Connection Point Problems with NT Service

Uma Sundaram

Jun 30, 2000, 3:00:00 AM

Client & Server (ATL DCOM Remote Server supporting a proprietary
interface and Connection Point) have been functioning well until I
switched the server to an NT service.

Other things being the same (security for the C & S has not been
modified), now that the server is an NT service, the client gets an
"Access Denied" (0x80070005) error on calling AtlAdvise to hook up to
the connection point.

Does anyone have any insight into this problem?
Does an NT Service need special perms for the outgoing interface?

Appreciate any responses.
Thanks!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions are mine, not my employer's
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Uma Sundaram Software Engineer
Nonstop Solutions (http://www.nonstop.com)
e-mail:uma_su...@nonstop.com tel (770)261 0851
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Sent via Deja.com http://www.deja.com/
Before you buy.

Alexander Nickolov

Jun 30, 2000, 3:00:00 AM
The service must not run under the LocalSystem account, because
it has absolutely no network credentials.

--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
email: agnic...@geocities.com
MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================

"Uma Sundaram" <umamah...@my-deja.com> wrote in message
news:8jj4hc$u50$1...@nnrp1.deja.com...

kbc...@my-deja.com

Jul 3, 2000, 3:00:00 AM
As Alexander points out, the client needs permissions to access the
server. When you run the service under the Local System Account, then
there are no permissions beyond the boundary of your current machine.
Additionally, you are likely to run into the reverse situation also.
When the server attempts to call the client you will find that the
server may not have permission to call your client's interface. In
callbacks, the client becomes the server and vice versa.

I have solved this problem myself by either disabling DCOM security
entirely, see DCOMCNFG, or by running the two processes w/ the same
user id.
--
Randy Charles Morin [MVP] - http://www.kbcafe.com/
Author of "Programming Windows Services"
http://www.amazon.com/exec/obidos/ASIN/047138576X/kbcafe

In article <8jj4hc$u50$1...@nnrp1.deja.com>,

Uma Sundaram

Jul 6, 2000, 3:00:00 AM
In article <8jqg85$pdf$1...@nnrp1.deja.com>,

umamah...@my-deja.com wrote:
> As Alexander points out, the client needs permissions to access the
> server. When you run the service under the Local System Account, then
> there are no permissions beyond the boundary of your current machine.
> Additionally, you are likely to run into the reverse situation also.
> When the server attempts to call the client you will find that the
> server may not have permission to call your client's interface. In
> callbacks, the client becomes the server and vice versa.
>
> I have solved this problem myself by either disabling DCOM security
> entirely, see DCOMCNFG, or by running the two processes w/ the same
> user id.

If you can, please explain how to disable DCOM security entirely.
I can only see that I can turn the authentication to none. As far as
impersonation is concerned, it is either the system a/c or a specific
user for the local service.

Is there a way you can have DCOM security and still have the DCOM
server as an NT service?

Thanks!

> --
> Randy Charles Morin [MVP] - http://www.kbcafe.com/
> Author of "Programming Windows Services"
> http://www.amazon.com/exec/obidos/ASIN/047138576X/kbcafe

--

Uma Sundaram

Jul 6, 2000, 3:00:00 AM
Is there any MSDN literature that deals with issues of a DCOM server as
an NT service (installation, registration, security, etc.)?

Thanks!

In article <#60uXGu4$GA.1720@cpmsftngp05>,


"Alexander Nickolov" <agnic...@geocities.com> wrote:
> The service must not run under the LocalSystem account, because
> it has absolutely no network credentials.

--

kbc...@my-deja.com

Jul 8, 2000, 3:00:00 AM
Setting the Authentication level to none is disabling the DCOM
security. You do not have to modify the impersonation setting. Yes you
can have DCOM security enabled w/ a DCOM service, but you have to
absorb the pain of configuring your service and clients correctly. With
callback, this is quite difficult. Your best bet is to run the DCOM
Service and the clients using the same userid. This minimizes the
amount of configuration required. These subjects are addressed in a
book I co-authored called "COM/DCOM Unleashed" and my latest
book "Programming Windows Services".

--
Randy Charles Morin [MVP] - http://www.kbcafe.com/
Author of "Programming Windows Services"
http://www.amazon.com/exec/obidos/ASIN/047138576X/kbcafe

In article <8k2r5g$g1v$1...@nnrp1.deja.com>,


Uma Sundaram <umamah...@my-deja.com> wrote:
> If you can, please explain how to disable DCOM security entirely.
> I can only see that I can turn the authentication to none. As far as
> impersonation is concerned, it is either the system a/c or a specific
> user for the local service.
>
> Is there a way you can have DCOM security and still have the DCOM
> server as an NT service?
>
> Thanks!
>

kbc...@my-deja.com

Jul 8, 2000, 3:00:00 AM
Sources of DCOM/NT Service information:

- COM security FAQ
  http://support.microsoft.com/support/kb/articles/Q158/5/08.asp
- Richard Grimes' book Professional DCOM Programming
  http://www.amazon.com/exec/obidos/ASIN/186100060X/kbcafe
- Kevin Miller's book Professional NT Services
  http://www.amazon.com/exec/obidos/ASIN/1861001304/kbcafe
- My books COM/DCOM Unleashed
  http://www.amazon.com/exec/obidos/ASIN/0672313529/kbcafe
  and Programming Windows Services
  http://www.amazon.com/exec/obidos/ASIN/047138576X/kbcafe
- Alexander Nickolov's postings
- Girish Bharadwaj's postings

--
Randy Charles Morin [MVP] - http://www.kbcafe.com/
Author of "Programming Windows Services"
http://www.amazon.com/exec/obidos/ASIN/047138576X/kbcafe

In article <8k2rch$gap$1...@nnrp1.deja.com>,


Uma Sundaram <umamah...@my-deja.com> wrote:
> Is there any MSDN literature that deals with issues of DCOM server as
> NT service. (Installation, registration, security etc)
>
> Thanks!
>
> In article <#60uXGu4$GA.1720@cpmsftngp05>,
> "Alexander Nickolov" <agnic...@geocities.com> wrote:
> > The service must not run under the LocalSystem account, because
> > it has absolutely no network credentials.
>

Uma Sundaram

Jul 11, 2000, 3:00:00 AM

> Setting the Authentication level to none is disabling the DCOM
> security. You do not have to modify the impersonation setting.

Both above conditions are satisfied for Authen & Impersonation.
Security : Access/Launch perm to everyone (both on the C&S)

Besides, I have programmatically disabled security by calling
CoInitializeSecurity()

AtlAdvise call from the client fails with 0x80070005 - access denied.

Back to Square-1 (Sigh...)

Just to recap, the server is a (DCOM) NT Service with a connection
point for a callback intf implemented in the client.
Both C & S run on NT 4.0.

(I can't use the same user-id technique as the C & S are independent NT
servers and not in a domain OR belong to different domains -- for now
the case is they are _not_ in any domain)

I have seen the FAQs -- they are not of help for this situation.
Any help is appreciated.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions are mine, not my employer's
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Uma Sundaram Software Engineer
Nonstop Solutions (http://www.nonstop.com)
e-mail:uma_su...@nonstop.com tel (770)261 0851
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Uma Sundaram

Jul 11, 2000, 3:00:00 AM
The service is not running under LocalSystem a/c. Authentication set to
none. Security set to everyone/launch everyone/access. Security has
been turned off using CoInitializeSecurity.

Any Ideas?

In article <#60uXGu4$GA.1720@cpmsftngp05>,
"Alexander Nickolov" <agnic...@geocities.com> wrote:
> The service must not run under the LocalSystem account, because
> it has absolutely no network credentials.
>

> --
> =====================================
> Alexander Nickolov
> Microsoft MVP [VC], MCSD
> email: agnic...@geocities.com
> MVP VC FAQ: http://www.mvps.org/vcfaq
> =====================================
>
> "Uma Sundaram" <umamah...@my-deja.com> wrote in message
> news:8jj4hc$u50$1...@nnrp1.deja.com...
> >
> >

> > Client & Server (ATL DCOM Remote Server supporting a proprietary
> > interface and Connection Point) have been functioning well until I
> > switched the server to an NT service.
> >
> > Other things being the same (security for the c & S have not been
> > modified) now that the server is an NT service, the client gets an
> > "Access Denied" (0x80070005) error on calling AtlAdvise to hook up to
> > the connection point.
> >
> > Anyone has an insight into this problem?
> > Does an NT Service need special perms for the outgoing interface?
> >
> > Appreciate any responses.
> > Thanks!
> > --

--

Uma Sundaram

Jul 18, 2000, 3:00:00 AM
Here is an update on how I solved this problem:

Though authentication is set to none and impersonation omitted in
DCOMCNFG, the service assumes system account (as can be seen in
ControlPanel applet services/start-up params)

The catch is to programmatically disable security AND designate SOME
user. The latter seems to be a dummy, so as the SCM won't assume system
account. How bizarre!
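
Added example, not part of the thread or written by any of its posters: a PowerShell audit of the two settings the thread keeps returning to, the account a service-hosted DCOM server runs under and its DCOMCNFG authentication level. It reads the standard `LocalService` and `AuthenticationLevel` values under `HKCR\AppID`; the function names, service names and accounts are assumptions, and the sample entries are constructed.

```powershell
# Added example. Sample entries below are constructed, not taken from a real host.
# AuthenticationLevel under HKCR\AppID\{guid}: 1 = None ... 6 = Packet Privacy.

function Get-DcomServiceAppId {
    # Live host only: list every AppID whose LocalService value names a hosting service.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($p.LocalService) {
                $svc = Get-CimInstance Win32_Service -Filter "Name='$($p.LocalService)'"
                [pscustomobject]@{
                    AppId               = $_.PSChildName
                    Service             = $p.LocalService
                    Account             = $svc.StartName
                    AuthenticationLevel = $p.AuthenticationLevel
                }
            }
        }
}

function Test-DcomServiceAppId {
    # Evaluate one entry and report which of the thread's two conditions it meets.
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $findings = @()
        if ($Entry.Account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
            $findings += 'runs as LocalSystem (no explicit service account)'
        }
        if ($null -eq $Entry.AuthenticationLevel) {
            $findings += 'no per-AppID authentication level (machine default applies)'
        } elseif ($Entry.AuthenticationLevel -eq 1) {
            $findings += 'authentication level None: callers are not authenticated'
        }
        [pscustomobject]@{
            Service  = $Entry.Service
            Account  = $Entry.Account
            Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample: B mirrors the thread's end state (named account, authentication None).
$sample = @(
    [pscustomobject]@{ Service = 'ExampleSvcA'; Account = 'LocalSystem'; AuthenticationLevel = 1 }
    [pscustomobject]@{ Service = 'ExampleSvcB'; Account = '.\svc-dcom';  AuthenticationLevel = 1 }
    [pscustomobject]@{ Service = 'ExampleSvcC'; Account = '.\svc-dcom';  AuthenticationLevel = 5 }
)
$sample | Test-DcomServiceAppId | Format-Table -AutoSize -Wrap
# On a live host: Get-DcomServiceAppId | Test-DcomServiceAppId
```

A server that calls CoInitializeSecurity itself, as in the thread, overrides these registry values for its process, so a registry audit alone will not show security disabled in code.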
