COM+ Transient Subscription permissions

[Matt Sidare]

How do give a user permission to programatically save
changes the COMAdmin.COMAdminCatalog object. The script
needs to add a transientsubscription. I can do this as
administrator but I need to add the transientsubscription
with out being administrator. Is there a way to create
TransientSubscriptions with out being administrator?

every thing works well until I call oTSCol.SaveChanges I
get a permission denied error.
THis is the code I use:

Dim oCOMAdminCatalog As COMAdmin.COMAdminCatalog
Dim oTSCol As COMAdminCatalogCollection
Dim oSubscription As ICatalogObject



Set oCOMAdminCatalog = CreateObject
("COMAdmin.COMAdminCatalog.1")


' Get the transientsubscription collection
Set oTSCol = oCOMAdminCatalog.GetCollection
("TransientSubscriptions")
oTSCol.Populate
Set oSubscription = oTSCol.Add

' set some properties needed for the subscription
oSubscription.Value("SubscriberInterface") = objref
oSubscription.Value("EventCLSID") = clsid
oSubscription.Value("Name") = "a Transient Subscription"
& oSubscription.Value("ID")

' save the changes
oTSCol.SaveChanges

 

[Seaver]

Dear Matt,

Thank you for your posting.

According to your post, you wonder whether Administrator permission is a
must to modifiy COMAdmin.COMAdminCatalog object in COM+.

If I have misunderstood your concern please don't hesitate to let me know.

Windows 2000 security principals are identified with a two-level name made
up of the security authority and then the user name. The security authority
is either the workstation (for a standalone Windows 2000 Workstation
environment) or the domain if your machine that's running Windows 2000
Workstation is a member of a domain.

Even when in a Windows 2000 Server domain, machines running Windows 2000
Workstation continue to be their own security authorities with
(potentially) local- only accounts; however, they "trust" (are willing to
pass along security requests to) the domain controls of the domain in which
they reside.

Therefore you need to have Administrator permission to implement the
modification of COMAdmin.COMAdminCatalog object in COM+.

Sincerely,

Seaver Ren

Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

 

[Matt Sidare]

Seaver Ren,
Thank-you for your response. I just have a few with
respect to you response, if you dont mind.
I can create a proxy for the COM+ event how does this
play a role?
Are there any books that cover COM+ security and
configuration?

 

[Seaver]

Dear Matt,

I am glad to hear from you.

1. For Proxy's functioning role in COM+, proxy resides in the address space
of the calling process and acts as a surrogate for the remote object. From
the perspective of the calling object, the proxy is the object. Typically,
the proxy's role is to package the interface parameters for calls to
methods in its object interfaces. The proxy packages the parameters into a
message buffer and passes the buffer onto the channel, which handles the
transport between processes. The proxy is implemented as an aggregate, or
composite, object. It contains a system-provided, manager piece called the
proxy manager and one or more interface-specific components called
interface proxies. The number of interface proxies equals the number of
object interfaces that have been exposed to that particular client. To the
client complying with the component object model, the proxy appears to be
the real object.

Note: With custom marshaling, the proxy can be implemented similarly or it
can communicate directly with the object without using a stub.

Each interface proxy is a component object that implements the marshaling
code for one of the object's interfaces. The proxy represents the object
for which it provides marshaling code. Each proxy also implements the
IRpcProxyBuffer interface. Although the object interface represented by the
proxy is public, the IRpcProxyBuffer implementation is private and is used
internally within the proxy. The proxy manager keeps track of the interface
proxies and also contains the public implementation of the controlling
IUnknown interface for the aggregate. Each interface proxy can exist in a
separate DLL that is loaded when the interface it supports is materialized
to the client.

2. For books related to COM+ Security, you may refer to the following
books. Links below have provided their brief introductions and sample
chapters.

Understanding COM+
http://www.microsoft.com/mspress/books/index/3282.asp

Enhanced Security Options of Win2k/COM+
http://www.amazon.com/exec/obidos/tg/detail/-/B0000692OB/qid=1058838036/sr=8
-2/ref=sr_8_2/102-2695190-2707353?v=glance&s=books&n=507846

Configuring and Deploying COM+ Applications using .NET
http://www.amazon.com/exec/obidos/tg/detail/-/B00006FCUY/qid=1058838082/sr=1
-1/ref=sr_1_1/102-2695190-2707353?v=glance&s=books

Hope them help!

Sincerely,

Seaver

 

[Matt Sidare]

Seaver,

Thanks again for your response.

I have added a com+ Application on computer A. I
exported the proxy and installed it on computer B.
I get the following error after I transiently subscribe
to the event.

The COM+ Event System failed to fire the
MeasurementComplete method on subscription {EA041CCD-CEBB-
4130-9DFF-B2D3AEB12B31}. The subscriber returned HRESULT
8000401A.

Which is CO_E_RUNAS_LOGON_FAIL

What could cause this problem?

 

[Seaver]

Dear Matt,

The ID "EA041CCD-CEBB-4130-9DFF-B2D3AEB12B31" represents specific program
or service.

Before we perform any troubleshooting step, please launch Registry Editor,
input "EA041CCD" as keyword to search whole registry. Thus the specific
program/service's identity will be determined. Contact me with the result.

Similar issue is described in the following article for your information:

319590 Event ID 4354 May Appear in Event Viewer
http://support.microsoft.com/?id=319590

Sincerely,

Seaver

 

[Matt Sidare]

Seaver,
Thank-you for all of your help.
"EA041CCD-CEBB-4130-9DFF-B2D3AEB12B31" is a transient
subscription added by the client on the remote computer.
I believe my problem is correctly configuring the
security settings on the com+ application.

I think I need the following information:
1)How should I set the security in the COM+ Application
if the server machine is not on a domain and I want
anyone who wants to subscribe to the event be able to
subscribe?

1a)What should the Authentication level be?None?
(the Authentication on property page of the com+
application in the component services)

1b)What should the Impersonation level be? Deligate?
(the Authentication on property page of the com+
application in the component services)

1c)What about rolls, do I need to add any?

2)Do I need to set the DCOM settings on the client or the
server computer?

 

[Matt Sidare]

I have found the answer to my third question! It is a
bug. I found the following article in my MSDN library
(oct 2001)

BUG: ICatalogCollection::SaveChanges Fails with
ACCESS_DENIED When Trying to Subscribe to Events

 

[Seaver]

Dear Matt,

Note that if the computer does not belong to a domain, it's a computer in
workgroup and won't have general server function including administration
and authentication.

To allow anonymous subscription, you may refer to the suggestions listed in
the following article, and then install Windows 2000 SP4 directly.

324397 Failfast Occurs If the Authentication Level of a COM+ Server Package
Is
http://support.microsoft.com/?id=324397

About the questions regarding Authentication level, Impersonation level and
DCOM settings, please finish reading the following article:

158508 COM Security Frequently Asked Questions
http://support.microsoft.com/?id=158508

266717 HOWTO: Create a DCOM Client/Server Application by Using Visual Basic
http://support.microsoft.com/?id=266717

268550 HOWTO: Use Dcomcnfg for a Visual Basic DCOM Client/Server Application
http://support.microsoft.com/?id=268550

161837 HOWTO: Create a DCOM Client/Server Application
http://support.microsoft.com/?id=161837

266625 HOWTO: Enable DCOM to Work in a Peer-to-Peer Network
http://support.microsoft.com/?id=266625

Hope them help!

Regards,

Seaver