'None'.

Does that mean the same Admin account name and password should
exist on all client PCs? Sorry for being such a
dumbo..... Also, can you please recommend any COM+ book
which will give all this basic information rather than an
advanced one?

Many thanks in advance.

Regards,
Santosh


Brian Muth

Dec 15, 2003, 11:10:38 AM
Never heard of a "basic" book on security. One of the best security books
I'm aware of is:

http://www.amazon.com/exec/obidos/tg/detail/-/0201604426/qid=1071504269/sr=1-5/ref=sr_1_5/102-9149140-3768967?v=glance&s=books

Brian


Slava Gurevich

Dec 15, 2003, 11:42:50 AM
In most situations it's not important for the caller identity to match
the COM+ application identity (with the exceptions of call-backs,
etc.). What is important is that the server should be able to either
authenticate the caller, or the security needs to be turned off
altogether.

For the caller to become authenticated as itself in a workgroup
environment, the matching pair account should both exist on the server
machine and be included in one of the COM+ roles allowed access.

Alternatively, you could try disabling COM+ Application security
(uncheck "Enforce access checks for this application").
Unfortunately this doesn't always work because the negotiated
authentication level between the server and the client is the highest
of the two. In practice, you may need to drop the authentication
level on the client by calling CoInitializeSecurity(), or
CoSetProxyBlanket() or similar APIs. (A declarative change in the
default authentication level setting via dcomcnfg.exe is not a good
choice because it's machine-wide, and will likely break something else
if modified.)

Slava Gurevich


On Mon, 15 Dec 2003 07:00:27 -0800, "Santosh Sawant"
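
The settings discussed in this thread (application identity, authentication level, "Enforce access checks for this application", and role membership) can be read back from the COM+ catalog. The following is an added example, not part of the original thread: a read-only PowerShell audit that lists server applications using any of those settings. It assumes an elevated session on the COM+ server itself; the finding texts are this example's own wording.

```powershell
# Added example: read-only audit of COM+ applications through the COMAdmin catalog.
# Nothing is modified; run elevated on the machine that hosts the COM+ applications.
$authNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call';
                4 = 'Packet';  5 = 'Integrity'; 6 = 'Privacy' }

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()

$report = foreach ($app in $apps) {
    # Activation: 0 = library (in-process), 1 = server (own dllhost.exe process).
    if ([int]$app.Value('Activation') -ne 1) { continue }

    $identity  = [string]$app.Value('Identity')
    $authLevel = [int]$app.Value('Authentication')
    $checksOn  = [bool]$app.Value('ApplicationAccessChecksEnabled')

    # Roles are a child collection keyed by the application's catalog key.
    $roles = $apps.GetCollection('Roles', $app.Key)
    $roles.Populate()

    $findings = @()
    if ($identity -eq 'Interactive User') {
        $findings += 'Identity is Interactive User: depends on who is logged on at the console'
    }
    if ($authLevel -eq 1) {
        $findings += 'Authentication level None: callers are not authenticated'
    }
    if (-not $checksOn) {
        $findings += 'Access checks disabled: role membership is not enforced'
    }
    elseif ($roles.Count -eq 0) {
        $findings += 'Access checks enabled but no roles defined'
    }

    [pscustomobject]@{
        Application    = $app.Value('Name')
        Identity       = $identity
        Authentication = $authNames[$authLevel]
        AccessChecks   = $checksOn
        Roles          = $roles.Count
        Findings       = $findings -join '; '
    }
}

# Show only the applications that have at least one finding.
$report | Where-Object { $_.Findings } | Format-List
```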

Santosh Sawant

Dec 18, 2003, 9:08:12 AM
Thanks a lot Brian for replying. I will definitely go
through this book; it looks good.

Regards,
Santosh


Santosh Sawant

Dec 18, 2003, 9:10:31 AM
Once again many thanks Slava, you have cleared many of my
doubts.

Regards,
Santosh
