DCOM hell with SP2, Only way out seems to be system wide anonymous login

[George Mills]

I have a DCOM application that needs to run between all combinations of
XP-SP1, XP-SP2, and Win2k

All was fine until XP-SP2.

We can get everything working if we add Remote Acess to Anonymous Login DCOM
Limits.

The Client is a Win32 desktop app. The server is an ATL COM Service.

I keep getting E_ACCESSDENIED on the CoCreateInstanceEX() on Client (when
Anonymous Login is disabled)

The ATL COM service also calls back on a Client Sink interface.

Everything is started manually on both Client and Server.

I want to enable the simplest (most portable) authetication.

Most customers run using an NT Domain. Some do not, And some cross domains.

Previously to XP-SP2 we used CoInitializeSecurity to shutdown all
authetication.
We are not worried about security risks through our applications.

But I don't want to open up the the new Computer wide ACL to Anonymous Login
to allow just our application to run.

I believe I am coming across the wire as anonymous and tried the suggestion
posted below to use NTLM authebtication.

But it still fails.

Note the service is running under the default "System" account.

What am I missing?

======================= OLD POST by someone else ===================

Hi...

To make the client-server communication to be non
anonymous, refer to the help on ::CoInitializeSecurity
function, it describes it pretty good.

Remember that ::CoInitializeSecurity must be called on
both the client and server.
It's some time since I tested it, since I decided to go
for the anonymous logon, but after searching some code I
think these examples will work for you.
--- Server Side ---
SOLE_AUTHENTICATION_SERVICE* pacAuth = new
SOLE_AUTHENTICATION_SERVICE;

pacAuth->dwAuthnSvc = RPC_C_AUTHN_WINNT;
pacAuth->dwAuthzSvc = RPC_C_AUTHZ_NAME;
pacAuth->pPrincipalName = NULL;
pacAuth->hr = S_OK;

::CoInitializeSecurity
(NULL,1,pacAuth,NULL,RPC_C_AUTHN_LEVEL_CONNECT,RPC_C_IMP_L
EVEL_IMPERSONATE,NULL,EOAC_NONE,NULL);


--- Client Side ---
::CoInitializeSecurity(NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL,
EOAC_NONE, NULL);

aiAuthInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
aiAuthInfo.dwAuthzSvc = RPC_C_AUTHZ_NAME;
aiAuthInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
aiAuthInfo.pwszServerPrincName = NULL;
aiAuthInfo.dwImpersonationLevel =
RPC_C_IMP_LEVEL_IMPERSONATE;
aiAuthInfo.pAuthIdentityData = NULL;
aiAuthInfo.dwCapabilities = 0;

siServerInfo.dwReserved1 = 0;
siServerInfo.pwszName = A2W("<Your servername>");
siServerInfo.pAuthInfo = &aiAuthInfo;
siServerInfo.dwReserved2 = 0;

mrmq[0].pIID = &<Your interface ID>;
mrmq[0].pItf = NULL;
mrmq[0].hr = 0;

::CoCreateInstanceEx(<Your classid>, NULL,
CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
&siServerInfo, 1, mrmq);


Regarding Workgroup security... To be able to run with
authenticated users the logins must (as you indicates) be
the same username and password on both the server and
client.

--Rune G

 

[George Mills]

I made some progress on this.
Turns out the group "Everyone" does NOT include Domain Users. This
supposedly changed in XP.
I added Domain Users to the DCOM Computer Limits and to My service and I got
past CoCreateInstanceEx() E_ACCESSDENIED.
Then all my QueryInterface calls got E_ACCESSDENIED. I added
CoSetProxyBlanket call for every interface and it seems to be working.
So if the admin wants anybody they add Anonymous Logon, If they only want
Domain Users they add Domain Users.
I also removed all the suggestions below and pass NULL to
CoCreateInstanceEx() for the authetucation list. And NULL to
CoInitializeSecurty()
This was insane sorting it out.
Is there anything better I could do?

Here is a snippet of the code, Error checking removed:

CoInitializeSecurity(NULL, -1, NULL, NULL,RPC_C_AUTHN_LEVEL_NONE,
RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

CComPtr<IPBMSeqQMgr> msQMgrComPtr;
CComPtr<IUnknown> spIUnknown;

COSERVERINFO csi = {0, A2W(m_ServerHostNameArray), NULL, 0};
MULTI_QI qi = {&__uuidof(IPBMSeqQMgr), NULL, S_OK};

CoCreateInstanceEx(CLSID_MasterSeq, NULL, CLSCTX_REMOTE_SERVER, &csi, 1,
&qi);
msQMgrComPtr = static_cast<IPBMSeqQMgr *>(qi.pItf);
msQMgrComPtr.QueryInterface(&spIUnknown); // This was REQUIRED !!! I could
not use interface return from QI directly in CoSetProxyBlanket()
CoSetProxyBlanket(spIUnknown, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NAME, NULL,
RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
msQMgrComPtr.QueryInterface(&msInterfacePointers.spIPBMethodValidate);

I have a DCOM application that needs to run between all combinations of
XP-SP1, XP-SP2, and Win2k

All was fine until XP-SP2.

We can get everything working if we add Remote Acess to Anonymous Login
DCOM
Limits.

The Client is a Win32 desktop app. The server is an ATL COM Service.

I keep getting E_ACCESSDENIED on the CoCreateInstanceEX() on Client (when
Anonymous Login is disabled)

The ATL COM service also calls back on a Client Sink interface.

Everything is started manually on both Client and Server.

I want to enable the simplest (most portable) authetication.

Most customers run using an NT Domain. Some do not, And some cross
domains.

Previously to XP-SP2 we used CoInitializeSecurity to shutdown all
authetication.
We are not worried about security risks through our applications.

But I don't want to open up the the new Computer wide ACL to Anonymous
Login
to allow just our application to run.

I believe I am coming across the wire as anonymous and tried the
suggestion
posted below to use NTLM authebtication.

But it still fails.

Note the service is running under the default "System" account.

What am I missing?

======================= OLD POST by someone else ===================

Hi...

To make the client-server communication to be non
anonymous, refer to the help on ::CoInitializeSecurity
function, it describes it pretty good.

Remember that ::CoInitializeSecurity must be called on
both the client and server.
It's some time since I tested it, since I decided to go
for the anonymous logon, but after searching some code I
think these examples will work for you.
--- Server Side ---
SOLE_AUTHENTICATION_SERVICE* pacAuth = new
SOLE_AUTHENTICATION_SERVICE;

pacAuth->dwAuthnSvc = RPC_C_AUTHN_WINNT;
pacAuth->dwAuthzSvc = RPC_C_AUTHZ_NAME;
pacAuth->pPrincipalName = NULL;
pacAuth->hr = S_OK;

::CoInitializeSecurity
(NULL,1,pacAuth,NULL,RPC_C_AUTHN_LEVEL_CONNECT,RPC_C_IMP_L
EVEL_IMPERSONATE,NULL,EOAC_NONE,NULL);


--- Client Side ---
::CoInitializeSecurity(NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL,
EOAC_NONE, NULL);

aiAuthInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
aiAuthInfo.dwAuthzSvc = RPC_C_AUTHZ_NAME;
aiAuthInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
aiAuthInfo.pwszServerPrincName = NULL;
aiAuthInfo.dwImpersonationLevel =
RPC_C_IMP_LEVEL_IMPERSONATE;
aiAuthInfo.pAuthIdentityData = NULL;
aiAuthInfo.dwCapabilities = 0;

siServerInfo.dwReserved1 = 0;
siServerInfo.pwszName = A2W("<Your servername>");
siServerInfo.pAuthInfo = &aiAuthInfo;
siServerInfo.dwReserved2 = 0;

mrmq[0].pIID = &<Your interface ID>;
mrmq[0].pItf = NULL;
mrmq[0].hr = 0;

::CoCreateInstanceEx(<Your classid>, NULL,
CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
&siServerInfo, 1, mrmq);


Regarding Workgroup security... To be able to run with
authenticated users the logins must (as you indicates) be
the same username and password on both the server and
client.

--Rune G

-----Original Message-----
Hi all,

Let me say at first that SP2 is a lot of work for me so far... Our
application worked for NT4 and up and since SP2, there is a lot the be
configured to make it work. I have found the info to configure XP SP2 for
anonymous client-server authentication and it's working.

Now I need to find a way not to use anonymous-logon to make dcom work. Most
of my clients are not on a domain, not even on a same workgroup. Is there a
way to make dcom use connect or something else, without opening everything
for anonymous.

I tried different approach, but the server alway see the client coming with
NT AUTHORITY\ANONYMOUS LOGON SID ...

Even if I set my client side for "connect".

From what I understand.
1. On the client side, Dcom obtains a user name
2. The server authenticate the user
3. Is the user in the list
4. Fail or accept

So if I have on client-server(not a domain) the same user/pass pair, it
should work?

I probably don't understand this correctly, since I cannot make it work
outside anonymous.

Any help - pointers would be appreciated.

Regards


.

 

[George Mills]

Ok, I tested XP SP2 --> Win2K server and it fails.

It fails only on callback interfaces.

I "new" a COM Atl callback interface object and pass it to the server and it
gets access denied calling back.

I tried putting in CoInitializeSecurity on the client but no go.

I can't use CoSetProxyBlanket on my callback interface, it fails with
E_NOINTERFACE.

My current thought is that I need to make my callback interface a public
registered interface and CoCreate it rather than new it
then set CoSetProxyBlanket on it and pass that object to server.

But this seems way over kill, is there any other way.

I made some progress on this.
Turns out the group "Everyone" does NOT include Domain Users. This
supposedly changed in XP.
I added Domain Users to the DCOM Computer Limits and to My service and I
got past CoCreateInstanceEx() E_ACCESSDENIED.
Then all my QueryInterface calls got E_ACCESSDENIED. I added
CoSetProxyBlanket call for every interface and it seems to be working.
So if the admin wants anybody they add Anonymous Logon, If they only want
Domain Users they add Domain Users.
I also removed all the suggestions below and pass NULL to
CoCreateInstanceEx() for the authetucation list. And NULL to
CoInitializeSecurty()
This was insane sorting it out.
Is there anything better I could do?

Here is a snippet of the code, Error checking removed:

CoInitializeSecurity(NULL, -1, NULL, NULL,RPC_C_AUTHN_LEVEL_NONE,
RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

CComPtr<IPBMSeqQMgr> msQMgrComPtr;
CComPtr<IUnknown> spIUnknown;

COSERVERINFO csi = {0, A2W(m_ServerHostNameArray), NULL, 0};
MULTI_QI qi = {&__uuidof(IPBMSeqQMgr), NULL, S_OK};

CoCreateInstanceEx(CLSID_MasterSeq, NULL, CLSCTX_REMOTE_SERVER, &csi, 1,
&qi);
msQMgrComPtr = static_cast<IPBMSeqQMgr *>(qi.pItf);
msQMgrComPtr.QueryInterface(&spIUnknown); // This was REQUIRED !!! I could
not use interface return from QI directly in CoSetProxyBlanket()
CoSetProxyBlanket(spIUnknown, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NAME, NULL,
RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
msQMgrComPtr.QueryInterface(&msInterfacePointers.spIPBMethodValidate);

I have a DCOM application that needs to run between all combinations of
XP-SP1, XP-SP2, and Win2k

All was fine until XP-SP2.

We can get everything working if we add Remote Acess to Anonymous Login
DCOM
Limits.

The Client is a Win32 desktop app. The server is an ATL COM Service.

I keep getting E_ACCESSDENIED on the CoCreateInstanceEX() on Client (when
Anonymous Login is disabled)

The ATL COM service also calls back on a Client Sink interface.

Everything is started manually on both Client and Server.

I want to enable the simplest (most portable) authetication.

Most customers run using an NT Domain. Some do not, And some cross
domains.

Previously to XP-SP2 we used CoInitializeSecurity to shutdown all
authetication.
We are not worried about security risks through our applications.

But I don't want to open up the the new Computer wide ACL to Anonymous
Login
to allow just our application to run.

I believe I am coming across the wire as anonymous and tried the
suggestion
posted below to use NTLM authebtication.

But it still fails.

Note the service is running under the default "System" account.

What am I missing?

======================= OLD POST by someone else ===================

Hi...

To make the client-server communication to be non
anonymous, refer to the help on ::CoInitializeSecurity
function, it describes it pretty good.

Remember that ::CoInitializeSecurity must be called on
both the client and server.
It's some time since I tested it, since I decided to go
for the anonymous logon, but after searching some code I
think these examples will work for you.
--- Server Side ---
SOLE_AUTHENTICATION_SERVICE* pacAuth = new
SOLE_AUTHENTICATION_SERVICE;

pacAuth->dwAuthnSvc = RPC_C_AUTHN_WINNT;
pacAuth->dwAuthzSvc = RPC_C_AUTHZ_NAME;
pacAuth->pPrincipalName = NULL;
pacAuth->hr = S_OK;

::CoInitializeSecurity
(NULL,1,pacAuth,NULL,RPC_C_AUTHN_LEVEL_CONNECT,RPC_C_IMP_L
EVEL_IMPERSONATE,NULL,EOAC_NONE,NULL);


--- Client Side ---
::CoInitializeSecurity(NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL,
EOAC_NONE, NULL);

aiAuthInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
aiAuthInfo.dwAuthzSvc = RPC_C_AUTHZ_NAME;
aiAuthInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
aiAuthInfo.pwszServerPrincName = NULL;
aiAuthInfo.dwImpersonationLevel =
RPC_C_IMP_LEVEL_IMPERSONATE;
aiAuthInfo.pAuthIdentityData = NULL;
aiAuthInfo.dwCapabilities = 0;

siServerInfo.dwReserved1 = 0;
siServerInfo.pwszName = A2W("<Your servername>");
siServerInfo.pAuthInfo = &aiAuthInfo;
siServerInfo.dwReserved2 = 0;

mrmq[0].pIID = &<Your interface ID>;
mrmq[0].pItf = NULL;
mrmq[0].hr = 0;

::CoCreateInstanceEx(<Your classid>, NULL,
CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
&siServerInfo, 1, mrmq);


Regarding Workgroup security... To be able to run with
authenticated users the logins must (as you indicates) be
the same username and password on both the server and
client.

--Rune G

-----Original Message-----
Hi all,

Let me say at first that SP2 is a lot of work for me so far... Our
application worked for NT4 and up and since SP2, there is a lot the be
configured to make it work. I have found the info to configure XP SP2 for
anonymous client-server authentication and it's working.

Now I need to find a way not to use anonymous-logon to make dcom work. Most
of my clients are not on a domain, not even on a same workgroup. Is there a
way to make dcom use connect or something else, without opening everything
for anonymous.

I tried different approach, but the server alway see the client coming with
NT AUTHORITY\ANONYMOUS LOGON SID ...

Even if I set my client side for "connect".

From what I understand.
1. On the client side, Dcom obtains a user name
2. The server authenticate the user
3. Is the user in the list
4. Fail or accept

So if I have on client-server(not a domain) the same user/pass pair, it
should work?

I probably don't understand this correctly, since I cannot make it work
outside anonymous.

Any help - pointers would be appreciated.

Regards


.

 

[George Mills]

The Saga continues.

I was in error below I was testing XP SP2 --> XP SP1 (not Win2k).

Anyway it's pretty much the same problem though.

After much reading I've convinced that my plan below would not solve the
problem because my callback object would still be in-proc and have no Proxy.

So I tried using a Domain Account on running the service and it all works.

Is there any way to give permission to a non domain service (i.e. "Local
System" on a Domain Computer) to call me back !!!

Prior to SP2 a "Local System" service was allowed to impersonate the client
credentials and now no longer allowed.

This seems incredibly complex to ask users and administrators to setup to
allow our remote console application to work without decreasing security.

Ok, I tested XP SP2 --> Win2K server and it fails.

It fails only on callback interfaces.

I "new" a COM Atl callback interface object and pass it to the server and
it gets access denied calling back.

I tried putting in CoInitializeSecurity on the client but no go.

I can't use CoSetProxyBlanket on my callback interface, it fails with
E_NOINTERFACE.

My current thought is that I need to make my callback interface a public
registered interface and CoCreate it rather than new it
then set CoSetProxyBlanket on it and pass that object to server.

But this seems way over kill, is there any other way.

I made some progress on this.
Turns out the group "Everyone" does NOT include Domain Users. This
supposedly changed in XP.
I added Domain Users to the DCOM Computer Limits and to My service and I
got past CoCreateInstanceEx() E_ACCESSDENIED.
Then all my QueryInterface calls got E_ACCESSDENIED. I added
CoSetProxyBlanket call for every interface and it seems to be working.
So if the admin wants anybody they add Anonymous Logon, If they only want
Domain Users they add Domain Users.
I also removed all the suggestions below and pass NULL to
CoCreateInstanceEx() for the authetucation list. And NULL to
CoInitializeSecurty()
This was insane sorting it out.
Is there anything better I could do?

Here is a snippet of the code, Error checking removed:

CoInitializeSecurity(NULL, -1, NULL, NULL,RPC_C_AUTHN_LEVEL_NONE,
RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

CComPtr<IPBMSeqQMgr> msQMgrComPtr;
CComPtr<IUnknown> spIUnknown;

COSERVERINFO csi = {0, A2W(m_ServerHostNameArray), NULL, 0};
MULTI_QI qi = {&__uuidof(IPBMSeqQMgr), NULL, S_OK};

CoCreateInstanceEx(CLSID_MasterSeq, NULL, CLSCTX_REMOTE_SERVER, &csi, 1,
&qi);
msQMgrComPtr = static_cast<IPBMSeqQMgr *>(qi.pItf);
msQMgrComPtr.QueryInterface(&spIUnknown); // This was REQUIRED !!! I
could not use interface return from QI directly in CoSetProxyBlanket()
CoSetProxyBlanket(spIUnknown, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NAME, NULL,
RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE);
msQMgrComPtr.QueryInterface(&msInterfacePointers.spIPBMethodValidate);

I have a DCOM application that needs to run between all combinations of
XP-SP1, XP-SP2, and Win2k

All was fine until XP-SP2.

