DCOM Authentication Fails to use Kerberos, Falls back to NTLM
I have a webservice that is written in Classic ASP. In this web service it attempts to create a VirtualServer.Application object on another server via DCOM. This fails with Permission Denied. However I have another component instantiated in this same webservice on the same remote server, that is created without problems. This component is a custom-in house component. The webservice is called from a standalone EXE program that calls it via WinHTTP. It has been verified that WinHTTP is authenticating with Kerberos to the webservice successfully. The user authenticated to the webservice is the Administrator user. The EXE to webservice authentication step is successful and with kerberos. I have verified the DCOM permissions on the remote computer with DCOMCNFG. The default limits allow administrators both local and remote activation, both local and remote access, and both local and remote launch. The default component permissions allow the same. This has been verified. The individual component permissions for the working component are set to defaults. The individual component permissions for the VirtualServer.Application component are also set to defaults. Based upon these settings, the webservice should be able to instantiate and access the components on the remote computer. Setting up a Wireshark trace while running both tests, one with the working component and one with the VirtualServer.Application component reveals an intresting behavior. When the webservice is instantiating the working, custom, component, I can see the request on the wire to the RPCSS endpoint mapper first perform the TCP connect sequence. Then I see it perform the bind request with the appropriate security package, in this case kerberos. After it obtains the endpoint for the working DCOM component, it connects to the DCOM endpoint authenticating again via Kerberos, and it successfully is able to instantiate and communicate. On the failing VirtualServer.Application component, I again see the bind request with kerberos go to the RPCC endpoing mapper successfully. However, when it then attempts to connect to the endpoint in the Virtual Server process, it fails to connect because it only attempts to authenticate with NTLM, which ultimately fails, because the webservice does not have access to the credentials to perform the NTLM hash. Why is it attempting to authenticate via NTLM? Additional Information: Both components run on the same server via DCOM Both components run as Local System on the server Both components are Win32 Service components Both components have the exact same launch/access/activation DCOM permissions Both Win32 Services are set to run as Local System The permission denied is not a permissions issue as far as I can tell, it is an authentication issue. Permission is denied because NTLM authentication is used with a NULL username instead of Kerberos Delegation Constrained delegation is setup on the server hosting the webservice. The server hosting the webservice is allowed to delegate to rpcss/dcom-server-name The server hosting the webservice is allowed to delegate to vssvc/dcom-server-name The dcom server is allowed to delegate to rpcss/webservice-server The SPN's registered on the dcom server include rpcss/dcom-server-name and vssvc/dcom-server-name as well as the HOST/dcom-server-name related SPNs The SPN's registered on the webservice-server include rpcss/webservice-server and the HOST/webservice-server related SPNs Anybody have any Ideas why the attempt to create a VirtualServer.Application object on a remote server is falling back to NTLM authentication causing it to fail and get permission denied?
April 29th, 2011 10:36pm

basically, the VirtualServer.Application is falling back to NTLM because the webservice-server is either not correctly allowed to delegate to the remote server or the clientside component that runs on the webservice-server and tries to access the VirtualServer.Application object does not support constrained delegation. several notes: a) try enabling the "Trust this computer for delegation to any service" for the webservice. This way you eliminate the problem of incorrect or insufficient SPNs defined. you also may face something else - some components in Windows Server 2008 are obsolete although still present that do not support constrained delegation (an example is Scripting.FileSystemObject), so with the unconstrained delegation you may isolate such issues b) for every SPN, define both the short name (such as webservice-server) as well as the FQDN (such as the webservice-server.domain.local). c) between any tests with delegation, always RESTART the whole webservice-server and log off from the client!!! there are various caches of the tickets including "negative caches" that means that you may just face some "before-restart" temporary conditions d) also make sure the VirtualServer.Application component is really running under System or Network Service identity on the DCOM server, or you will need to define the target SPNs for a different account e) if you want to be really sure the issue is Kerberos delegation related, you can always try to enable Basic authentication on the webservice-server which will allow the webservice to fallback to use NTLM ondrej.
