
DCOM access denied error on Windows 2003 server SP1

Posted by Alan Lait on January 13, 2006, 10:35 am
I am trying to resolve a problem with an old DCOM-based application, running
on Windows 2003 server with SP1 installed.

The client and server components of the application use anonymous access and
no authentication, which is obviously rather insecure but they were written
a number of years ago in VB6. Although they run happily when installed on
Windows 2003 server prior to SP1, the additional DCOM security features in
SP1 cause an "access denied" error when connecting the client to the server.
It may be of some note that the server components issue events to the
client, so there are call-backs being set up there too, but it's the initial
connect that's causing the problem.

All of the server components are set (via Component Services) to run with an
Authentication Level of None, they are launched by a separate process on the
server (weird, but that's the way it works) so the launch permissions from
the client aren't a problem, and the access permissions list includes the
Everyone account, so all client accounts should be allowed.

The client components are configured with an impersonation level of
Anonymous, so the call-backs from the server should be accepted regardless.

That all worked OK before SP1, with the client running on XP or 2000, so in
order to relax the security added in SP1 we have changed the following on
the 2003 server:

Edited the security limits (via the COM Security tab in Component Services)
to ensure that Local Access and Remote Access is enabled for the Everyone
and ANONYMOUS LOGON accounts (not sure if that's totally necessary but we're
clutching at straws a bit here)

What else needs to be done (other than rewriting the application to use
security properly, which isn't an option at the moment) ?

Any help much appreciated.
Alan
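
An added example, not part of either post: a Python check that decodes a DCOM limits ACL written as an SDDL string and lists which trustees its allow ACEs grant remote COM rights to, which is the setting the post above describes relaxing. It assumes the limits are available in SDDL form; the two sample strings and all function names are constructed for illustration.

```python
import re

# COM_RIGHTS_* access-mask bits and the SDDL letter codes with the same values.
SDDL_BITS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}
BIT_NAMES = {
    0x01: "COM_RIGHTS_EXECUTE",
    0x02: "COM_RIGHTS_EXECUTE_LOCAL",
    0x04: "COM_RIGHTS_EXECUTE_REMOTE",
    0x08: "COM_RIGHTS_ACTIVATE_LOCAL",
    0x10: "COM_RIGHTS_ACTIVATE_REMOTE",
}
REMOTE_BITS = 0x04 | 0x10
# SDDL SID aliases for the accounts named in the post, plus Administrators.
TRUSTEES = {"WD": "Everyone", "AN": "ANONYMOUS LOGON", "BA": "Administrators"}

def rights_to_mask(rights):
    """Turn an SDDL rights field ('CCDCLC' or '0x7') into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_BITS[rights[i:i + 2]]  # KeyError on codes outside the COM set
    return mask

def parse_aces(sddl):
    """Return (ace_type, mask, trustee) for every parenthesised ACE."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, _flags, rights, _obj, _inh, sid = body.split(";")
        aces.append((ace_type, rights_to_mask(rights), TRUSTEES.get(sid, sid)))
    return aces

def remote_grants(sddl):
    """Map trustee -> remote COM rights granted by allow ('A') ACEs."""
    found = {}
    for ace_type, mask, trustee in parse_aces(sddl):
        if ace_type == "A" and mask & REMOTE_BITS:
            names = [n for bit, n in BIT_NAMES.items() if bit & mask & REMOTE_BITS]
            found.setdefault(trustee, []).extend(names)
    return found

# Constructed sample values, not taken from any real server.
RESTRICTIVE = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"  # anonymous: local only
RELAXED = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;AN)"    # anonymous: local + remote

if __name__ == "__main__":
    for label, sddl in (("restrictive", RESTRICTIVE), ("relaxed", RELAXED)):
        print(label, remote_grants(sddl))
```

An "ANONYMOUS LOGON" key in the result means unauthenticated remote callers pass the machine-wide limit, so the per-application access permissions become the only remaining gate.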



Posted by Roger Abell [MVP] on January 14, 2006, 1:07 am
Please review the thread in this newsgroup
started on Jan 6 with subject
DCOM access denied after SP1 applied

--
Roger

>I am trying to resolve a problem with an old DCOM-based application,
>running on Windows 2003 server with SP1 installed.
>
> The client and server components of the application use anonymous access
> and no authentication, which is obviously rather insecure but they were
> written a number of years ago in VB6. Although they run happily when
> installed on Windows 2003 server prior to SP1, the additional DCOM
> security features in SP1 cause an "access denied" error when connecting
> the client to the server. It may be of some note that the server
> components issue events to the client, so there are call-backs being set
> up there too, but it's the initial connect that's causing the problem.
>
> All of the server components are set (via Component Services) to run with
> an Authentication Level of None, they are launched by a separate process
> on the server (weird, but that's the way it works) so the launch
> permissions from the client aren't a problem, and the access permissions
> list includes the Everyone account, so all client accounts should be
> allowed.
>
> The client components are configured with an impersonation level of
> Anonymous, so the call-backs from the server should be accepted
> regardless.
>
> That all worked OK before SP1, with the client running on XP or 2000, so
> in order to relax the security added in SP1 we have changed the following
> on the 2003 server:
>
> Edited the security limits (via the COM Security tab in Component
> Services) to ensure that Local Access and Remote Access is enabled for the
> Everyone and ANONYMOUS LOGON accounts (not sure if that's totally
> necessary but we're clutching at straws a bit here)
>
> What else needs to be done (other than rewriting the application to use
> security properly, which isn't an option at the moment) ?
>
> Any help much appreciated.
> Alan
>


