Re: DCOM security question
Currently I am using the following on the server, the client does NOT call
hr = sd.InitializeFromThreadToken();
if( FAILED(hr) )
hr = sd.Allow("Everyone", COM_RIGHTS_EXECUTE);
hr = CoInitializeSecurity( sd, -1, NULL, NULL,
This seems to work OK as long as I am supplying credentials in the
CoCreateInstanceEx call. The problem is how all the parameters relate to each
other depending on the level of security you need.
With the above code I believe I can restrict any user to belong to a
specified group, this only means that the caller is a valid user in the
"Brian Muth" <firstname.lastname@example.org> wrote in message
"Scott" <email@example.com> wrote in message
I have a CPP/ATL service that exposes 3 interfaces. These interfaces are
accessible as long as the client and server are on the same domain.
As soon as the client tries to access the service from outside the
they get an access is denied error. In most cases this would be OK, but
the current time I need to be able to service clients outside the domain.
Mostly the client used CoCreateInstanceEx and the server does a
hr = CoInitializeSecurity( NULL, NULL, NULL, NULL
, NULL, NULL, NULL
, EOAC_APPID, NULL);
Netmonitoring the handshake it appears that Kerberos is now getting
involved, where I always thought that DCOM used NTLM.
Then we tried to force Windows NTLM as follows:
sas.dwAuthnSvc = RPC_C_AUTHN_WINNT;
sas.dwAuthzSvc = 0;
sas.pPrincipalName = NULL;
sas.hr = S_OK;
hr = CoInitializeSecurity( NULL, 1, &sas, NULL,
This gave us basically the same results.
After trying several variations it became obvious that there is much more
consider when doing this.
Is there a fairly simple way to allow users from other domains into this
In the past users from other domains that had the same userid and
as a domain account would be allowed in. This would at least give some
security to the connection.
At this point I just need client access for other domains with some idea
how to tighten things down as we need to.
Where can I get some basic information on this to get started?
DCOM security is a two-way agreement between both the client _and_ the
server. The server sets the low level mark and the client sets the high
level mark. So you need to tell us what level security the server is
requesting. Does the server also call CoInitializeSecurity? If so, what
are the parameters?