I have a legacy DCOM server and client application both written in Delphi v6. The DCOM server is currently configured to run once and service all clients. The main reason for it running once is that the server provides an interface to an accounts application and must logon and can only do this once for a given user name.
Our customer now wants to upgrade their server to Windows Server 2008 R2 leaving the clients on Windows XP but I have been unable to replicate the current set-up.
The current set up that I can get to work on a test rig is slightly odd!
I have to configure DCOM settings to allow remote launch or I get access denied on the client
If the DCOM server is not already running, when the client tries to connect to it I get server execution failed.
If the server is running and the launch permission is set to allow remote launch, the client starts a new instance of the DCOM server rather than using the instance already started. This then causes problems in the accounts application as the same user tries to logon which is not allowed.
If I close the DCOM server running on the server, the client happily works away with its own instance. I cannot see the DCOM servers main form though as its running in the background (can see it in task manager)
I've found various articles to do with this problem but nothing so far has worked. These include running the DCOM server as administrator, not running the DCOM server as administrator, allowing COM+ in the firewall, adding the DCOM server to the firewall, the DCOM server located in SysWOW64, using the 32 bit version of DCOMCNFG, etc.
Now not sure where to go...
Thanks for any help
Simon
DCOM default permissions has changed in XP SP2 and 2003 SP1. You'll need to configure the properly to make your service running properly. Usually, unless you implement the DCOM server in a service (something Delphi doesn't allow due to limited DCOM support), the DCOM server is started when a user connects, and that's why you may need the "remote launch" permissions.
Moreover a DCOM server may be started in the context of a given user, the interactive user (must be avoided for remote clients!), or the launching user. What mode are you using? - if it is set to "launching user" it will always create a new instance. How was your server instanced before the new OS? How is its class factory implemented?
See here for some interesting information about DCOM and Delphi implementations.
BTW:
Never run your DCOM server with Administrators privileges unless it really needs it. Otherwise you can create a security hole.
If a firewall is present, both the RPC endpoint port and the ports configured for DCOM must be opened to the calling clients.
Don't mess system directories with your application. There's no need, if your app works only there you have a privileges misconfiguration, and you won't solve it properly putting files where they don't belong to.
Related
Im trying to expose a web application I have developed in ASP.NET MVC 5 through ngrok and Im having no luck with the Windows Authentication. My plan was to test the app using other VMs with IE8 (insert rage here) and a few mobile devices connecting through ngrok.
My setup details are as follows.
VM with Server 2008 (Domain Controller), Visual Studio 2013, SQL etc and development tools
Domain XYZ setup in VM with test users
The Web App is running by F5'ing VS in IIS Express and uses Windows Authentication. IIS express is configured to support Windows Authentication.
I have configured ngrok bindings in the applicationhost config file and also run the netsh command "netsh http add urlacl url=URLPLUSPORT user=everyone"
I can access and use/debug the app fine on the VM using localhost, this has always worked. However, when I run ngrok and then access the app from outside the VM I get the login credential prompt (was expecting this). I enter the correct user/password and I still get 401 Unauthorised and cannot access the app.
Can anyone help? Do I need any extra configuration to allow the authentication to pass through? Is this even possible?
I am pretty much stumped right now and the ngrok site is down although I cant imagine there is much documentation on this scenario :(
Thanks for your help
Implementing the steps here: http://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-how-to-configure-iis-express/
I tried to access the mobile service REST interface from iOS, Android and Windows based applications running on a remote machine performing GETs and POSTS all requests result in an "authorization has been denied for this request" response.
I am able to navigate to the mobile service website from the remote machine mentioned above, which is on the same subnet as the mobile service, however when clicking on the "try it out" link I am prompted to enter credentials. I tried entering the mobile service key, windows credentials and the credentials used when setting up the database none worked all resulted in a re-prompt for credentials.
The same Android and Windows applications work without issue when running on the machine the mobile service is running on. I have to use 10.0.2.2 for android app running in the emulator to get the loopback to work but otherwise the code is unchanged.
The azure mobile service is running in the debugger using Visual Studio 2013 with Update 3. Visual Studio was launched as an admin.
All three apps iOS, Android and Windows can access the same mobile service when its running in Azure (Cloud).
I have read that the mobile service, running in IISExpress, allows anonymous requests originating from localhost but I have not seen any mention about how to configure authentication when accessing remotely or if any adjustments are needed to authenticate properly.
Any ideas?
Remote access for IIS Express is initially blocked
On Vista and Win7 or Win 8 run the following command with administratice Privileges
netsh http add urlacl url=http://xxxxx:port/ user=everyone
I have an application that can run both as windows service or stand-alone console. It is deployed remotely, on my client's servers. When I remote desktop into the server, I use the same domain account that is used to run the windows service configuration of my application. Therefore, running the application as windows service or console is done absolutely under the same credentials. Or is it? The problem is that my console throws the "Access to Message Queuing system is denied" exception while the windows service doesn't have any issues with this. All the functionality of the application that accesses the MSMQ system is encapsulated into a .dll that is used by both the windows service and the console, so again, there should be no difference.
Any ideas as to what should I change?
I made a Windows Service that interact with MSMQ (a stupid data exchange application with no requirement regarding security).
I had to disable un-authenticated RPC calls using the Message Queuing properties pane in Computer management to make it work. Otherwise it throws System.Messaging.MessageQueueException (0x80004005): Access to Message Queuing system is denied.
Also the service run under Local System (which I remember is by default)
The user under which the service/console is executing should have access to MSMQ.
Please check if this is the case or not in your instance.
when I go to application tier, configure installed features ,start wizard,
it will ask whether I would like to have sharepoint on this machine or not, I go for it and the error displays is:
TF400081: Cannot connect to the Internet. An Internet connection is needed to be able to install SharePoint.
We are using a proxy on the network to access the internet, when I look in the log it says:
Exception Message: The remote server returned an error: (407) Proxy Authentication Required. (type WebException)Status: ProtocolError
Response Status Code: ProxyAuthenticationRequired
how can I run the standard configuration wizard do that it gets authenticated by the proxy?
This is because it's trying to download all the prerequisites for sharepoint. It may just be easier to do an offline install by manually installing the prereqs yourself.
http://blogs.technet.com/b/patrick_heyde/archive/2010/03/02/install-sharepoint-2010-without-internet-access.aspx
There is two ways:
1. switch off require authentication for your server on proxy
install your own intermediate proxy (Proxomitron.info for example) on you work computer and make TFS server to connect to you proxy instead of corporate.
And configure an intermediate proxy to bypass all connection without authentication.
BEFORE: I had a TFS 2010 on a temporary test environment set up with a project and I had web users and everything worked great.
NOW: I've installed it on a permanent environment (same O/S, domain, everything) but any permissions I set no longer seem to have any effect.
It seems only the service account can access any features.
Authentication is NTLM.
Any network users I give access to are either being asked for their credentials to connect to the server and being rejected regardless (they can connect to the default IIS fine) or they get:
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
Ridiculous, but the problem is that the new install was on the E: not the C: so the local NETWORK SERVICE account (that I use as a service account for TFS) did not have access to the files/folders under \Program Files\Microsoft Team Foundation Server 2010\