Permission Denied When Accessing COM+ Component as Plain D..

Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,

I've got a problem running COM+ components on Windows 2003 that I
haven't seen perviously.

If I log into the client workstation as a domain administrator, I can
access the COM+ component absolutely fine. However, if I access it
logged in as an ordinary domain user I get a permission denied 70
error. Otherwise, users can get access to the server fine and use
shares on it. I've been through all the motions for this.

- The workstations and the server are a part of an Active Directory set
up and authenticate against it.
- I've created roles for domain users against my COM+ components to
ensure declarative security for them.

In the event log I've got authentication sucesses for the domain users
from the workstations I'm using, so no failures there and nothing that
would indicate any kind of other failure. None of my COM+ components
implement programmatic security, or even have an Initialize routine.
They're very, very simple components.

I've been through everything I can think of. The only remaining thing I
can think of is if a setting in AD is stopping access, but I have
absolutely no idea what that might be because it could be just about
anything. I think I've exhausted everything in Component Services, but
if anyone has any other ideas that would be great because I can't
believe I'm the only one to see an error 70 like this.

Thanks a lot.


--
segedunumPosted from http://www.pcreview.co.uk/ newsgroup access
2 answers Last reply
More about permission denied accessing component plain
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    If your W2k3 is now at SP1, have you reviewed the SP1 release
    note information, as it, like SP2 for XP, introduced new hardening
    for RPC and DCOM. Now, you said COM+ but it sure sounded
    like the users may be remote when attempting this, so . . .

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "segedunum" <segedunum.1rsupz@> wrote in message
    news:TLedncgfpIfTv1DfRVn_vg@giganews.com...
    >
    > Hi All,
    >
    > I've got a problem running COM+ components on Windows 2003 that I
    > haven't seen perviously.
    >
    > If I log into the client workstation as a domain administrator, I can
    > access the COM+ component absolutely fine. However, if I access it
    > logged in as an ordinary domain user I get a permission denied 70
    > error. Otherwise, users can get access to the server fine and use
    > shares on it. I've been through all the motions for this.
    >
    > - The workstations and the server are a part of an Active Directory set
    > up and authenticate against it.
    > - I've created roles for domain users against my COM+ components to
    > ensure declarative security for them.
    >
    > In the event log I've got authentication sucesses for the domain users
    > from the workstations I'm using, so no failures there and nothing that
    > would indicate any kind of other failure. None of my COM+ components
    > implement programmatic security, or even have an Initialize routine.
    > They're very, very simple components.
    >
    > I've been through everything I can think of. The only remaining thing I
    > can think of is if a setting in AD is stopping access, but I have
    > absolutely no idea what that might be because it could be just about
    > anything. I think I've exhausted everything in Component Services, but
    > if anyone has any other ideas that would be great because I can't
    > believe I'm the only one to see an error 70 like this.
    >
    > Thanks a lot.
    >
    >
    > --
    > segedunumPosted from http://www.pcreview.co.uk/ newsgroup access
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    It's not exactly a server I'm in complete control of, but yes, it is SP1
    (didn't look - whoops) and yes they are of course remote through DCOM
    (crossing my COMs). In the release notes of SP1 we see this:

    -By default, all DCOM interfaces in Windows Server 2003 SP1 are
    configured to grant remote access permissions, remote launch
    permissions, and remote activation permissions only to
    administrators.-

    http://support.microsoft.com/kb/889101

    Doh. When I get access to the server again (tomorrow probably) I'll
    change this over to the required users, see what happens and post back.
    Since this is a setting I haven't thought about changing (never needed
    to before) it's a fairly safe bet this is it. This is another small
    thing to chalk up on the long list of things to look for when you get
    error 70s.


    --
    segedunumPosted from http://www.pcreview.co.uk/ newsgroup access
Ask a new question

Read More

Windows Server 2003 Security Workstations Domain Components Windows