I'm working on a DCOM application with the server and client on two machines, both of which are running WinXP with Service Pack 2. On both machines, I'm logged in with the same username and password.

When the client on one machine calls CoCreateInstanceEx, asking the other machine to start up the server application, it returns E_ACCESSDENIED.

I tried going into the server app's component properties in dcomcnfg and giving full permissions to everyone for everything, but that didn't help.

What do I need to do to allow this call to succeed?

Update: When the server app is running on a Windows 2000 box, I do not get this error; CoCreateInstanceEx returns S_OK.

+1  A: 

Three things to check:

1) Go back to dcomcnfg and try making sure that not just the access security but also the "launch permissions" section contains the appropriate security users or groups.

2) Ensure that the Authentication Level is set to something else other than "None"

3) Also check that the location on disk that the component is located is actually accessible to the account configured in the security permissions you set.

EDIT:

One more: Are you calling CoInitializeSecurity() first too? That rings a bell!

EDIT2:

Based on your update: Try dropping the firewalls completely on both XP machines and see if that makes a difference. You may need to let DCOM through explicitly.

Shaun Austin
A: 

@Shaun Austin: Thanks, but those are all fine already:

1) Everything is allowed for everyone in Launch, Access, and Configuration Permissions.

2) Authentication Level is set to Default.

3) On the client-side computer, logged in with the same username and password, I can access the location of the component on the server-side disk.

Update:

Yes, CoInitializeSecurity is called when each application starts up:

CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_NONE, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);

Firewalls are down on both machines.

MOE37x3
+2  A: 

Right, so if your Authentication Level is set to Default, what is the authentication level set to in the Default Settings? Just out of interest. (Although the fact that it works to a 2000 box probably makes that redundant.)

EDIT:

Also: I seem to remember doing a lot of rebooting when I used to play/work with DCOM, so maybe a quick reboot of both machines when you're happy with the dcomcnfg settings wouldn't go amiss either.

Shaun Austin
A: 

@Shaun Austin II:

The global default Authentication Level is set to Connect, and the Default Impersonation Level is set to Identify.

Update:

... and I tried rebooting, and the problem remains. Thanks for all of your advice, but I'm still missing something.

MOE37x3
A: 

What is the flavor of your Windows 2000 box, btw? Professional, Server, Adv Server...

Also, is there a difference between domain membership between the two (one on a domain, the other not, different domains, etc...?)

One more thing - DCOM errors will appear in the System event log at times - especially for object creation - did you check there for clues?

Eli
A: 

I had the exact same problem. The problem happens in machines that have XP SP2+ OS or newer.

I solved it using the following steps:

  1. Verify that both client and server computers are on the same domain.

  2. You need to use the same user on both computers, or, if you want to use different users on client and server, you need to make sure that both client and server users have privileges on both computers (in particular, make sure that they are members of the Distributed COM Users group).

  3. Open the Component Services MMC (run dcomcnfg).

  4. Go to My Computer->Properties->Default Properties and make sure that Default Impersonation Level is "Identify".

  5. Go to the COM Security tab; in both Access Permissions and Launch and Activation Permissions, go to Edit Limits and add Local and Remote access permissions for the client and server users of your COM application.

  6. Make sure that you have a firewall exception in port 135 for your application...

I hope this helps you!

Shai Rubinshtein
A: 

If the PCs aren't both members of the same domain, you also need to give launch & access permissions to "ANONYMOUS LOGON". "Everyone" does not include this.

Taneli Waltari
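
An added example, not part of any answer above: a PowerShell audit of the machine-wide COM ACLs that the "Edit Limits" and "Edit Default" buttons in dcomcnfg write, showing what Everyone, ANONYMOUS LOGON and Distributed COM Users are actually granted. It assumes PowerShell 2.0 or later on the server and the standard value names under HKLM\SOFTWARE\Microsoft\Ole, which the page itself does not mention.

```powershell
# Added example: read-only audit of the machine-wide DCOM security descriptors.
# Run locally on the DCOM server from an elevated PowerShell session.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM access-mask bits (COM_RIGHTS_* in the Windows SDK).
$comRights = @{
    Execute        = 0x01
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}

# Well-known SIDs of the principals discussed in the answers.
$principals = @{
    'Everyone'              = 'S-1-1-0'
    'ANONYMOUS LOGON'       = 'S-1-5-7'
    'Distributed COM Users' = 'S-1-5-32-562'
}

# "Edit Limits" writes the Machine*Restriction values; "Edit Default" writes Default*Permission.
$values = 'MachineAccessRestriction', 'MachineLaunchRestriction',
          'DefaultAccessPermission',  'DefaultLaunchPermission'

foreach ($name in $values) {
    $bytes = (Get-ItemProperty -Path $oleKey -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $bytes) {
        Write-Output "$name : not set in the registry"
        continue
    }
    # Parse the binary self-relative security descriptor starting at offset 0.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$bytes), 0
    foreach ($who in ($principals.Keys | Sort-Object)) {
        $aces = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq $principals[$who] })
        if ($aces.Count -eq 0) {
            Write-Output "$name : $who has no ACE"
            continue
        }
        foreach ($ace in $aces) {
            # List the rights in bit order so Local/Remote pairs read together.
            $granted = $comRights.Keys | Sort-Object { $comRights[$_] } |
                       Where-Object { $ace.AccessMask -band $comRights[$_] }
            Write-Output "$name : $who $($ace.AceType) -> $($granted -join ', ')"
        }
    }
}
```

An AccessAllowed entry without ExecuteRemote or ActivateRemote in a Machine*Restriction value means remote calls from that principal are refused at the machine-wide limit, whatever the per-application permissions say.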