Permission Denied When Accessing COM+ Component as Plain D..

Last response: in Windows 2000/NT
Anonymous
July 7, 2005 5:31:50 PM

Archived from groups: microsoft.public.win2000.security

Hi All,

I've got a problem running COM+ components on Windows 2003 that I
haven't seen previously.

If I log into the client workstation as a domain administrator, I can
access the COM+ component absolutely fine. However, if I access it
logged in as an ordinary domain user I get a permission denied 70
error. Otherwise, users can get access to the server fine and use
shares on it. I've been through all the motions for this.

- The workstations and the server are a part of an Active Directory set
up and authenticate against it.
- I've created roles for domain users against my COM+ components to
ensure declarative security for them.

In the event log I've got authentication successes for the domain users
from the workstations I'm using, so no failures there and nothing that
would indicate any kind of other failure. None of my COM+ components
implement programmatic security, or even have an Initialize routine.
They're very, very simple components.

I've been through everything I can think of. The only remaining thing I
can think of is if a setting in AD is stopping access, but I have
absolutely no idea what that might be because it could be just about
anything. I think I've exhausted everything in Component Services, but
if anyone has any other ideas that would be great because I can't
believe I'm the only one to see an error 70 like this.

Thanks a lot.


--
segedunum
Posted from http://www.pcreview.co.uk/ newsgroup access
Anonymous
July 7, 2005 5:31:51 PM

Archived from groups: microsoft.public.win2000.security

If your W2k3 is now at SP1, have you reviewed the SP1 release
note information, as it, like SP2 for XP, introduced new hardening
for RPC and DCOM. Now, you said COM+ but it sure sounded
like the users may be remote when attempting this, so . . .

--
Roger Abell
Microsoft MVP (Windows Security)

"segedunum" <segedunum.1rsupz@> wrote in message
news:TLedncgfpIfTv1DfRVn_vg@giganews.com...
>
> Hi All,
>
> I've got a problem running COM+ components on Windows 2003 that I
> haven't seen previously.
>
> If I log into the client workstation as a domain administrator, I can
> access the COM+ component absolutely fine. However, if I access it
> logged in as an ordinary domain user I get a permission denied 70
> error. Otherwise, users can get access to the server fine and use
> shares on it. I've been through all the motions for this.
>
> - The workstations and the server are a part of an Active Directory set
> up and authenticate against it.
> - I've created roles for domain users against my COM+ components to
> ensure declarative security for them.
>
> In the event log I've got authentication successes for the domain users
> from the workstations I'm using, so no failures there and nothing that
> would indicate any kind of other failure. None of my COM+ components
> implement programmatic security, or even have an Initialize routine.
> They're very, very simple components.
>
> I've been through everything I can think of. The only remaining thing I
> can think of is if a setting in AD is stopping access, but I have
> absolutely no idea what that might be because it could be just about
> anything. I think I've exhausted everything in Component Services, but
> if anyone has any other ideas that would be great because I can't
> believe I'm the only one to see an error 70 like this.
>
> Thanks a lot.
>
>
> --
> segedunum
> Posted from http://www.pcreview.co.uk/ newsgroup access
>
Anonymous
July 7, 2005 7:34:39 PM

Archived from groups: microsoft.public.win2000.security

It's not exactly a server I'm in complete control of, but yes, it is SP1
(didn't look - whoops) and yes they are of course remote through DCOM
(crossing my COMs). In the release notes of SP1 we see this:

-By default, all DCOM interfaces in Windows Server 2003 SP1 are
configured to grant remote access permissions, remote launch
permissions, and remote activation permissions only to
administrators.-

http://support.microsoft.com/kb/889101

Doh. When I get access to the server again (tomorrow probably) I'll
change this over to the required users, see what happens and post back.
Since this is a setting I haven't thought about changing (never needed
to before) it's a fairly safe bet this is it. This is another small
thing to chalk up on the long list of things to look for when you get
error 70s.


--
segedunum
Posted from http://www.pcreview.co.uk/ newsgroup access
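
The SP1 release note quoted in the last post limits remote access, launch and activation by ACL. As an added example that is not part of the thread, this read-only PowerShell script lists which principals hold remote rights in the machine-wide DCOM ACLs. The registry value names under `HKLM\SOFTWARE\Microsoft\Ole` are the standard Windows ones and do not come from the posts; the function name `Get-DcomAclEntry` is hypothetical.

```powershell
# Added example (not from the thread). Read-only audit of the machine-wide
# DCOM ACLs; run in an elevated PowerShell session on the server.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM_RIGHTS_* access-mask bits from the Windows SDK.
$comRights = @{
    ExecuteLocal   = 0x02   # local launch / local access
    ExecuteRemote  = 0x04   # remote launch / remote access
    ActivateLocal  = 0x08   # local activation (launch ACLs only)
    ActivateRemote = 0x10   # remote activation (launch ACLs only)
}

function Get-DcomAclEntry {
    param([Parameter(Mandatory = $true)][string]$ValueName)

    $prop = Get-ItemProperty -Path $oleKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) { return }                  # value not set on this machine
    $bytes = [byte[]]$prop.$ValueName           # binary self-relative security descriptor
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    if (-not $sd.DiscretionaryAcl) { return }   # no DACL to report

    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        # An ACE carrying only COM_RIGHTS_EXECUTE (0x01) is the pre-SP1 format
        # and is interpreted as granting every local and remote right.
        if ($mask -eq 0x01) { $mask = 0x1E }
        $rights = $comRights.Keys | Where-Object { $mask -band $comRights[$_] } | Sort-Object
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        New-Object PSObject -Property @{
            Source    = $ValueName
            Type      = $ace.AceType
            Principal = $who
            Rights    = ($rights -join ', ')
            Remote    = [bool]($mask -band 0x14)   # any remote execute/activate bit
        }
    }
}

$report = 'MachineLaunchRestriction', 'MachineAccessRestriction',
          'DefaultLaunchPermission',  'DefaultAccessPermission' |
    ForEach-Object { Get-DcomAclEntry -ValueName $_ }

# Allow ACEs with a remote right: who can reach DCOM servers from the network.
$report | Where-Object { $_.Remote -and $_.Type -eq 'AccessAllowed' } |
    Sort-Object Source, Principal |
    Format-Table Source, Principal, Rights -AutoSize
```

Per-application launch and access permissions set in Component Services are stored separately and are not covered by this script.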