Hi, I have a DCOM client/server pair I developed using a toolkit that does not itself seem to care about security. So I tried to configure everything myself using dcomcnfg on client and server computers and add necessary access control code in the server program. There are identical user accounts on client and server machine. For authentication and impersonation levels I used "connect" and "impersonate". Launch and activation of the server works like a charm. Now I want to determine from within the server code which user account is currently accessing the servers items so I can restrict specific items to specific users. Problem is: I never get to the user id. From other posts I read that I should use APIs like CoImpersonateClient and CoQueryClientBlanket. I tried both but everything I try fails. Here are some testing details: Client on XPSP2, server on Win2K Calling CoImpersonateClient in the server code fails with RPC_S_CANNOT_SUPPORT (0x800706E4) Calling CoQueryClientBlanket in the server code fails with RPC_S_BINDING_HAS_NO_AUTH 0x800706D2 Client on Win2K, server on Win2K Calling CoImpersonateClient in the server code fails with 0x800706e5 (No security context is available to allow impersonation.) Calling CoQueryClientBlanket in the server code fails with RPC_S_INVALID_AUTH_IDENTITY 0x800706D5 Running both client and server on my XPSP2 development machine I don't get an error but the client always is "NT Authority/Anonymous logon"? Why do I not get my own user name here? I have already spent hours reading earlier posts but these errors don't seem to come up too often. So any comment is really appreciated! Nick
"nicolasr" wrote in message news:%23s4pr%23tUHHA.4028@TK2MSFTNGP02.phx.gbl... > Hi, > > I have a DCOM client/server pair I developed using > a toolkit that does not itself seem to care about security. > So I tried to configure everything myself using dcomcnfg on > client and server computers and add necessary access control > code in the server program. > > There are identical user accounts on client and server machine. > For authentication and impersonation levels I used "connect" > and "impersonate". Is the client and the server in the same domain? Or are you using a workgroup? > Launch and activation of the server works like a charm. > Now I want to determine from within the server code which user > account is currently accessing the servers items so I can restrict > specific items to specific users. > > Problem is: I never get to the user id. From other posts I > read that I should use APIs like CoImpersonateClient and > CoQueryClientBlanket. I tried both but everything I try fails. > > Here are some testing details: > > Client on XPSP2, server on Win2K > > Calling CoImpersonateClient in the server code fails with > RPC_S_CANNOT_SUPPORT (0x800706E4) > Calling CoQueryClientBlanket in the server code fails with > RPC_S_BINDING_HAS_NO_AUTH 0x800706D2 > > > Client on Win2K, server on Win2K > > Calling CoImpersonateClient in the server code fails with > 0x800706e5 (No security context is available to allow impersonation.) > > Calling CoQueryClientBlanket in the server code fails with > RPC_S_INVALID_AUTH_IDENTITY 0x800706D5 > > Running both client and server on my XPSP2 development > machine I don't get an error but the client always is > "NT Authority/Anonymous logon"? > Why do I not get my own user name here? > Clearly the server is not impersonating the client. Remember the client needs to give permission to the server to impersonate. On the client side Call CoInitializeSecurity(), preferably right after CoInitialize(), using RPC_C_AUTHN_LEVEL_CONNECT and RPC_C_IMP_LEVEL_IMPERSONATE. Brian
Hi and thanks for your reply. >> There are identical user accounts on client and server machine. >> For authentication and impersonation levels I used "connect" >> and "impersonate". > > Is the client and the server in the same domain? Or are you using a > workgroup? > Win2K client and Win2K server are in a workgroup. The XP client is connected via VPN to the same network. >> Running both client and server on my XPSP2 development >> machine I don't get an error but the client always is >> "NT Authority/Anonymous logon"? >> Why do I not get my own user name here? >> > > Clearly the server is not impersonating the client. > > Remember the client needs to give permission to the server to impersonate. > On the client side Call CoInitializeSecurity(), preferably right after > CoInitialize(), using RPC_C_AUTHN_LEVEL_CONNECT and > RPC_C_IMP_LEVEL_IMPERSONATE. > I actually tried that already but as I notice now I failed to correctly check the return value which was always RPC_E_TOO_LATE . Now I moved the call right at the beginning of my WinMain and boom! everything works! Thanks for that. I have to add two things: First, I thought that calling CoInitializeSecurity() would be an optional alternative to configuring registry settings via dcomconfg.exe. It seems that my settings never got applied though. I have another example DCOM client/server pair that I built from scratch following a book about DCOM. These two always worked without calling CoInitalizeSecurity(). So from all that I conclude that probably the toolkit I use for my actual client/server generates security related code that always overwrites registry settings. My own CoInitializeSecurity() call in WinMain() now seems to fix that. thanks for your help, Nicolas