Free Windows Admin Tool Kit Click here and download it now
April 30th, 2011 12:03pm

VirtualServer.Application is the COM components used to interact with Microsoft Virtual Server 2005 R2. The servers involved are Windows Server 2003 R2 SP3. I have tried enabling the "allow everything" delegation setting, but that does not resolve the problem. It seems that the DCOM component hosting service running on the application/dcom server is not allowing kerberos authentication to take place. WebService-Server is named RIVEN: C:\network>setspn -L riven Registered ServicePrincipalNames for CN=RIVEN,OU=Domain Controllers,DC=rivin,DC=net: http/riven.external.rivin.net vssrvc/riven.rivin.net vssrvc/RIVEN vmrc/riven.rivin.net:5900 vmrc/RIVEN:5900 http/services.i.rivin.net http/services.rivin.net exchangeAB/RIVEN exchangeAB/riven.rivin.net ldap/riven.rivin.net/DomainDnsZones.rivin.net ldap/riven.rivin.net/ForestDnsZones.rivin.net exchangeMDB/riven.rivin.net exchangeMDB/RIVEN exchangeRFR/riven.rivin.net exchangeRFR/RIVEN SMTP/RIVEN SMTP/riven.rivin.net SMTPSVC/RIVEN SMTPSVC/riven.rivin.net GC/riven.rivin.net/rivin.net HOST/riven.rivin.net/rivin.net HOST/riven.rivin.net/DNI ldap/1143aa56-4492-4459-873d-fb3b333b0009._msdcs.rivin.net ldap/riven.rivin.net/DNI ldap/RIVEN ldap/riven.rivin.net ldap/riven.rivin.net/rivin.net DNS/riven.rivin.net E3514235-4B06-11D1-AB04-00C04FC2DCD2/1143aa56-4492-4459-873d-fb3b333b0009/rivin.net Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/riven.rivin.net NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/riven.rivin.net HOST/RIVEN HOST/riven.rivin.net Riven's ms-DS-Allowed-To-Delegate-To Attribute: www/terahnee.rivin.net www/TERAHNEE www/terahnee.rivin.net/DNI www/terahnee.rivin.net/rivin.net www/amateria.rivin.net www/AMATERIA www/riven.rivin.net www/RIVEN www/riven.rivin.net/DNI www/riven.rivin.net/rivin.net vssrvc/terahnee.rivin.net vssrvc/TERAHNEE vssrvc/amateria.rivin.net vssrvc/AMATERIA vssrvc/RIVEN vssrvc/riven.rivin.net vmrc/terahnee.rivin.net:5900 vmrc/TERAHNEE:5900 vmrc/amateria.rivin.net:5900 vmrc/AMATERIA:5900 vmrc/RIVEN:5900 vmrc/riven.rivin.net:5900 TelevisionManager/terahnee.rivin.net rpcss/terahnee.rivin.net rpcss/TERAHNEE rpcss/terahnee.rivin.net/DNI rpcss/terahnee.rivin.net/rivin.net rpcss/amateria.rivin.net rpcss/AMATERIA rpcss/riven.rivin.net rpcss/RIVEN rpcss/riven.rivin.net/DNI rpcss/riven.rivin.net/rivin.net rpc/terahnee.rivin.net rpc/TERAHNEE rpc/terahnee.rivin.net/DNI rpc/terahnee.rivin.net/rivin.net rpc/amateria.rivin.net