Problems with security requirements in Windows WorkGroups.

womin

Hello everybody,

I have a .NET C# client-server application that is being used in two
machines with Windows XP installed. Both the client and the server are
executed into users of a Work Group.

I am using .NET Remoting to connect the client and the server with a TCP
channel. The registration of the channel is made by using the following code:

"ChannelServices.RegisterChannel(channel, true);"

Where "channel" is a TCP channel. The ensureSecurity option is set to "true"
in order to ensure the channel encryption.

Both the client and server must send objects to each other (usually using a
proxy).

The problem is, although this environment works well in most of the cases, I
have an example where I obtain the following error text when the server tries
to access the client proxy (the error is displayed in the client):

"A remote side security requirement was not fulfilled during authentication.
Try increase the ProtectionLevel and/or ImpersonationLevel".

It is important to remark that the (.NET Remoting) proxies have right
permissions when accessing the server from the client.

After that, I have proved making the following change to the TCP channel:

"ChannelServices.RegisterChannel(channel, false);"

That is, setting "false" the ensureSecurity option. So this means (as the
Microsoft documentation says) that the channel will be encrypted only in case
it is possible. So in this case the error is resolved because although the
server does not have the proper client credentials, the channel will not be
encrypted.

Finally, my question: I mandatory need to ensure the encryption of the
channel, and I need to know which could be the problem with the impersonation
and credentials in the wrong example. Is it machine configuration dependent?
Which is the reason for having two environments apparently identical (Windows
XP, WorkGroup, same users) but with different behaviors?

Could you please give me some help about my problem?

Thanks a lot in advance.

Regards,

Domingo.
 
Steven Cheng

Hi Domingo,

From your description, I got that you're encountering some security error
when using .net remoting to communicate between client, server
application, correct?

Based on my experience, this general error message could be caused by many
things such as user identity not supplied, or the client and server
channel's security setting not match.....

As for the error, what's the innerException, generally the inner exception
may provide some further information. Also, for non-domain machines that
need to communicate under windows authentication, you need to use a
duplicated account (with same username/password) on both sides. If
convenient, you can try creating a simplified client/server project
pair (with a very simple remoting class) to demonstrate the problem. And you
can send me the package so that I can also perform some tests on my side.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
 
womin

Hello Steven, first of all, thank you for your quick answer.

Yes, of course I have a security error as you can read in the error message
I obtain:

"A remote side security requirement was not fulfilled during authentication.
Try increase the ProtectionLevel and/or ImpersonationLevel".

(No Inner Exception is thrown)

I can give you some code generated for the error purpose. It consists in a
small chat application between a client (ChatClient) and a server
(ChatServer). By the way, how should I send you the code? I can not find a
way in my web news interface... :(

I am executing the example in two machines with Windows XP, the same users
and passwords in both machines and belonging to a WorkGroup.

When I try to use the TCP channel I get the error (with NO inner exception
messages) I have written above.

Thanks again and regards,

Domingo.
 
Steven Cheng

Thanks for your reply Domingo,

You can reach me through the following email:

"stcheng" + "@" + "microsoft.com"

Best regards,

Steven Cheng
Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

--------------------

womin

Hi again, Steven.

I have sent you an email some days ago with the example code to the address
you wrote me below. Did you receive it? If not, please let me know to try to
send it again.

Thank you very much, sincerely,

Domingo.
 
Steven Cheng

Hi Domingo,

I've got the email. Seems it is originally routed to an incorrect folder
which made me miss it. I'll perform some test on it and let you know my
results.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead




--------------------

Steven Cheng

Hi Domingo,

I have performed some tests on the projects, so far I've tried running it
on multiple machines (such as XP or windows 2k3 server). I have domain
environment, so I use local accounts to run both of them and here is the
result:

** with duplicated account (same username/password), it works

** with a normal local account (only exists on client machine), it fails.

I'll try establishing a non-domain environment to see whether it differs. It
may take some further time since all my existing local test environment are
in domain.

Steven Cheng
Microsoft MSDN Online Support Lead


--------------------
 
visual_devel

Ok Steven, I will wait until you test a non-domain environment (remember I
tested a WorkGroup).

Thanks,

Domingo.
 
Steven Cheng

Hi Domingo,

After testing on two workgroup (non-domain) machines, I've repro the
problem. I'll do some further research on this and let you know as soon as
I get any new update.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



--------------------

Steven Cheng

Hi Domingo,

After further research, I've got some information that may help on this
issue. For two non-domain computers (with local accounts) scenario in
remoting, you can check the following setting in Windows Local security
policy:

** Launch secpol.msc or use the following path to open local security
setting:

"control panel-->administrative tools-->local security policy"

** In the opened mmc console, locate "Local Policies--> Security Options"
node in left view

** In the right view, find the following setting item:

Network access: Sharing and security model for local accounts

The setting could be set to "guest only". If so, switch it to "classic".

Reboot the machine and test again to see whether it works. In my local
test environment, I used two Windows XP boxes; after changing the above mode
to "classic" on both ones, the local accounts work for non-domain
environment remoting.

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
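
Added example, not part of the original thread and not Domingo's or Steven's code: the policy named in the post above is stored in the `ForceGuest` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = Guest only, 0 = Classic), so the application can check it on each machine before registering the encrypted TCP channel. The class name, method names and port 9000 are hypothetical.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using Microsoft.Win32;

static class SecureChannelSetup   // hypothetical helper, not from the thread
{
    const string LsaKey = @"SYSTEM\CurrentControlSet\Control\Lsa";

    // True when "Network access: Sharing and security model for local
    // accounts" is "Guest only": network logons with local accounts are then
    // mapped to Guest, so the peer never sees the duplicated account.
    public static bool IsGuestOnlyModel()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(LsaKey))
        {
            object value = (key == null) ? null : key.GetValue("ForceGuest");
            return value is int && (int)value == 1;
        }
    }

    // Registers a TCP channel that must authenticate and encrypt, and refuses
    // to start under the policy that produces the error from the thread.
    public static void RegisterSecureTcpChannel(int port)
    {
        if (IsGuestOnlyModel())
            throw new InvalidOperationException(
                "Local accounts use the 'Guest only' model; switch the policy " +
                "to 'Classic' on both machines and reboot before retrying.");

        IDictionary props = new Hashtable();
        props["port"] = port;
        props["secure"] = true;                      // same effect as ensureSecurity
        props["protectionLevel"] = "EncryptAndSign"; // reject unencrypted traffic
        TcpChannel channel = new TcpChannel(props, null, null);

        // Keep ensureSecurity = true: 'false' only hides the failure by
        // letting the channel run without encryption.
        ChannelServices.RegisterChannel(channel, true);
    }

    static void Main()
    {
        RegisterSecureTcpChannel(9000);              // constructed port number
        Console.WriteLine("Secure TCP channel registered.");
    }
}
```

Because the server calls back into the client, the check has to pass on both machines, not only on the one that hosts the server.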



--------------------
 
Steven Cheng [MSFT]

Hi Domingo,

Does the suggestion in previous message help on this issue?

Best regards,

Steven Cheng
Microsoft MSDN Online Support Lead

 
