DCOM access denied error on Windows 2003 server SP1

Posted by Alan Lait on January 16, 2006, 9:09 am
I am trying to resolve a problem with an old DCOM-based application, running
on Windows 2003 server with SP1 installed.

The client and server components of the application use anonymous access and
no authentication, which is obviously rather insecure but they were written
a number of years ago in VB6. Although they run happily when installed on
Windows 2003 server prior to SP1, the additional DCOM security features in
SP1 cause an "access denied" error when connecting the client to the server.
It may be of some note that the server components issue events to the
client, so there are call-backs being set up there too, but it's the initial
connect that's causing the problem.

All of the server components are set (via Component Services) to run with an
Authentication Level of None, they are launched by a separate process on the
server (weird, but that's the way it works) so the launch permissions from
the client aren't a problem, and the access permissions list includes the
Everyone account, so all client accounts should be allowed.

The client components are configured with an impersonation level of
Anonymous, so the call-backs from the server should be accepted regardless.

That all worked OK before SP1, with the client running on XP or 2000, so in
order to relax the security added in SP1 we have changed the following on
the 2003 server:

Edited the security limits (via the COM Security tab in Component Services)
to ensure that Local Access and Remote Access are enabled for the Everyone
and ANONYMOUS LOGON accounts (not sure if that's totally necessary but we're
clutching at straws a bit here)

What else needs to be done (other than rewriting the application to use
security properly, which isn't an option at the moment)?

Any help much appreciated.
Alan
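
An added example, not part of the original post or the reply: a small audit of a DCOM machine-wide access limit expressed in SDDL (the form used by the "DCOM: Machine Access Restrictions in SDDL syntax" policy), reporting which allow ACEs let an unauthenticated remote caller through. The function names and both sample descriptors are constructed for illustration; the `everyone_includes_anonymous` parameter is an assumption that models the "Network access: Let Everyone permissions apply to anonymous users" setting, which decides whether an Everyone entry covers anonymous callers at all.

```python
import re

# SDDL right tokens as interpreted for COM access/launch descriptors.
COM_RIGHTS = {"CC": 0x01,  # COM_RIGHTS_EXECUTE
              "DC": 0x02,  # COM_RIGHTS_EXECUTE_LOCAL
              "LC": 0x04,  # COM_RIGHTS_EXECUTE_REMOTE
              "SW": 0x08,  # COM_RIGHTS_ACTIVATE_LOCAL
              "RP": 0x10}  # COM_RIGHTS_ACTIVATE_REMOTE
REMOTE_BITS = 0x04 | 0x10

EVERYONE = {"WD", "S-1-1-0"}
ANONYMOUS = {"AN", "S-1-5-7"}

# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")

def rights_mask(rights):
    """Convert an SDDL rights field (token pairs or hex) to a COM access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in COM_RIGHTS:
            raise ValueError(f"unexpected COM right token {token!r}")
        mask |= COM_RIGHTS[token]
    return mask

def parse_dacl(sddl):
    """Return [(ace_type, trustee, mask)] for the DACL part of an SDDL string."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    return [(t, sid, rights_mask(r)) for t, r, sid in ACE_RE.findall(dacl)]

def anonymous_remote_exposure(sddl, everyone_includes_anonymous=False):
    """Trustees whose allow ACEs admit an unauthenticated remote caller.
    Deny ACEs are parsed but not evaluated for precedence here."""
    hits = []
    for ace_type, trustee, mask in parse_dacl(sddl):
        if ace_type != "A" or not mask & REMOTE_BITS:
            continue
        if trustee in ANONYMOUS or (everyone_includes_anonymous and trustee in EVERYONE):
            hits.append(trustee)
    return hits

# Constructed samples: anonymous limited to local access vs. granted remote access.
LOCAL_ONLY_ANON = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"
REMOTE_ANON = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;AN)"
```

Any trustee this reports marks a limit under which remote callers need no authentication, which is worth recording as an accepted risk for the host.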



Posted by Roger Abell [MVP] on January 17, 2006, 1:02 am
http://support.microsoft.com/search/default.aspx?qu=dcom+sp1


> I am trying to resolve a problem with an old DCOM-based application, running
> on Windows 2003 server with SP1 installed.
>
> The client and server components of the application use anonymous access and
> no authentication, which is obviously rather insecure but they were written
> a number of years ago in VB6. Although they run happily when installed on
> Windows 2003 server prior to SP1, the additional DCOM security features in
> SP1 cause an "access denied" error when connecting the client to the server.
> It may be of some note that the server components issue events to the
> client, so there are call-backs being set up there too, but it's the initial
> connect that's causing the problem.
>
> All of the server components are set (via Component Services) to run with an
> Authentication Level of None, they are launched by a separate process on the
> server (weird, but that's the way it works) so the launch permissions from
> the client aren't a problem, and the access permissions list includes the
> Everyone account, so all client accounts should be allowed.
>
> The client components are configured with an impersonation level of
> Anonymous, so the call-backs from the server should be accepted regardless.
>
> That all worked OK before SP1, with the client running on XP or 2000, so in
> order to relax the security added in SP1 we have changed the following on
> the 2003 server:
>
> Edited the security limits (via the COM Security tab in Component Services)
> to ensure that Local Access and Remote Access are enabled for the Everyone
> and ANONYMOUS LOGON accounts (not sure if that's totally necessary but we're
> clutching at straws a bit here)
>
> What else needs to be done (other than rewriting the application to use
> security properly, which isn't an option at the moment)?
>
> Any help much appreciated.
> Alan