rpc/AMATERIA rpc/riven.rivin.net rpc/RIVEN rpc/riven.rivin.net/DNI rpc/riven.rivin.net/rivin.net http/owa.rivin.net http/owa.i.rivin.net http/www.rivin.net http/www.i.rivin.net http/TERAHNEE http/terahnee.rivin.net/DNI http/terahnee.rivin.net/rivin.net http/terahnee.rivin.net http/amateria.rivin.net http/AMATERIA http/riven.rivin.net http/RIVEN http/riven.rivin.net/DNI http/riven.rivin.net/rivin.net http/riven.external.rivin.net http/services.rivin.net http/services.i.rivin.net HOST/terahnee.rivin.net HOST/TERAHNEE HOST/terahnee.rivin.net/DNI HOST/terahnee.rivin.net/rivin.net HOST/amateria.rivin.net HOST/AMATERIA HOST/riven.rivin.net HOST/RIVEN HOST/riven.rivin.net/DNI HOST/riven.rivin.net/rivin.net dcom/terahnee.rivin.net dcom/TERAHNEE dcom/terahnee.rivin.net/DNI dcom/terahnee.rivin.net/rivin.net dcom/amateria.rivin.net dcom/AMATERIA dcom/riven.rivin.net dcom/RIVEN dcom/riven.rivin.net/DNI dcom/riven.rivin.net/rivin.net cifs/terahnee.rivin.net cifs/TERAHNEE cifs/terahnee.rivin.net/DNI cifs/terahnee.rivin.net/rivin.net cifs/amateria.rivin.net cifs/AMATERIA cifs/riven.rivin.net cifs/RIVEN cifs/riven.rivin.net/DNI cifs/riven.rivin.net/rivin.net Application Server where the DCOM component VirtualServer.Application is instantiated on: C:\network>setspn -L terahnee Registered ServicePrincipalNames for CN=TERAHNEE,OU=Domain Controllers,DC=rivin,DC=net: vssrvc/TERAHNEE vssrvc/terahnee.rivin.net vmrc/TERAHNEE:5900 vmrc/terahnee.rivin.net:5900 TelevisionManager/terahnee.rivin.net http/owa.i.rivin.net http/www.i.rivin.net http/owa.rivin.net http/www.rivin.net http/terahnee.rivin.net IMAP4/terahnee.rivin.net IMAP4/TERAHNEE IMAP/terahnee.rivin.net IMAP/TERAHNEE exchangeAB/terahnee.rivin.net exchangeAB/TERAHNEE POP3/terahnee.rivin.net POP3/TERAHNEE ldap/terahnee.rivin.net/DomainDnsZones.rivin.net ldap/terahnee.rivin.net/ForestDnsZones.rivin.net Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/terahnee.rivin.net SmtpSvc/terahnee.rivin.net SmtpSvc/TERAHNEE SMTP/terahnee.rivin.net SMTP/TERAHNEE NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/terahnee.rivin.net HOST/terahnee.rivin.net/rivin.net GC/terahnee.rivin.net/rivin.net DNS/terahnee.rivin.net ldap/terahnee.rivin.net/DNI ldap/2472f694-331d-4e0b-9688-0b6501e3e4f2._msdcs.rivin.net HOST/terahnee.rivin.net/DNI ldap/terahnee.rivin.net/rivin.net ldap/terahnee.rivin.net ldap/TERAHNEE E3514235-4B06-11D1-AB04-00C04FC2DCD2/2472f694-331d-4e0b-9688-0b6501e3e4f2/rivin.net HOST/TERAHNEE HOST/terahnee.rivin.net Terahnee's msDS-Allowed-To-Delegate-To