VC ATL, How to connect one user's COM client to another user's OOP server?

How to connect one user's COM client to another user's OOP server?

Author	Message
Simon Hammon #1 / 4	How to connect one user's COM client to another user's OOP server? I've written a few COM OOP servers that run as services and need access to various system resources. Therefore they are configured in "Services", to run as the "System Account" - they run and they work fine. However, the actual logged on user is a different user and has and needs considerably restricted rights. We've found that when the logged in user runs a client, it doesn't create the object in the already running server, but kicks off another instance of the EXE, which for us is disastrous! It kinda makes sense what COM is doing since I presume it's not allowing a restricted client to connect/use a server that has complete access rights, since it kinda breaks the security model. So my question is - is there a way of getting around this security 'wall'? Can I somehow register my clients as being 'trusted'? I'm writing all the code, so any necessary changes can be made. This is all in ATL, running on NT4 SP6 Cheers Simon
Sun, 11 Jul 2004 18:09:53 GMT

Alexander Nickolo #2 / 4	How to connect one user's COM client to another user's OOP server? Have you configured your server as service with regard to COM? This is done by running it with the /Service command-line param. This assuming you use ATL of course, but judging from the group you are posting to... -- ===================================== Alexander Nickolov Microsoft MVP [VC], MCSD MVP VC FAQ: http://www.mvps.org/vcfaq ===================================== Quote: > I've written a few COM OOP servers that run as services and need > access to various system resources. Therefore they are configured in > "Services", to run as the "System Account" - they run and they work > fine. However, the actual logged on user is a different user and has > and needs considerably restricted rights. We've found that when the > logged in user runs a client, it doesn't create the object in the > already running server, but kicks off another instance of the EXE, > which for us is disastrous! It kinda makes sense what COM is doing > since I presume it's not allowing a restricted client to connect/use a > server that has complete access rights, since it kinda breaks the > security model. > So my question is - is there a way of getting around this security > 'wall'? Can I somehow register my clients as being 'trusted'? I'm > writing all the code, so any necessary changes can be made. > This is all in ATL, running on NT4 SP6 > Cheers > Simon
Mon, 12 Jul 2004 03:27:44 GMT

Simon Hammon #3 / 4	How to connect one user's COM client to another user's OOP server? On Wed, 23 Jan 2002 11:27:44 -0800, "Alexander Nickolov" Quote: >Have you configured your server as service with regard to COM? >This is done by running it with the /Service command-line param. >This assuming you use ATL of course, but judging from the group >you are posting to... Ah! Come to think of it, the system is slightly different to that what I'd described, and maybe you've hit the nail on the head. There's actually only one service, which kicks off a handful of other COM server processes, all of which presumably inherit the system account rights. Are you saying that if all the OOP servers were actually services, my restricted clients would connect to the service, rather than kick of another instance of the EXE as they're doing now? I could try this of course, but converting an exe to a service will be tiresome if it's not going to make any difference? Thanks Simon
Tue, 13 Jul 2004 05:39:56 GMT

Alexander Nickolo #4 / 4	How to connect one user's COM client to another user's OOP server? Ah, your initial posting misled me... If these are not services, you simply need to change their Identity not to be the default of Launching user. This User and a specific NT account is best. Use DCOMCnfg/Properties/Identity tab. Note that for best performance you should use the same account for all servers. Each account spawns a new windowstation which amounts to about 3 MB memory overhead... -- ===================================== Alexander Nickolov Microsoft MVP [VC], MCSD MVP VC FAQ: http://www.mvps.org/vcfaq ===================================== Quote: > On Wed, 23 Jan 2002 11:27:44 -0800, "Alexander Nickolov" > >Have you configured your server as service with regard to COM? > >This is done by running it with the /Service command-line param. > >This assuming you use ATL of course, but judging from the group > >you are posting to... > Ah! Come to think of it, the system is slightly different to that what > I'd described, and maybe you've hit the nail on the head. There's > actually only one service, which kicks off a handful of other COM > server processes, all of which presumably inherit the system account > rights. Are you saying that if all the OOP servers were actually > services, my restricted clients would connect to the service, rather > than kick of another instance of the EXE as they're doing now? I could > try this of course, but converting an exe to a service will be > tiresome if it's not going to make any difference? > Thanks > Simon
Tue, 13 Jul 2004 06:11:11 GMT

Page 1 of 1

[ 4 post ]