Re: DCOM security question
Brian,
Currently I am using the following on the server, the client does NOT call
CoInitializeSecurity.
HRESULT hr;
CSecurityDescriptor sd;

// Start from the service account's own token, then open execute access up
hr = sd.InitializeFromThreadToken();
if( FAILED(hr) )
{
    return hr;
}
hr = sd.Allow("Everyone", COM_RIGHTS_EXECUTE);
if( FAILED(hr) )
{
    return hr;
}

// Server side: CONNECT is the minimum authentication level, IDENTIFY the
// maximum impersonation level a caller may grant this server
hr = CoInitializeSecurity( sd, -1, NULL, NULL,
                           RPC_C_AUTHN_LEVEL_CONNECT,
                           RPC_C_IMP_LEVEL_IDENTIFY,
                           NULL,
                           EOAC_NONE,
                           NULL);
This seems to work OK as long as I am supplying credentials in the
CoCreateInstanceEx call. The problem is how all the parameters relate to each
other depending on the level of security you need.
With the above code I believe I can restrict any user to belong to a
specified group; this only means that the caller is a valid user in the
domain.
"Brian Muth" <bmuth@mvps.org> wrote in message
news:%23Fp1UJiqIHA.4904@TK2MSFTNGP03.phx.gbl...
"Scott" <snorberg@newsgroups.nospam> wrote in message
news:9FFF0A97-541C-42A5-BD06-340A50C0C54D@microsoft.com...
I have a CPP/ATL service that exposes 3 interfaces. These interfaces are all
accessible as long as the client and server are on the same domain.
As soon as the client tries to access the service from outside the domain
they get an access is denied error. In most cases this would be OK, but for
the current time I need to be able to service clients outside the domain.
Mostly the client uses CoCreateInstanceEx and the server does a
CoInitializeSecurity:
hr = CoInitializeSecurity( NULL, NULL, NULL, NULL,
                           NULL, NULL, NULL,
                           EOAC_APPID, NULL);
Netmonitoring the handshake it appears that Kerberos is now getting
involved, where I always thought that DCOM used NTLM.
Then we tried to force Windows NTLM as follows:
SOLE_AUTHENTICATION_SERVICE sas;
sas.dwAuthnSvc = RPC_C_AUTHN_WINNT;
sas.dwAuthzSvc = 0;
sas.pPrincipalName = NULL;
sas.hr = S_OK;
hr = CoInitializeSecurity( NULL, 1, &sas, NULL,
                           RPC_C_AUTHN_LEVEL_CONNECT,
                           RPC_C_IMP_LEVEL_IDENTIFY, NULL,
                           EOAC_NONE, NULL);
This gave us basically the same results.
After trying several variations it became obvious that there is much more to
consider when doing this.
Is there a fairly simple way to allow users from other domains into this
service?
In the past users from other domains that had the same userid and password
as a domain account would be allowed in. This would at least give some
security to the connection.
At this point I just need client access for other domains with some idea of
how to tighten things down as we need to.
Where can I get some basic information on this to get started?
--
Scott
DCOM security is a two-way agreement between both the client _and_ the
server. The server sets the low level mark and the client sets the high
level mark. So you need to tell us what level security the server is
requesting. Does the server also call CoInitializeSecurity? If so, what
are the parameters?
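The two-way agreement Brian describes, and why an "Everyone" ACE on the server does not let a client from another domain in, can be modelled in a few lines. The following is an added example written for this thread, not code from either poster: it is portable C++ that models the negotiation rather than calling DCOM. The RPC_C_AUTHN_LEVEL_* numbers and COM_RIGHTS_EXECUTE are the real Windows constants; the Caller and AccessEntry types, the "DEFAULT resolves to CONNECT" rule and the principal-matching rules are simplifying assumptions made here.

```cpp
// Added example (not from the thread): model of how DCOM settles the
// authentication level between client and server, and of the order in which
// authentication and the server's access-permission ACL are applied.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Real values from rpcdce.h; DEFAULT lets the system choose.
enum AuthnLevel : unsigned {
    RPC_C_AUTHN_LEVEL_DEFAULT       = 0,
    RPC_C_AUTHN_LEVEL_NONE          = 1,
    RPC_C_AUTHN_LEVEL_CONNECT       = 2,
    RPC_C_AUTHN_LEVEL_CALL          = 3,
    RPC_C_AUTHN_LEVEL_PKT           = 4,
    RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5,
    RPC_C_AUTHN_LEVEL_PKT_PRIVACY   = 6
};

const unsigned COM_RIGHTS_EXECUTE = 1;   // real value from objbase.h

// Assumption for this model: a side that passes DEFAULT gets CONNECT.
static AuthnLevel resolveDefault(AuthnLevel l) {
    return l == RPC_C_AUTHN_LEVEL_DEFAULT ? RPC_C_AUTHN_LEVEL_CONNECT : l;
}

// The server's CoInitializeSecurity level is the floor ("low level mark"),
// the client's is its own preference ("high level mark"); the connection
// uses the higher of the two.
AuthnLevel negotiateAuthnLevel(AuthnLevel serverMin, AuthnLevel clientRequested) {
    return std::max(resolveDefault(serverMin), resolveDefault(clientRequested));
}

struct Caller {
    bool authenticated;   // could the server's authentication service verify the identity?
    std::string domain;   // domain of the verified identity (empty if none)
    std::string account;
};

struct AccessEntry {      // one sd.Allow(principal, rights) entry (modelled)
    std::string principal;
    unsigned rights;
};

enum class Outcome { Ok, AuthFailed, AccessDenied };

// Authentication happens before authorization: a caller the server cannot
// authenticate (e.g. an account from an untrusted domain) is rejected before
// the ACL is consulted, so "Everyone" never applies to it.
Outcome checkCall(const Caller& c, AuthnLevel level,
                  const std::vector<AccessEntry>& acl) {
    if (level > RPC_C_AUTHN_LEVEL_NONE && !c.authenticated)
        return Outcome::AuthFailed;
    for (const AccessEntry& e : acl) {
        bool matches = (e.principal == "Everyone" && c.authenticated) ||
                       e.principal == c.domain + "\\" + c.account;
        if (matches && (e.rights & COM_RIGHTS_EXECUTE))
            return Outcome::Ok;
    }
    return Outcome::AccessDenied;
}

int main() {
    // Scott's server: CONNECT floor, ACL of Everyone / COM_RIGHTS_EXECUTE.
    std::vector<AccessEntry> acl{{"Everyone", COM_RIGHTS_EXECUTE}};
    AuthnLevel level = negotiateAuthnLevel(RPC_C_AUTHN_LEVEL_CONNECT,
                                           RPC_C_AUTHN_LEVEL_DEFAULT);
    Caller inDomain{true, "CORP", "alice"};      // constructed sample callers
    Caller outside{false, "", ""};
    std::cout << "negotiated level " << level << "\n"
              << "domain user: " << (checkCall(inDomain, level, acl) == Outcome::Ok) << "\n"
              << "foreign user: " << (checkCall(outside, level, acl) == Outcome::Ok) << "\n";
    return 0;
}
```

The model makes the practical point explicit: raising or lowering the server's level changes how strongly the caller must be authenticated, and the access-permission descriptor only ever decides among callers who already passed authentication. Letting in clients from another domain is therefore a trust/authentication question (domain trust, or a matching local account under NTLM), not something an extra Allow() entry can solve.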