attribute: HOST/amateria.rivin.net HOST/AMATERIA rpcss/AMATERIA rpcss/RIVEN rpcss/riven.rivin.net rpcss/riven.rivin.net/DNI rpcss/riven.rivin.net/rivin.net rpcss/amateria.rivin.net vmrc/AMATERIA:5900 vmrc/amateria.rivin.net:5900 vmrc/riven.rivin.net:5900 vmrc/RIVEN:5900 MSSQLSvc/riven:1433 MSSQLSvc/riven.rivin.net MSSQLSvc/riven MSSQLSvc/riven.rivin.net:1433 cifs/riven.rivin.net/rivin.net cifs/riven.rivin.net/DNI cifs/RIVEN http/riven.external.rivin.net cifs/riven.rivin.net HOST/RIVEN HOST/riven.rivin.net/DNI HOST/riven.rivin.net/rivin.net HOST/riven.rivin.net http/services.rivin.net http/services.i.rivin.net cifs/MYST cifs/myst.rivin.net vssrvc/RIVEN vssrvc/riven.rivin.net vssrvc/AMATERIA vssrvc/amateria.rivin.net http/RIVEN http/riven.rivin.net http/riven.rivin.net/rivin.net http/riven.rivin.net/DNI Service information about Virtual Server function: (this is the service that the webservice fails to connect to DCOM components in) U:\>sc \\terahnee qc "Virtual Server" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Virtual Server TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "D:\virtualServer\vssrvc.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Virtual Server DEPENDENCIES : RpcSs : vmh : vmm SERVICE_START_NAME : LocalSystem Service information about the service that works: (this is the service that the webservice IS able to connect to DCOM components in) U:\>sc \\terahnee qc "TelevisionManager" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: TelevisionManager TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k MediaSystem LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Television A/V Capture and Streaming Service DEPENDENCIES : DelaySvc1 SERVICE_START_NAME : LocalSystem Authentication Headers as provided to the webservice by the client: Cache-Control: no-cache Connection: Keep-Alive Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-us Authorization: Negotiate YIIM8AYGKwYBBQUCoIIM5DCCDOCgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCDLYEggyyYIIMrgYJKoZIhvcSAQICAQBuggydMIIMmaADAgEFoQMCAQ6iBwMFACAAAACjggvAYYILvDCCC7igAwIBBaELGwlSSVZJTi5ORVSiKzApoAMCAQKhIjAgGwRIVFRQGxhyaXZlbi5leHRlcm5hbC5yaXZpbi5uZXSjggt1MIILcaADAgEXoQMCATqiggtjBIILX9fdl09GRP4RJsC/3qOvuLXBvlQqovr8AuWFa/onw7xZ9tJlqn0ASmcA5Sdpcu4YopVjRNpFI0QSNtWCFIw57XcYMqz6i4MN/g8Uxat7G3kyEBkMktPYy5uYn8RFn96nLp8C9Y/rzYuQCVGP/bvcPZBHAmoAE9upObglz56PgPY+Qjlabhc8x9AXTBwDy+nKcS6OCH/4ZmagBDHAzSL8+R0hJllBIYz+FISOp2pkw/XyTpfJokJ0XII4PSe5EcPZxdefDFUTIE+ecoOvImuXW69w39c1Ua3AMEq1Yy9vhyJGuFAWoCtgTerNnCN3RssIUuO7Y/6eOvoZ0/8d6eAliZeGvpnGcPA58fC4oYX3X6qKfenuDgCiDVEME8TgRdhHR1lQo74UFvBu+QLDPvkTgvcwpOMK3ogr0ZJSTI7iGzT8deuxdp0ukjy+VcAWJ5NcUJPSVkRrN/BW2u+VENx7rddpmcoS7IKGAX/tJQU5VMXcD+T5K9UoDETPUsvGGyFNq6963UUx8qq8v/DAtVABbOk+vWclpoUmjhQmsGFH+Sc0OLqfeIy1Gwv93hVVfK68j1LarVkdNE9BYZTHJC74ZCni5hxGC6y8S2AeetsY5gS1D9+V08qN06XMJNNjCl1z5eaVKH5lyjcIoFRb2uBW8JirhgRxpZijI5qg6mbYW8O0uKcWrmqWfRzwrPcXUcaQGlX1txgwCnXpfwaExwfWwmu7CJimDmAA+LEBygV1ii9JyBaBx2CBXP9+n6Q0ccXagJekv5nMb4GKcabsYnRN87vzcJ6EOwtLR27ZQOQ7kkE3mZ0Y/sTXvdhw8qxBhPPP24iRD09QS9OPDMWQiw4SUfHNW6ZqJGcrxSD4RKbO4dDcdQl88mkmfgScVVKt9QLcmX3a+GlvqzFkeeFhi9ZGu2roiqibphfZ6ZvfHbtQlEh3wZkEYweCgOFbSXu3QYNEsdFzLtAwGCT3/xc9m5catqSSIy7NqehAiiG0v+cJO1Px+SuPr/7I4MPMuCZFE0EJ/AjSJa5s8T1qO0Uig81z912kmK9fvOpmDBMBGO9ClgPBSej0MM2NmJfyzeh7LQ8jE6WageZuyclvrnljlXfblwpKZjZ12Bs/qEfQeXw41HgxFZdxt9LyOauFX5rULH8kvnyU2uTwB7Ayl1XaIZF5GDYTq/O78LtJrvWAfafm3mE8M2Lqz94LPmn3AqG7m+wtBhddK1s1QRUmtYFaPBStdJCV1vfaHA9uGACn5JMUZPY6yB2JBDXvul9yDQ57hec0HEnr9XIto0DkvM4UGz03m6iOCu3BEpeceKedPoOa6/sgkTkvS+EWnOqU7XpZ+JVd2JzIcspRnwoVxlr9Sh2qnsCSn8MBb9BtJ0Efj8Uev/UtsIDy0Lvn1cGehYnCJDL8UDVKmWt/zkTA/sQ4XoJTVJLLiGj6g2ExyYVsYxpjBri6QRhRgu5XsDFu6zQlcGekse8Jd9DZP3jkJfwPmVnohvf3dZ+smVkJ0HpO1l70Yz2/+5wh+PDUekKnKWqXEW9eX0bMH0qnSs7x/FV4/mFibm5urdy9YzxANoA8VurQQjU3L2junoc9ZXvOVIudRbaZxE48g3UdAkUufMoIAVTGACFqDDyPT+4za3EJoyrZp4P1WXDXCjtVQSjvQ+ftraTX0PUXRvmwcnPTK5mHE1FEAV72T1BLkQKG1IpJoeo93lqyx+nIr/eI8dhQSGBZz8C5cZ2Rcs53T8FLOb5MK1N2U8cPv3Zk+M+fRI/xdtsWaIOpz3kJn16SYsyeZCEzyp8eqvybsDkspIbmQbuLvICpwMR5FPlU6poxffU8CAZHryK5nKLiCD0BjBxKPzvuBAwyWjTzMWDB0Zchve14j/+87n0Jl3hVxMh1ISHMPee26O2lRCG4Yw7jZD5KrQLn34T2peGemFZ9ckypNv7ut+J2UaszVtL5Q/nEsTsCFN/cDx+ODRJbXKU7K+3vUiDcNhLa8UIoPABxzTGVr7evaGCIzDrnxY4qYCH7ichvUt0Wt2VEVQcyglX6V7bidMmRJ8HSB5mZ+JmFAKBlS78KzedcPj/wksLdasu+oE8AgT0MjcIb7+qY498XWt15fNvK1DhdBWQBoEHDwaOApkv7z3Fc/y0OBi9qjMcn+NXWPYJXLXkTDu/dWVaM833nJL3Xnqu4iKCgMJeasiW33RPa64rlz7BleBvzKk1B86U3+4viYaeU1AXZ0UTetqQKrIlMsq7MMaha9lBqr5eGVFGlhHF9stPO5lJKcjCxcx411H61cjQgrrXrlPtoULKi7S9qlcfUjuoYB+UoiGhGLoslYWRPi6hnYB+y9h36zUZKzycJbFv6XRio+Sar/hIPyJDnJrbNndpGUW4xqxIKswVfpLpyNhpIK78FToghpmrMzrMh6gh5fVF87ThpDjmfRmueHEN6NEyyfKAq0FehCFxHaM3zQxptG8KzortjlyPXPIRT3TbfmxDtFQSYCL7B4BW728BTo3Ido5Zau/GTpW5r+dOO7Q1yZccMqFvGBQJfsyneAtDUaucJsmfpcNU/sW9154o5rVvQ4s9MWDN/Ulp+9vqV90TU8mhpy0h5/jEaK5FSZ5yey+ymeKdw7DW92GbAJxCSCcuWKIOLrAyEm/F1BDagLQvVa50H2kWozu1qBi+EyZsdI5i2KxtYSBEk1GP33JcX/RaY9zn8zSONIumqzKO/dZOuVNwP4JNhhB5nGf7F0pnnvPVrwyvnRovMhyF+o7SGpdW+vMopSBlxLUnGn76Kki9x5Pfh74oOqR36t6v/L5dUnWElCdHCrNYJRQTx3ZlDAOXOqfrkhWV+lb4M6UoOei7VWi0TLVMNf1l3bQOy0O+Go3Tlnw5Mn0Ywzi2KHFd3xsuxYuxJLpCE3OFJY9LnM9fE+wtlB28jrvO0tHejoryrwjd3JQiZdr/UAJqdp51im1xUB5ALyBVe4YNdb09dUpJB+MbqgE/ZKg4Q45yTz5tVBOCb89KQc51CIXPvipaqCFTrpwMjYM8OfaMZyn8F5hlQEnIMJtiRWHllYunUJVYZROLSvUr4cpLECvBpbyzoghWn/q/+VHdwH+G9nakPS5tMxgYE+9mCYhRn9R9CfkKgsWkVI8pTGbhdYbA25yTFXL9qV7FPSmcC+XNIUxovO1BH/tYuo7lNAUg1/zNcB95qKe7ZmrlFl4Z3AVo4q9kRIEVo1LMjNmPb+2hOhAMKeKcXzNov320mL3AnUk2zekti4W8R4Iup5bGL7sz6VmeC4K00Y/FfCf0IjrugkjQ3kkpCmPN3+z7eR4zg6TadQzoXD/AXbP0NZsJ50c08fnBaWBq82Sibd3EHOzDiSY5D021s/5mXa5NBkqoYrykWbPIpZj1W+eJXKxgsIfSl1K/6dNyLyzqXqHhwct9fuVFAGwxmJIyaUTZpACmzDQhlhN5yByiDGwQWRJzLfhiU7bL0OSZd4YD5HuOtHOnBBIezVzlBGpAoKJqRXVeF9Ldh+y5X+DuitguiZ+Wg27td+RvmY4KS1XvoI8lR+gPzXzK++a8kjAqRb56+h6tJQ9aKzp0lI2Gf4yJkRGmAtalmXDGmqAgurerKAXsZj2hIXYfp3MDl3XYSQ3v79rSQrPMnYcbyjGk7MIcHVqg36s20fMcXumQMCBBczU/XPiQdyPbL8h6oX3rFX1C2c2tr+cr69QmKhLSUbTQAwsuEWj3pYXqGapUmTKOM68voPKMlYNClxtfruqdq+jGXRvVEysZx/Rk07ou+D1gK23g6bnsWsb5PMob2NZGvJqnXMmCUmWRpssqWo3ToykzTUBj7JHu6anSpa/BXWSlc0n78b2x2V/hV5i7UfTH6cFbKmPdS5rH+kTp/4L6u8GCzok3xeNhi+zmkgb8wgbygAwIBF6KBtASBsXeJbKUUhZXqWl9v/OyWYHZ2gIyVdP8ALbkmKhLQHem+4fJ6ZB3u+3znJMhoDA476CbRqSmI85MNgQhss2GtN/cC1tkpd6oWCM87MPXgDgnMup/5TlPAYt5ytVzBnsL9IzRslmyPHYcCp5+XCziMem3V4quN/8ksQU5xyn9WHT0UBzLmhqI4eqVy0fgdB3k1U5pe83VF6is+wOQZpxfLRrt1/pfT5KP+T9kVFQO4Jv/qgw== Cookie: ASPSESSIONIDQADBCTTC=OOJPLFLAAMNPGOKFJPNCCGBM Host: services.rivin.net User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
May 4th, 2011 7:14pm

Here is some additional information. When the following code is run in the context of the webservice, directly via a testing-only, just-developed COM component, it fails on the specified line with Access Denied. COSERVERINFO csi; csi.dwReserved1=0; csi.pwszName=L"terahnee.rivin.net"; csi.pAuthInfo=NULL; csi.dwReserved2=NULL; hr=CoGetClassObject(CLSID_VirtualServer, CLSCTX_ALL, &csi, IID_IClassFactory, (void **) &pClsFact); if(FAILED( hr )) goto error1; // Fails here with HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED) hr=pClsFact->CreateInstance(NULL, IID_IUnknown, (void **) &pUnk); if(FAILED( hr )) goto error2; Ive also noticed that in the Wireshark Traces, i see the attempt to connect to the service process component *only requests* NTLMSSP authentication, it doesnt even attmept to use kerberos. This suggests that for some reason the webservice thinks it cant use kerberos...
Free Windows Admin Tool Kit Click here and download it now
May 5th, 2011 3:18am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics