George Mills
I have a DCOM application that needs to run between all combinations of
XP-SP1, XP-SP2, and Win2k.
All was fine until XP-SP2.
We can get everything working if we add Remote Access to Anonymous Login DCOM
Limits.
The Client is a Win32 desktop app. The server is an ATL COM Service.
I keep getting E_ACCESSDENIED on the CoCreateInstanceEx() on the Client (when
Anonymous Login is disabled).
The ATL COM service also calls back on a Client Sink interface.
Everything is started manually on both Client and Server.
I want to enable the simplest (most portable) authentication.
Most customers run using an NT Domain. Some do not, and some cross domains.
Prior to XP-SP2 we used CoInitializeSecurity to shut down all
authentication.
We are not worried about security risks through our applications.
But I don't want to open up the new Computer wide ACL to Anonymous Login
to allow just our application to run.
I believe I am coming across the wire as anonymous and tried the suggestion
posted below to use NTLM authentication.
But it still fails.
Note the service is running under the default "System" account.
What am I missing?
======================= OLD POST by someone else ===================
Hi...
To make the client-server communication non-anonymous,
refer to the help on the ::CoInitializeSecurity
function; it describes it pretty well.
Remember that ::CoInitializeSecurity must be called on
both the client and server.
It's some time since I tested it, since I decided to go
for the anonymous logon, but after searching some code I
think these examples will work for you.
--- Server Side ---
// Register NTLM (RPC_C_AUTHN_WINNT) as the only authentication service.
SOLE_AUTHENTICATION_SERVICE* pacAuth = new SOLE_AUTHENTICATION_SERVICE;
pacAuth->dwAuthnSvc = RPC_C_AUTHN_WINNT;
pacAuth->dwAuthzSvc = RPC_C_AUTHZ_NAME;
pacAuth->pPrincipalName = NULL;
pacAuth->hr = S_OK;
::CoInitializeSecurity(NULL, 1, pacAuth, NULL, RPC_C_AUTHN_LEVEL_CONNECT,
    RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
--- Client Side ---
USES_CONVERSION;              // ATL macro required by A2W
COAUTHINFO aiAuthInfo;        // authentication settings for the activation
COSERVERINFO siServerInfo;    // identifies the remote machine
MULTI_QI mrmq[1];             // interface requested from the new object
// Process-wide defaults.
::CoInitializeSecurity(NULL, -1, NULL, NULL,
    RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IDENTIFY, NULL,
    EOAC_NONE, NULL);
// Activate with NTLM; a NULL pAuthIdentityData uses the caller's own credentials.
aiAuthInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
aiAuthInfo.dwAuthzSvc = RPC_C_AUTHZ_NAME;
aiAuthInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CONNECT;
aiAuthInfo.pwszServerPrincName = NULL;
aiAuthInfo.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
aiAuthInfo.pAuthIdentityData = NULL;
aiAuthInfo.dwCapabilities = 0;
siServerInfo.dwReserved1 = 0;
siServerInfo.pwszName = A2W("<Your servername>");
siServerInfo.pAuthInfo = &aiAuthInfo;
siServerInfo.dwReserved2 = 0;
mrmq[0].pIID = &<Your interface ID>;
mrmq[0].pItf = NULL;
mrmq[0].hr = 0;
::CoCreateInstanceEx(<Your classid>, NULL,
    CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER,
    &siServerInfo, 1, mrmq);
Regarding Workgroup security... To be able to run with
authenticated users the logins must (as you indicate) be
the same username and password on both the server and
client.
--Rune G
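Added example, not part of the original post or the quoted reply: the machine-wide DCOM access limits discussed above are stored as a self-relative binary security descriptor (on XP SP2, the MachineAccessRestriction value under HKLM\SOFTWARE\Microsoft\Ole). This Python audit helper parses such a descriptor and reports whether Anonymous Logon (S-1-5-7) has been granted remote access; the two sample descriptors are constructed here, and deny ACEs are listed by the parser but not evaluated.

```python
import struct

# COM access-right bits from the Windows SDK (COM_RIGHTS_*).
COM_RIGHTS = {1: "EXECUTE", 2: "EXECUTE_LOCAL", 4: "EXECUTE_REMOTE",
              8: "ACTIVATE_LOCAL", 16: "ACTIVATE_REMOTE"}
ANONYMOUS_LOGON = "S-1-5-7"

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-R-A-S... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def dacl_aces(sd):
    """Yield (ace_type, mask, sid) for allow/deny ACEs in a self-relative SD."""
    control, = struct.unpack_from("<H", sd, 2)
    dacl_off, = struct.unpack_from("<I", sd, 16)
    if not control & 0x0004 or dacl_off == 0:      # SE_DACL_PRESENT not set
        return
    count, = struct.unpack_from("<H", sd, dacl_off + 4)
    off = dacl_off + 8                              # skip the ACL header
    for _ in range(count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type in (0, 1):                      # ACCESS_ALLOWED / ACCESS_DENIED
            mask, = struct.unpack_from("<I", sd, off + 4)
            yield ace_type, mask, parse_sid(sd, off + 8)
        off += ace_size

def anonymous_remote_rights(sd):
    """Remote COM rights that allow ACEs grant to Anonymous Logon."""
    granted = 0
    for ace_type, mask, sid in dacl_aces(sd):
        if ace_type == 0 and sid == ANONYMOUS_LOGON:
            granted |= mask
    return [n for bit, n in COM_RIGHTS.items() if granted & bit and n.endswith("REMOTE")]

def build_sd(entries):
    """Constructed sample input: allow ACEs from [(authority, subauthorities, mask)]."""
    aces = b""
    for authority, subs, mask in entries:
        sid = bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
        aces += struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(entries), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

# Constructed descriptors, not dumps from a real machine.
LIMITS_LOCAL_ONLY = build_sd([(1, [0], 7), (5, [7], 3)])   # Anonymous: local access only
LIMITS_WORKAROUND = build_sd([(1, [0], 7), (5, [7], 7)])   # Anonymous: remote access added
```

On a real host, pass the raw bytes of the registry value to anonymous_remote_rights(); a non-empty result means the machine-wide limit has been opened to unauthenticated remote callers.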