
asp.net security : Further DPAPI (user store) problems


Martin
9/12/2004 11:28:02 AM
Hi,

I am trying to get the How To: Use DPAPI (User Store) from ASP.NET with
Enterprise Services example working on my dev machine.

Many thanks to Nicole for solving the last problem I had with this.

I can now start the DPAPI service, and once I have re-registered the
DPAPIComp.dll, I don't get problems accessing the registry entry for its
ProgID.

However when I run the example web page to encrypt some data, I get access
denied on creating the DataProtectorComp object which is in DPAPIComp.

My DPAPIComp.dll exists in its own build directory (DPAPIComp/bin/Debug),
another dir in that project (DPAPIComp/obj/Debug), and locally in the
DPAPIService project dir (DPAPIService/bin/Debug). I have chosen to strong
name this dll, and each instance of the dll mentioned here has the same
version number. I am surprised there is no mention of adding this dll to
the GAC. When I look, it is not there after building the DPAPIComp, and
when I add it manually, it doesn't solve my problem of access denied.

I have given machine/ASPNet account (running Windows XP Pro sp1) read &
execute access to each copy of the dll.

BTW I have each project of the howto in one big solution file.

Can anyone help me get this running?

Also what is the best way to test the COM+ Application in isolation of the
windows service? Login as the DPAPI user and run a windows form
application? When I try to start the COM+ Application as either me (local
admin rights) or the local machine dpapi account it fails with "Catalog
Error, You do not have permission to perform the requested action. If
security is enabled on the System Application of the target computer make
sure you are included in the appropriate roles". As per the instructions,
security level on this COM+ app is at the process level only, and "enforce
access checks for this app" is ticked.
Thanks
Martin



Martin
9/12/2004 12:21:25 PM
On attempting to create the DPAPIComp object I get the following System
event log error:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10002
Date: 12/09/2004
Time: 12:09:51
User: DELL\ASPNET
Computer: DELL
Description:
Access denied attempting to launch a DCOM Server. The server is:
{<some guid>}
The user is ASPNET/DELL, SID=<another guid>.

I see from the help on this event message, I should have a registry value
for HKCR\Clsid\clsid value\localserver32, but I don't.
My HKCR\Clsid\clsid value\ entry has the sub entries Implemented Categories,
InProcServer32, and ProgId. Can I follow the event log help, but use
InProcServer32 instead of localserver32, or should I create a localserver32
entry?

Thanks
Martin

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Martin
9/12/2004 12:47:19 PM
Looking further at the help for the event error, I don't seem to have a
friendly name for DPAPIComp in Component Services\My Computer\DCOM Config.

So I don't know how I could customise the DCOM security properties anyhow.
I thought the idea was that the service application would have loaded the
DPAPIComp serviced component (the service is running in Windows Services).


Thanks
Martin


Martin
9/13/2004 1:12:36 PM
I installed the dlls on another xp pro machine (this time with sp2
installed)

It fails at the same point (running my web app, creating the object):

private void btnEncrypt_Click(object sender, System.EventArgs e)
{
    DataProtectorComp dp = new DataProtectorComp();

This time the event log message is
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 13/09/2004
Time: 12:19:52
User: BLAH08\ASPNET
Computer: BLAH08
Description:
The application-specific permission settings do not grant Local Activation
permission for the COM Server application with CLSID
{B260D933-05AA-3D74-BC26-C29C52C95F6C}
to the user BLAH08\ASPNET SID
(S-1-5-21-2409822955-685331194-164014053-1011). This security permission
can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

There doesn't seem to be any help in the support center for this error.

I don't know if this is a step forward or a step back compared to my main
dev machine.

???

Martin


Martin
9/13/2004 1:52:46 PM
Removing sp2 makes the 10016 event error go away, leaving me with the 10002
error.

Martin


Martin
9/14/2004 11:22:42 AM
When I *disabled* access checks for the DPAPI Helper Application, I got an
error telling me it couldn't find DataProtection.dll.

Reading Register Serviced Components from
http://msdn.microsoft.com/library/en-us/secmod/html/secmod09.asp?frame=true
I put both DataProtection.dll and DPAPIComp.dll in the gac, re-registered
DPAPIComp.dll with regsvcs, and re-installed the DPAPIService.exe service.
Starting the service, DPAPIWeb runs successfully.

However, when I set the DPAPIHelper COM+ app back to *enable* access
checks, it *still* fails with a system event error 10002.

NB The DPAPI Help App (COM+ App) is configured to perform access checks at
the process level only, so there aren't any COM+ roles to configure I guess.

Still appreciate any help on this.

Thanks
Martin

Martin
9/14/2004 12:13:14 PM
Even adding local ASPNET to the local Administrators group does not let ASPNET
launch a DCOM Server (error 10002 still occurs)!!!



Joseph E Shook [MVP - ADSI]
9/17/2004 12:30:06 AM
If you do not have any roles set up then you will need to leave the
security disabled at the Application level. By default on XP and
Win2003 it is turned on. But I think when this document was written
Windows 2000 was most likely the targeted platform and if I remember
right the Application access checks were disabled by default. So maybe
that explains the lack of mentioning this tidbit in the doc.

Joseph E Shook [MVP - ADSI]
9/17/2004 7:35:21 AM
You shouldn't need to do any configuration with DCOM Config. But you
will have to create a role in the roles folder of the ES application.
Then add the users or groups to this role.

Look at the chapter called How To: Use Role-based Security with
Enterprise Services in the same doc.
Basically you will have to implement an interface to be able to see your
component methods in ES and you will have to create roles.
Another thing you will need to do is add a Marshaler Role with the
everyone group in it. It is most convenient to just add the following
line to your assemblyinfo:
[assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]

Ok, after saying all of that you could just use standard role-based
security in your component. Look up Declarative and Imperative in the
help files. But remember you can only use ES roles or .NET role-based
security; no mixing of the two.

I would be more specific but I have to revisit some of my work from last
year to better tell this story. I hope this will help.



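
As an added illustration of the approach Joseph describes above (this is not code from the original thread, from the Microsoft how-to, or from the DPAPIComp sample), here is a C# serviced component wired for COM+ role-based access checks: an interface so Enterprise Services can see the methods, a Marshaler role granted to Everyone, an application role assigned to the component, and an imperative role check inside each method that first confirms security is actually enabled (when COM+ security is off, IsCallerInRole returns true, so the check alone would silently pass). The role name "DPAPI Users", the class and interface names, and the use of ProtectedData (System.Security.dll, .NET 2.0 and later; the original how-to P/Invokes CryptProtectData from its own DataProtection.dll) are assumptions made for this example.

```csharp
using System;
using System.EnterpriseServices;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll (assumed here)
using System.Text;

// Application-level COM+ settings (these normally go in AssemblyInfo.cs).
// The application name and role names are assumptions for this example.
[assembly: ApplicationName("DPAPI Helper Example")]
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(
    true,                                                      // "Enforce access checks for this application"
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]
// Marshaler role containing Everyone: without it, callers cannot even
// obtain the interface pointers needed to reach the component.
[assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]
// Application role for real callers. regsvcs creates it empty; add the
// ASP.NET process account (e.g. ASPNET) to it in Component Services.
[assembly: SecurityRole("DPAPI Users",
    Description = "Accounts allowed to protect and unprotect data")]

namespace DpapiRoleExample
{
    // Expose methods through an interface so COM+ lists them for the component.
    public interface IDataProtectorExample
    {
        string Protect(string plaintext);
        string Unprotect(string base64Ciphertext);
    }

    [ComponentAccessControl(true)]          // component-level checks on this class
    [SecurityRole("DPAPI Users")]           // assign the application role to the component
    public class DataProtectorExample : ServicedComponent, IDataProtectorExample
    {
        public string Protect(string plaintext)
        {
            EnsureCallerInRole("DPAPI Users");
            // CurrentUser scope: the key is derived from the profile of the
            // identity the COM+ server application runs as, not from the caller.
            byte[] cipher = ProtectedData.Protect(
                Encoding.UTF8.GetBytes(plaintext), null, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(cipher);
        }

        public string Unprotect(string base64Ciphertext)
        {
            EnsureCallerInRole("DPAPI Users");
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(base64Ciphertext), null, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }

        // Imperative check: fail closed if security is disabled, because
        // ContextUtil.IsCallerInRole returns true when no checks are enforced.
        private static void EnsureCallerInRole(string role)
        {
            if (!ContextUtil.IsSecurityEnabled)
                throw new UnauthorizedAccessException(
                    "COM+ role-based security is not enabled for this application.");
            if (!ContextUtil.IsCallerInRole(role))
                throw new UnauthorizedAccessException(
                    "Caller is not a member of the '" + role + "' COM+ role.");
        }
    }
}
```

The assembly must be strong-named before `regsvcs.exe` will register it; after registration, open Component Services, expand the application, and add the web process account to the "DPAPI Users" role (the Marshaler role is already populated by the attribute). The ASP.NET client should cast the object to IDataProtectorExample and call through the interface, which is the shape COM+ applies method-level security to.
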
Martin
9/17/2004 9:19:43 AM
Hi Joseph,

Thanks for the response.

I would like to have security at the application level if possible. What
concerns me is I don't have any entry that looks useful to me under DCOM
Config.

Can you give me any pointers on that?

Thanks
Martin
PS I can't see any steps involving the security tab of my COM+ App in the
January 2004 version of this document.



Martin
9/22/2004 8:11:00 AM
Thanks Joseph,

I'll have another look.

Martin

