
Access denied: how to set DCOM security properly?


Josef Kohout

Jun 29, 2005, 6:44:57 AM
In 2001, I wrote an ATL server and MFC client. As there was a request to
allow running the server as well as the client on any Windows platform (including
even Win 95), I turned off the security used in the application:

HKCR\AppID\{MyServerID}\AuthenticationLevel=RPC_C_AUTHN_LEVEL_NONE
HKCR\AppID\{MyServerID}\LaunchPermission=[EveryOne,Interactive,System]
HKCR\AppID\{MyServerID}\AccessPermission=[EveryOne,Interactive,System]
HKCR\AppID\{MyServerID}\RunAs="Interactive User"

in server I used:

HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (FAILED(hr)) return hr;
// Process-wide default blanket: no authentication at all.
hr = ::CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_NONE,
                            RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

and in client I used:

HRESULT hr = CoInitialize(NULL);
if (FAILED(hr)) return hr;
// Same unauthenticated default blanket on the client side.
hr = ::CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_NONE,
                            RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

then I connected to the server:

MULTI_QI mq;
mq.pIID = &__uuidof(IMyIface);
mq.pItf = NULL;
mq.hr = S_OK;

COSERVERINFO csi, *pcsi = NULL;
memset(&csi, 0, sizeof(COSERVERINFO));
csi.pwszName = L"{Address}";   // name or address of the server machine
pcsi = &csi;

// Security for the activation request: no authentication service at all.
COAUTHINFO dcomsec;
dcomsec.dwAuthnSvc = RPC_C_AUTHN_NONE;
dcomsec.dwAuthzSvc = RPC_C_AUTHZ_NONE;
dcomsec.pwszServerPrincName = NULL;
dcomsec.dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE;
dcomsec.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
dcomsec.pAuthIdentityData = NULL;
dcomsec.dwCapabilities = EOAC_NONE;
csi.pAuthInfo = &dcomsec;

HRESULT hr = ::CoCreateInstanceEx(MyCLSID, NULL, CLSCTX_ALL, pcsi, 1, &mq);

It had worked well until Windows XP SP2 was released. I managed somehow to
configure WinXP to continue to support execution of DCOM without security. At
the beginning of June, however, Microsoft probably released another patch
and I'm no longer able to run my application on Windows XP SP2. I decided,
therefore, to modify my code to incorporate the security, but my attempt to
do it has failed with E_ACCESSDENIED. Having two machines with Windows XP
SP2, I did the following steps:

1. On machine A, I added server.exe to the list of exceptions in Windows
Firewall and I also enabled port 135.
2. On machine B, I added client.exe to the list of exceptions in Kerio
Firewall and I also enabled port 135.
3. I created a new user MyUser on machine A with the rights SE_BATCH_LOGON_NAME
and SE_DENY_INTERACTIVE_LOGON_NAME.
4. I registered server on machine A as follows:

HKCR\AppID\{MyServerID}\AuthenticationLevel=RPC_C_AUTHN_LEVEL_CONNECT
HKCR\AppID\{MyServerID}\LaunchPermission=[MyUser,Administrators,Interactive,System]
  (Interactive and System users have only local launch and local activation rights)
HKCR\AppID\{MyServerID}\AccessPermission=[MyUser,Self,Everyone,System,ANONYMOUS LOGON]
  (System user has only local access right)
HKCR\AppID\{MyServerID}\RunAs="MyUser"

HKLM\Software\Microsoft\Ole\MachineLaunchRestriction=[MyUser,Administrators,EveryOne]
  (EveryOne group has only local rights)
HKLM\Software\Microsoft\Ole\MachineAccessRestriction=[MyUser,EveryOne,ANONYMOUS LOGON]
  (all have full access rights)

5. In both server and client code I commented calling of
::CoInitializeSecurity
6. I modified the connection as follows

MULTI_QI mq;
mq.pIID = &__uuidof(IMyIface);
mq.pItf = NULL;
mq.hr = S_OK;

COSERVERINFO csi, *pcsi = NULL;
memset(&csi, 0, sizeof(COSERVERINFO));
csi.pwszName = L"{Address}";   // name or address of the server machine
pcsi = &csi;

// Explicit credentials for the activation request (MyUser / MyUserPassw are
// wide strings). MyUser is a local account on the server, so the server
// name doubles as the domain.
COAUTHIDENTITY AuthIdentity;
memset(&AuthIdentity, 0, sizeof(COAUTHIDENTITY));
AuthIdentity.User = (USHORT *)MyUser;
AuthIdentity.UserLength = (ULONG)wcslen(MyUser);
AuthIdentity.Password = (USHORT *)MyUserPassw;
AuthIdentity.PasswordLength = (ULONG)wcslen(MyUserPassw);
AuthIdentity.Domain = (USHORT *)csi.pwszName;
AuthIdentity.DomainLength = (ULONG)wcslen(csi.pwszName);
AuthIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;

// NTLM authentication at Connect level for the activation call.
COAUTHINFO dcomsec;
dcomsec.dwAuthnSvc = RPC_C_AUTHN_WINNT;
dcomsec.dwAuthzSvc = RPC_C_AUTHZ_NONE;
dcomsec.pwszServerPrincName = NULL;
dcomsec.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
dcomsec.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
dcomsec.pAuthIdentityData = &AuthIdentity;
dcomsec.dwCapabilities = EOAC_NONE;
csi.pAuthInfo = &dcomsec;

HRESULT hr = ::CoCreateInstanceEx(MyCLSID, NULL, CLSCTX_ALL, pcsi, 1, &mq);
----------------

The result of CoCreateInstanceEx is S_OK, the server is launched and activated,
and it runs under the MyUser account. When I, however, want to call any function on
the returned interface, e.g.

pIface->PingMe()

I receive the E_ACCESSDENIED error.
What's wrong? Can anybody help me with how to set DCOM properly?

Thanks

JK
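Editor's added example, not code from the original post or its author: the server-side configuration from step 4 above, written out as a PowerShell script that sets the AppID values and the machine-wide DCOM limits with explicit security descriptors instead of clicking through dcomcnfg. It assumes the placeholder AppID `{MyServerID}` and the local account `MyUser` from the post, and that it is run elevated on the server machine. The SDDL rights tokens are the standard mapping of the COM_RIGHTS_* access-mask bits; Everyone and ANONYMOUS LOGON are deliberately left out of the access ACL, since at Connect level every caller is an authenticated account.

```powershell
# Added example: configure per-AppID and machine-wide DCOM security.
# Assumptions (placeholders from the question): AppID {MyServerID}, local
# account MyUser on this host. Run in an elevated PowerShell on the server.
#
# DCOM access-mask bits and their SDDL tokens:
#   1  COM_RIGHTS_EXECUTE          CC
#   2  COM_RIGHTS_EXECUTE_LOCAL    DC
#   4  COM_RIGHTS_EXECUTE_REMOTE   LC
#   8  COM_RIGHTS_ACTIVATE_LOCAL   SW
#  16  COM_RIGHTS_ACTIVATE_REMOTE  RP
$AppId = '{MyServerID}'   # placeholder: the server's real AppID GUID
$RunAs = 'MyUser'         # local account the server runs as

function Get-Sid([string]$Account) {
    # Resolve an account name to its SID string so it can be used in SDDL.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-DcomSdBytes([hashtable]$Grants) {
    # Build a self-relative security descriptor (REG_BINARY) from a map of
    # SID or SDDL abbreviation -> rights string. Owner/group: Administrators.
    $aces = ($Grants.GetEnumerator() | ForEach-Object {
        "(A;;$($_.Value);;;$($_.Key))" }) -join ''
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor("O:BAG:BAD:$aces")
    $bytes = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    return $bytes
}

$userSid = Get-Sid $RunAs

# AppID: authentication level Connect (DWORD 2), RunAs, and per-app ACLs.
$appKey = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
New-Item -Path $appKey -Force | Out-Null
Set-ItemProperty -Path $appKey -Name AuthenticationLevel -Value 2 -Type DWord
Set-ItemProperty -Path $appKey -Name RunAs -Value $RunAs -Type String

# Launch/activation: MyUser and Administrators local+remote; Interactive (IU)
# and Local System (SY) local launch + local activation only.
$launch = @{
    $userSid = 'CCDCLCSWRP'
    'BA'     = 'CCDCLCSWRP'
    'IU'     = 'CCDCSW'
    'SY'     = 'CCDCSW'
}
Set-ItemProperty -Path $appKey -Name LaunchPermission -Type Binary `
    -Value (ConvertTo-DcomSdBytes $launch)

# Access (method calls): MyUser and SELF (PS) local+remote, System local only.
$access = @{
    $userSid = 'CCDCLC'
    'PS'     = 'CCDCLC'
    'SY'     = 'CCDC'
}
Set-ItemProperty -Path $appKey -Name AccessPermission -Type Binary `
    -Value (ConvertTo-DcomSdBytes $access)

# Machine-wide limits cap every AppID ACL, so MyUser needs remote rights
# here as well; Everyone (WD) stays local only.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$machineLaunch = @{ $userSid = 'CCDCLCSWRP'; 'BA' = 'CCDCLCSWRP'; 'WD' = 'CCDCSW' }
$machineAccess = @{ $userSid = 'CCDCLC'; 'WD' = 'CCDC' }
Set-ItemProperty -Path $oleKey -Name MachineLaunchRestriction -Type Binary `
    -Value (ConvertTo-DcomSdBytes $machineLaunch)
Set-ItemProperty -Path $oleKey -Name MachineAccessRestriction -Type Binary `
    -Value (ConvertTo-DcomSdBytes $machineAccess)

# Check: decode what was written back into SDDL for review.
foreach ($name in 'LaunchPermission', 'AccessPermission') {
    $raw = (Get-ItemProperty -Path $appKey -Name $name).$name
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
    '{0}: {1}' -f $name, $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}
```

One caveat worth knowing on the client side, independent of the registry: the COAUTHINFO passed through COSERVERINFO governs only the activation request that CoCreateInstanceEx sends. Method calls on the returned interface go through that proxy's own security blanket, which is taken from the process defaults unless CoSetProxyBlanket is called on the interface pointer (and on every further pointer obtained via QueryInterface, since the blanket is per proxy). A practitioner who sees activation succeed and the first method call fail should check the proxy blanket before touching the ACLs again.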
