How to connect one user's COM client to another user's OOP server? 

I've written a few COM OOP servers that run as services and need
access to various system resources. Therefore they are configured in
"Services", to run as the "System Account" - they run and they work
fine. However, the actual logged on user is a different user and has
and needs considerably restricted rights. We've found that when the
logged in user runs a client, it doesn't create the object in the
already running server, but kicks off another instance of the EXE,
which for us is disastrous! It kinda makes sense what COM is doing
since I presume it's not allowing a restricted client to connect/use a
server that has complete access rights, since it kinda breaks the
security model.

So my question is - is there a way of getting around this security
'wall'? Can I somehow register my clients as being 'trusted'? I'm
writing all the code, so any necessary changes can be made.

This is all in ATL, running on NT4 SP6

Cheers

Simon



Sun, 11 Jul 2004 18:09:53 GMT  
Have you configured your server as service with regard to COM?
This is done by running it with the /Service command-line param.
This assuming you use ATL of course, but judging from the group
you are posting to...

--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD

MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================

Quote:

> I've written a few COM OOP servers that run as services and need
> access to various system resources. Therefore they are configured in
> "Services", to run as the "System Account" - they run and they work
> fine. However, the actual logged on user is a different user and has
> and needs considerably restricted rights. We've found that when the
> logged in user runs a client, it doesn't create the object in the
> already running server, but kicks off another instance of the EXE,
> which for us is disastrous! It kinda makes sense what COM is doing
> since I presume it's not allowing a restricted client to connect/use a
> server that has complete access rights, since it kinda breaks the
> security model.

> So my question is - is there a way of getting around this security
> 'wall'? Can I somehow register my clients as being 'trusted'? I'm
> writing all the code, so any necessary changes can be made.

> This is all in ATL, running on NT4 SP6

> Cheers

> Simon



Mon, 12 Jul 2004 03:27:44 GMT  
On Wed, 23 Jan 2002 11:27:44 -0800, "Alexander Nickolov"

Quote:

>Have you configured your server as service with regard to COM?
>This is done by running it with the /Service command-line param.
>This assuming you use ATL of course, but judging from the group
>you are posting to...

Ah! Come to think of it, the system is slightly different to what
I'd described, and maybe you've hit the nail on the head. There's
actually only one service, which kicks off a handful of other COM
server processes, all of which presumably inherit the system account
rights. Are you saying that if all the OOP servers were actually
services, my restricted clients would connect to the service, rather
than kick off another instance of the EXE as they're doing now? I could
try this of course, but converting an exe to a service will be
tiresome if it's not going to make any difference?

Thanks

Simon



Tue, 13 Jul 2004 05:39:56 GMT  
Ah, your initial posting misled me... If these are not services,
you simply need to change their Identity not to be the default
of Launching user. This User and a specific NT account is best.
Use DCOMCnfg/Properties/Identity tab. Note that for best
performance you should use the same account for all servers.
Each account spawns a new windowstation which amounts to
about 3 MB memory overhead...

--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD

MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================

Quote:

> On Wed, 23 Jan 2002 11:27:44 -0800, "Alexander Nickolov"

> >Have you configured your server as service with regard to COM?
> >This is done by running it with the /Service command-line param.
> >This assuming you use ATL of course, but judging from the group
> >you are posting to...

> Ah! Come to think of it, the system is slightly different to what
> I'd described, and maybe you've hit the nail on the head. There's
> actually only one service, which kicks off a handful of other COM
> server processes, all of which presumably inherit the system account
> rights. Are you saying that if all the OOP servers were actually
> services, my restricted clients would connect to the service, rather
> than kick off another instance of the EXE as they're doing now? I could
> try this of course, but converting an exe to a service will be
> tiresome if it's not going to make any difference?

> Thanks

> Simon



Tue, 13 Jul 2004 06:11:11 GMT  
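
The Identity tab setting discussed in the last reply is stored per AppID in the registry, and a server left at the default of launching user gets a separate instance for each client identity. The following is an added example, not part of the thread, that lists which identity COM will use for each registered out-of-process server so the defaulted ones can be found and reviewed; the function name `Get-ComServerIdentity` and the output column names are made up for this example.

```powershell
# Added example: report the identity COM uses when it starts each registered AppID.
# HKCR\AppID\{GUID} with its RunAs / LocalService / LaunchPermission /
# AccessPermission values is the standard COM registry layout that DCOMCnfg edits.
# The function name and the output columns are hypothetical, chosen for this example.
function Get-ComServerIdentity {
    param([string]$NameFilter = '*')

    $root = 'Registry::HKEY_CLASSES_ROOT\AppID'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $key   = $_
            $name  = $key.GetValue('')              # default value: friendly name
            $runAs = $key.GetValue('RunAs')         # written by the Identity tab
            $svc   = $key.GetValue('LocalService')  # present for servers registered as a service

            if ($svc) {
                $mode = 'Service'
                $identity = "service '$svc' (account set in Services)"
            } elseif ($runAs -eq 'Interactive User') {
                $mode = 'InteractiveUser'
                $identity = 'whoever is logged on at the console'
            } elseif ($runAs) {
                $mode = 'ThisUser'
                $identity = $runAs
            } else {
                # No RunAs and no LocalService: COM starts the server as the
                # caller, so each distinct client identity gets its own instance.
                $mode = 'LaunchingUser'
                $identity = 'the client that activates it'
            }

            [pscustomobject]@{
                AppId        = $key.PSChildName
                Name         = $name
                Mode         = $mode
                Identity     = $identity
                # False means the machine-wide default ACL applies to this server.
                CustomLaunch = $null -ne $key.GetValue('LaunchPermission')
                CustomAccess = $null -ne $key.GetValue('AccessPermission')
            }
        } |
        Where-Object { $_.Name -like $NameFilter }
}

# Servers still on the default identity:
Get-ComServerIdentity | Where-Object Mode -eq 'LaunchingUser' | Format-Table -AutoSize
```

For a server running under a privileged fixed account, the `CustomLaunch` and `CustomAccess` columns show whether its launch and access ACLs were set explicitly; those ACLs decide which restricted clients can reach it.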