We can get everything working if we add Remote Acess to Anonymous Login
DCOM
Limits.

The Client is a Win32 desktop app. The server is an ATL COM Service.

I keep getting E_ACCESSDENIED on the CoCreateInstanceEX() on Client
(when
Anonymous Login is disabled)

The ATL COM service also calls back on a Client Sink interface.

Everything is started manually on both Client and Server.

I want to enable the simplest (most portable) authetication.

Most customers run using an NT Domain. Some do not, And some cross
domains.

Previously to XP-SP2 we used CoInitializeSecurity to shutdown all
authetication.
We are not worried about security risks through our applications.

But I don't want to open up the the new Computer wide ACL to Anonymous
Login
to allow just our application to run.

I believe I am coming across the wire as anonymous and tried the
suggestion
posted below to use NTLM authebtication.

But it still fails.

Note the service is running under the default "System" account.

What am I missing?

======================= OLD POST by someone else ===================

Hi...

To make the client-server communication to be non
anonymous, refer to the help on ::CoInitializeSecurity
function, it describes it pretty good.

Remember that ::CoInitializeSecurity must be called on
both the client and server.
It's some time since I tested it, since I decided to go
for the anonymous logon, but after searching some code I
think these examples will work for you.
--- Server Side ---
SOLE_AUTHENTICATION_SERVICE* pacAuth = new
SOLE_AUTHENTICATION_SERVICE;

pacAuth->dwAuthnSvc = RPC_C_AUTHN_WINNT;
pacAuth->dwAuthzSvc = RPC_C_AUTHZ_NAME;
pacAuth->pPrincipalName = NULL;
pacAuth->hr = S_OK;

::CoInitializeSecurity
(NULL,1,pacAuth,NULL,RPC_C_AUTHN_LEVEL_CONNECT,RPC_C_IMP_L
EVEL_IMPERSONATE,NULL,EOAC_NONE,NULL);


--- Client Side ---
::CoInitializeSecurity(NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL,
EOAC_NONE, NULL);

aiAuthInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
aiAuthInfo.dwAuthzSvc = RPC_C_AUTHZ_NAME;
aiAuthInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
aiAuthInfo.pwszServerPrincName = NULL;
aiAuthInfo.dwImpersonationLevel =
RPC_C_IMP_LEVEL_IMPERSONATE;
aiAuthInfo.pAuthIdentityData = NULL;
aiAuthInfo.dwCapabilities = 0;

siServerInfo.dwReserved1 = 0;
siServerInfo.pwszName = A2W("<Your servername>");
siServerInfo.pAuthInfo = &aiAuthInfo;
siServerInfo.dwReserved2 = 0;

mrmq[0].pIID = &<Your interface ID>;
mrmq[0].pItf = NULL;
mrmq[0].hr = 0;

::CoCreateInstanceEx(<Your classid>, NULL,
CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
&siServerInfo, 1, mrmq);


Regarding Workgroup security... To be able to run with
authenticated users the logins must (as you indicates) be
the same username and password on both the server and
client.

--Rune G

-----Original Message-----
Hi all,

Let me say at first that SP2 is a lot of work for me so
far... Our
application worked for NT4 and up and since SP2, there
is a lot the be
configured to make it work. I have found the info to
configure XP SP2 for
anonymous client-server authentication and it's working.

Now I need to find a way not to use anonymous-logon to
make dcom work. Most
of my clients are not on a domain, not even on a same
workgroup. Is there a
way to make dcom use connect or something else, without
opening everything
for anonymous.

I tried different approach, but the server alway see the
client coming with
NT AUTHORITY\ANONYMOUS LOGON SID ...

Even if I set my client side for "connect".

From what I understand.
1. On the client side, Dcom obtains a user name
2. The server authenticate the user
3. Is the user in the list
4. Fail or accept

So if I have on client-server(not a domain) the same
user/pass pair, it
should work?

I probably don't understand this correctly, since I
cannot make it work
outside anonymous.

Any help - pointers would be appreciated.

Regards


.