DCOM: CoCreateInstanceEx returns E_ACCESSDENIED

dcomSecuritywindows-xp

I'm working on a DCOM application with the server and client on two machines, both of which are running WinXP with Service Pack 2. On both machines, I'm logged in with the same username and password.

When the client on one machine calls CoCreateInstanceEx, asking the other machine to start up the server application, it returns E_ACCESSDENIED.

I tried going into the server app's component properties in dcomcnfg and giving full permisions to everyone for everything, but that didn't help.

What do I need to do to allow this call to succeed?

Update: When the server app is running on a Windows 2000 box, I do not get this error; CoCreateInstanceEx returns S_OK.

Best Answer

Right, so if your Authentication level is set to Default. What is the authentication level set to in the Default Settings? Just out of interest. (although the fact that it works to a 2000 box probably makes that redundant)

EDIT:

Also: I seem to remember doing a lot of rebooting when I used to play/work with DCOM so maybe a quick reboot of both machines when you're happy with the dcomcnfg settings wouldn't go amis either.

Related Solutions

C++ – DCOM CoCreateInstanceEx E_ACCESSDENIED

access is ONE choice under dcom... you also need Launch and Activation settings... I'd hit that next...

Windows – How does impersonation in DCOM work

Answering my own question. After much exploration it became apparent that DCOM has TWO different identification cases:

Authorization for object creation (CoCreateInstanceEx)
Authorization for method calls.

For reasons unknown, #2 doesn't inherit #1 settings. By default it uses the credentials of the client process, hence strange logins.

There are two ways to specify credentials for #2. First one is CoSetProxyBlanket. It sets credentials for a specified proxy (marshaller-unmarshaller) only:

CoCreateInstanceEx(IID_IObject1, /*login, pass*/, obj1); //Success!
//Logged in and recevied IObject1 proxy in obj1

obj1->DoSomething();
//IObject1 proxy in obj1 now tries to login under process credentials.
//Failure! E_ACCESSDENIED

CoSetProxyBlanket(obj1, /*login, pass*/); //Success!
//IObject1 proxy is now authorized.

obj1->DoSomething(); //Success!
obj1->QueryInterface(IID_IObject2, obj2); //Success!

obj2->DoSomethingElse(); //Failure!
//This different proxy for IObject2 have not yet been authorized.

CoSetProxyBlanket(obj2, /*login, pass*/);
//etc.

It's important to note that while CoCreateInstanceEx requires impersonation level to be at least IMPERSONATE, CoSetProxyBlanket doesn't seem to work on anything except IDENTIFY.

Another option is to use CoInitializeSecurity to set default credentials for the whole process. Then you don't have to call CoSetProxyBlanket on every proxy:

CoInitializeSecurity(/* login, pass */);
CoCreateInstanceEx(IID_IUnknown, /*login, pass*/, obj); //Success!
obj->DoSomething(); //Success!

When using CoInitializeSecurity on the client you have to specify asAuthSvc too, even though MSDN says you don't.

The drawback of this method is obviously that if you have several DCOM objects from different PCs you're going to have to specify all the credentials in this call and those are probably going to be tried against every computer every time you open a different proxy.

It also is not reliable when you're running from a DLL (what if a process has different default security?). So, it's probably better to implement a QueryInterface wrapper which CoSetsProxyBlanket before returning from every call.

Best Answer

Related Solutions

C++ – DCOM CoCreateInstanceEx E_ACCESSDENIED

Windows – How does impersonation in DCOM work

Related Topic