DCOM Authentication Fails to use Kerberos, Falls back to NTLM
I have a webservice that is written in Classic ASP. In this web service it attempts to create a VirtualServer.Application object on another server via DCOM. This fails with Permission Denied. However, I have another component instantiated in this same webservice on the same remote server, that is created without problems. This component is a custom in-house component.
The webservice is called from a standalone EXE program that calls it via WinHTTP. It has been verified that WinHTTP is authenticating with Kerberos to the webservice successfully. The user authenticated to the webservice is the Administrator user. The EXE to webservice authentication step is successful and with Kerberos.
I have verified the DCOM permissions on the remote computer with DCOMCNFG. The default limits allow administrators both local and remote activation, both local and remote access, and both local and remote launch. The default component permissions allow the same. This has been verified. The individual component permissions for the working component are set to defaults. The individual component permissions for the VirtualServer.Application component are also set to defaults. Based upon these settings, the webservice should be able to instantiate and access the components on the remote computer.
Setting up a Wireshark trace while running both tests, one with the working component and one with the VirtualServer.Application component, reveals an interesting behavior. When the webservice is instantiating the working, custom, component, I can see the request on the wire to the RPCSS endpoint mapper first perform the TCP connect sequence. Then I see it perform the bind request with the appropriate security package, in this case Kerberos. After it obtains the endpoint for the working DCOM component, it connects to the DCOM endpoint authenticating again via Kerberos, and it successfully is able to instantiate and communicate.
On the failing VirtualServer.Application component, I again see the bind request with Kerberos go to the RPCSS endpoint mapper successfully. However, when it then attempts to connect to the endpoint in the Virtual Server process, it fails to connect because it only attempts to authenticate with NTLM, which ultimately fails, because the webservice does not have access to the credentials to perform the NTLM hash.
Why is it attempting to authenticate via NTLM?
Additional Information:
Both components run on the same server via DCOM
Both components run as Local System on the server
Both components are Win32 Service components
Both components have the exact same launch/access/activation DCOM permissions
Both Win32 Services are set to run as Local System
The permission denied is not a permissions issue as far as I can tell, it is an authentication issue. Permission is denied because NTLM authentication is used with a NULL username instead of Kerberos Delegation
Constrained delegation is set up on the server hosting the webservice.
The server hosting the webservice is allowed to delegate to rpcss/dcom-server-name
The server hosting the webservice is allowed to delegate to vssvc/dcom-server-name
The dcom server is allowed to delegate to rpcss/webservice-server
The SPNs registered on the dcom server include rpcss/dcom-server-name and vssvc/dcom-server-name as well as the HOST/dcom-server-name related SPNs
The SPNs registered on the webservice-server include rpcss/webservice-server and the HOST/webservice-server related SPNs
Anybody have any ideas why the attempt to create a VirtualServer.Application object on a remote server is falling back to NTLM authentication, causing it to fail and get permission denied?
April 29th, 2011 10:36pm
Basically, the VirtualServer.Application is falling back to NTLM because the webservice-server is either not correctly allowed to delegate to the remote server or the client-side component that runs on the webservice-server and tries to access the VirtualServer.Application object does not support constrained delegation.
Several notes:
a) Try enabling the "Trust this computer for delegation to any service" for the webservice. This way you eliminate the problem of incorrect or insufficient SPNs defined.
You also may face something else - some components in Windows Server 2008 that are obsolete although still present do not support constrained delegation (an example is Scripting.FileSystemObject), so with the unconstrained delegation you may isolate such issues.
b) For every SPN, define both the short name (such as webservice-server) as well as the FQDN (such as the webservice-server.domain.local).
c) Between any tests with delegation, always RESTART the whole webservice-server and log off from the client!!! There are various caches of the tickets, including "negative caches", which means that you may just face some "before-restart" temporary conditions.
d) Also make sure the VirtualServer.Application component is really running under System or Network Service identity on the DCOM server, or you will need to define the target SPNs for a different account.
e) If you want to be really sure the issue is Kerberos delegation related, you can always try to enable Basic authentication on the webservice-server, which will allow the webservice to fall back to using NTLM.
ondrej.
April 30th, 2011 12:03pm
VirtualServer.Application is the COM component used to interact with Microsoft Virtual Server 2005 R2.
The servers involved are Windows Server 2003 R2 SP3.
I have tried enabling the "allow everything" delegation setting, but that does not resolve the problem.
It seems that the DCOM component hosting service running on the application/DCOM server is not allowing Kerberos authentication to take place.
WebService-Server is named RIVEN:
C:\network>setspn -L riven
Registered ServicePrincipalNames for CN=RIVEN,OU=Domain Controllers,DC=rivin,DC=net:
http/riven.external.rivin.net
vssrvc/riven.rivin.net
vssrvc/RIVEN
vmrc/riven.rivin.net:5900
vmrc/RIVEN:5900
http/services.i.rivin.net
http/services.rivin.net
exchangeAB/RIVEN
exchangeAB/riven.rivin.net
ldap/riven.rivin.net/DomainDnsZones.rivin.net
ldap/riven.rivin.net/ForestDnsZones.rivin.net
exchangeMDB/riven.rivin.net
exchangeMDB/RIVEN
exchangeRFR/riven.rivin.net
exchangeRFR/RIVEN
SMTP/RIVEN
SMTP/riven.rivin.net
SMTPSVC/RIVEN
SMTPSVC/riven.rivin.net
GC/riven.rivin.net/rivin.net
HOST/riven.rivin.net/rivin.net
HOST/riven.rivin.net/DNI
ldap/1143aa56-4492-4459-873d-fb3b333b0009._msdcs.rivin.net
ldap/riven.rivin.net/DNI
ldap/RIVEN
ldap/riven.rivin.net
ldap/riven.rivin.net/rivin.net
DNS/riven.rivin.net
E3514235-4B06-11D1-AB04-00C04FC2DCD2/1143aa56-4492-4459-873d-fb3b333b0009/rivin.net
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/riven.rivin.net
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/riven.rivin.net
HOST/RIVEN
HOST/riven.rivin.net
Riven's ms-DS-Allowed-To-Delegate-To Attribute:
www/terahnee.rivin.net
www/TERAHNEE
www/terahnee.rivin.net/DNI
www/terahnee.rivin.net/rivin.net
www/amateria.rivin.net
www/AMATERIA
www/riven.rivin.net
www/RIVEN
www/riven.rivin.net/DNI
www/riven.rivin.net/rivin.net
vssrvc/terahnee.rivin.net
vssrvc/TERAHNEE
vssrvc/amateria.rivin.net
vssrvc/AMATERIA
vssrvc/RIVEN
vssrvc/riven.rivin.net
vmrc/terahnee.rivin.net:5900
vmrc/TERAHNEE:5900
vmrc/amateria.rivin.net:5900
vmrc/AMATERIA:5900
vmrc/RIVEN:5900
vmrc/riven.rivin.net:5900
TelevisionManager/terahnee.rivin.net
rpcss/terahnee.rivin.net
rpcss/TERAHNEE
rpcss/terahnee.rivin.net/DNI
rpcss/terahnee.rivin.net/rivin.net
rpcss/amateria.rivin.net
rpcss/AMATERIA
rpcss/riven.rivin.net
rpcss/RIVEN
rpcss/riven.rivin.net/DNI
rpcss/riven.rivin.net/rivin.net
rpc/terahnee.rivin.net
rpc/TERAHNEE
rpc/terahnee.rivin.net/DNI
rpc/terahnee.rivin.net/rivin.net
rpc/amateria.rivin.net
rpc/AMATERIA
rpc/riven.rivin.net
rpc/RIVEN
rpc/riven.rivin.net/DNI
rpc/riven.rivin.net/rivin.net
http/owa.rivin.net
http/owa.i.rivin.net
http/www.rivin.net
http/www.i.rivin.net
http/TERAHNEE
http/terahnee.rivin.net/DNI
http/terahnee.rivin.net/rivin.net
http/terahnee.rivin.net
http/amateria.rivin.net
http/AMATERIA
http/riven.rivin.net
http/RIVEN
http/riven.rivin.net/DNI
http/riven.rivin.net/rivin.net
http/riven.external.rivin.net
http/services.rivin.net
http/services.i.rivin.net
HOST/terahnee.rivin.net
HOST/TERAHNEE
HOST/terahnee.rivin.net/DNI
HOST/terahnee.rivin.net/rivin.net
HOST/amateria.rivin.net
HOST/AMATERIA
HOST/riven.rivin.net
HOST/RIVEN
HOST/riven.rivin.net/DNI
HOST/riven.rivin.net/rivin.net
dcom/terahnee.rivin.net
dcom/TERAHNEE
dcom/terahnee.rivin.net/DNI
dcom/terahnee.rivin.net/rivin.net
dcom/amateria.rivin.net
dcom/AMATERIA
dcom/riven.rivin.net
dcom/RIVEN
dcom/riven.rivin.net/DNI
dcom/riven.rivin.net/rivin.net
cifs/terahnee.rivin.net
cifs/TERAHNEE
cifs/terahnee.rivin.net/DNI
cifs/terahnee.rivin.net/rivin.net
cifs/amateria.rivin.net
cifs/AMATERIA
cifs/riven.rivin.net
cifs/RIVEN
cifs/riven.rivin.net/DNI
cifs/riven.rivin.net/rivin.net
Application Server where the DCOM component VirtualServer.Application is instantiated on:
C:\network>setspn -L terahnee
Registered ServicePrincipalNames for CN=TERAHNEE,OU=Domain Controllers,DC=rivin,DC=net:
vssrvc/TERAHNEE
vssrvc/terahnee.rivin.net
vmrc/TERAHNEE:5900
vmrc/terahnee.rivin.net:5900
TelevisionManager/terahnee.rivin.net
http/owa.i.rivin.net
http/www.i.rivin.net
http/owa.rivin.net
http/www.rivin.net
http/terahnee.rivin.net
IMAP4/terahnee.rivin.net
IMAP4/TERAHNEE
IMAP/terahnee.rivin.net
IMAP/TERAHNEE
exchangeAB/terahnee.rivin.net
exchangeAB/TERAHNEE
POP3/terahnee.rivin.net
POP3/TERAHNEE
ldap/terahnee.rivin.net/DomainDnsZones.rivin.net
ldap/terahnee.rivin.net/ForestDnsZones.rivin.net
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/terahnee.rivin.net
SmtpSvc/terahnee.rivin.net
SmtpSvc/TERAHNEE
SMTP/terahnee.rivin.net
SMTP/TERAHNEE
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/terahnee.rivin.net
HOST/terahnee.rivin.net/rivin.net
GC/terahnee.rivin.net/rivin.net
DNS/terahnee.rivin.net
ldap/terahnee.rivin.net/DNI
ldap/2472f694-331d-4e0b-9688-0b6501e3e4f2._msdcs.rivin.net
HOST/terahnee.rivin.net/DNI
ldap/terahnee.rivin.net/rivin.net
ldap/terahnee.rivin.net
ldap/TERAHNEE
E3514235-4B06-11D1-AB04-00C04FC2DCD2/2472f694-331d-4e0b-9688-0b6501e3e4f2/rivin.net
HOST/TERAHNEE
HOST/terahnee.rivin.net
Terahnee's msDS-Allowed-To-Delegate-To attribute:
HOST/amateria.rivin.net
HOST/AMATERIA
rpcss/AMATERIA
rpcss/RIVEN
rpcss/riven.rivin.net
rpcss/riven.rivin.net/DNI
rpcss/riven.rivin.net/rivin.net
rpcss/amateria.rivin.net
vmrc/AMATERIA:5900
vmrc/amateria.rivin.net:5900
vmrc/riven.rivin.net:5900
vmrc/RIVEN:5900
MSSQLSvc/riven:1433
MSSQLSvc/riven.rivin.net
MSSQLSvc/riven
MSSQLSvc/riven.rivin.net:1433
cifs/riven.rivin.net/rivin.net
cifs/riven.rivin.net/DNI
cifs/RIVEN
http/riven.external.rivin.net
cifs/riven.rivin.net
HOST/RIVEN
HOST/riven.rivin.net/DNI
HOST/riven.rivin.net/rivin.net
HOST/riven.rivin.net
http/services.rivin.net
http/services.i.rivin.net
cifs/MYST
cifs/myst.rivin.net
vssrvc/RIVEN
vssrvc/riven.rivin.net
vssrvc/AMATERIA
vssrvc/amateria.rivin.net
http/RIVEN
http/riven.rivin.net
http/riven.rivin.net/rivin.net
http/riven.rivin.net/DNI
Service information about Virtual Server function: (this is the service that the webservice fails to connect to DCOM components in)
U:\>sc \\terahnee qc "Virtual Server"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Virtual Server
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "D:\virtualServer\vssrvc.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Virtual Server
DEPENDENCIES : RpcSs
: vmh
: vmm
SERVICE_START_NAME : LocalSystem
Service information about the service that works: (this is the service that the webservice IS able to connect to DCOM components in)
U:\>sc \\terahnee qc "TelevisionManager"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TelevisionManager
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k MediaSystem
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Television A/V Capture and Streaming Service
DEPENDENCIES : DelaySvc1
SERVICE_START_NAME : LocalSystem
Authentication Headers as provided to the webservice by the client:
Cache-Control: no-cache
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Negotiate [token removed]
Cookie: ASPSESSIONIDQADBCTTC=OOJPLFLAAMNPGOKFJPNCCGBM
Host: services.rivin.net
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
May 4th, 2011 7:14pm
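An added example (not part of any post in this thread): a Python check that takes pasted `setspn -L` output and an msDS-AllowedToDelegateTo listing and reports, for each service class in both short-name and FQDN form, whether the SPN is registered on the target and present in the delegating server's list. The sample input is a constructed excerpt of the listings posted above, `HOST_ALIASES` is a subset of the default sPNMappings aliases and assumes that default is unchanged, and all function names are hypothetical.

```python
# Added example: cross-check registered SPNs against a constrained-delegation list.
# Subset of the service classes that the default sPNMappings attribute aliases
# to HOST (assumption: the directory default has not been changed).
HOST_ALIASES = {"rpcss", "rpc", "dcom", "cifs", "www", "http"}

# Constructed excerpts of the listings posted in the thread.
TERAHNEE_SPNS = """
Registered ServicePrincipalNames for CN=TERAHNEE,OU=Domain Controllers,DC=rivin,DC=net:
vssrvc/TERAHNEE
vssrvc/terahnee.rivin.net
HOST/TERAHNEE
HOST/terahnee.rivin.net
"""
RIVEN_ALLOWED = """
vssrvc/terahnee.rivin.net
vssrvc/TERAHNEE
rpcss/terahnee.rivin.net
rpcss/TERAHNEE
"""

def parse_spns(text):
    """Return lower-cased SPNs, skipping blanks, command echoes and headers."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and not line.endswith(":"):
            spns.add(line.lower())  # SPN comparison is case-insensitive
    return spns

def check_delegation(registered, allowed, service_classes, host, domain):
    """Return (spn, registered?, delegated?) for short-name and FQDN forms."""
    rows = []
    for svc in service_classes:
        for name in (host, f"{host}.{domain}"):
            spn = f"{svc}/{name}".lower()
            via_host = svc.lower() in HOST_ALIASES and f"host/{name}".lower() in registered
            rows.append((spn, spn in registered or via_host, spn in allowed))
    return rows

def problems(rows):
    """SPNs that are missing from either side."""
    return [spn for spn, is_reg, is_deleg in rows if not (is_reg and is_deleg)]

if __name__ == "__main__":
    rows = check_delegation(parse_spns(TERAHNEE_SPNS), parse_spns(RIVEN_ALLOWED),
                            ["rpcss", "vssrvc", "vssvc"], "terahnee", "rivin.net")
    for spn, is_reg, is_deleg in rows:
        print(f"{spn:32} registered={is_reg!s:5} delegated={is_deleg}")
    print("problems:", problems(rows))
```

The service class `vssvc` is the spelling used in the first post, while `vssrvc` is the one that appears in the posted listings, so the check is run against both.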
Here is some additional information. When the following code is run in the context of the webservice, directly via a testing-only, just-developed COM component, it fails on the specified line with Access Denied.

    COSERVERINFO csi;
    csi.dwReserved1 = 0;
    csi.pwszName = L"terahnee.rivin.net";  // remote DCOM server
    csi.pAuthInfo = NULL;                  // NULL: default activation security
    csi.dwReserved2 = 0;                   // DWORD field, so 0 rather than NULL
    // Ask the remote machine for the class factory.
    hr = CoGetClassObject(CLSID_VirtualServer, CLSCTX_ALL, &csi, IID_IClassFactory, (void **) &pClsFact);
    if (FAILED(hr)) goto error1; // Fails here with HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED)
    hr = pClsFact->CreateInstance(NULL, IID_IUnknown, (void **) &pUnk);
    if (FAILED(hr)) goto error2;

I've also noticed that in the Wireshark traces, I see the attempt to connect to the service process component *only requests* NTLMSSP authentication, it doesn't even attempt to use Kerberos. This suggests that for some reason the webservice thinks it can't use Kerberos...
May 5th, 2011 3:18am