subject_61598.htm

vc

<p>
序号：61598 发表者：lyliuyu 发表日期：2003-11-20 15:42:50
<br>主题：为什么我的DCOM只能在Guest用户下才能连接成功？
<br>内容：请问为什么我的DCOM只能在Guest用户下才能连接成功？在administrator下提示错误：拒绝访问。怎么办？
<br><a href="javascript:history.go(-1)">返回上页</a><br><a href=http://www.copathway.com/cndevforum/>访问论坛</a></p>
<hr size=1>
<blockquote><p>
回复者：QueryInterface 回复日期：2003-11-20 16:23:55
<br>内容：关注。<BR>我不熟DCOM，但我想是不是DCOM的安全设置里administrator用户没有被赋予足够的权限！，个人观点
<br>
<a href="javascript:history.go(-1)">返回上页</a><br><a href=http://www.copathway.com/cndevforum/>访问论坛</a></p></blockquote>
<hr size=1>
<blockquote><p>
回复者：dfgsdfg 回复日期：2003-11-21 12:01:24
<br>内容：1、你的client PC和server PC肯定不在一个域内；<BR>2、你把你的client PC的系统管理员密码和服务器设成一样就可以成功。<BR>
<br>
<a href="javascript:history.go(-1)">返回上页</a><br><a href=http://www.copathway.com/cndevforum/>访问论坛</a></p></blockquote>
<hr size=1>
<blockquote><p>
回复者：勇敢的心72 回复日期：2003-11-22 20:41:00
<br>内容：要用DOMAIN方式管理才行。
<br>
<a href="javascript:history.go(-1)">返回上页</a><br><a href=http://www.copathway.com/cndevforum/>访问论坛</a></p></blockquote>
<hr size=1>
<blockquote><p>
<font color=red>答案被接受</font><br>回复者：勇敢的心72 回复日期：2003-11-24 22:21:58
<br>内容：Hi<BR><BR>After posting my initial problem here last week, I went on an extended<BR>search to try and find out why I was getting E_ACCESSDENIED errors using a<BR>local account on the client machine.<BR><BR>I started making sure to follow all the hings in Keith Brown's COM Security<BR>FAQ Ex2 (http://www.develop.com/kbrown/com/secfaq.htm#TurnOffSecurity), but<BR>I would still have problems using a non domain login on a client machine.<BR>During my research, I came across point 4 of Microsoft's COM Security FAQ<BR>(http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com<BR>:80/support/kb/articles/Q158/5/08.asp&amp;NoWebContent=1) which mentions that if<BR>not working in a domain, the account that is being used to launch the client<BR>must match an account existing on the machine where the DCOM service is<BR>running on. &lt;&lt;&lt;&lt;&lt;&lt;&lt;&lt;My two machines have the same local Administrator account and<BR>password, and using that account, I could indeed access the DCOM service,&gt;&gt;&gt;&gt;&gt;<BR>but using any other account that was only available on one machine, I would<BR>get an E_ACCESSDENIED error either when calling CoCreateInstance (in case<BR>the service was not running and its start permissions were not set to<BR>include Everyone), or when calling QueryInterface (in case the service was<BR>already running, or the start permissions were set to include Everyone).<BR>Turning on auditing of logon/logoff events I could clearly see how the<BR>remote machine was trying to authenticate itself to the machine where the<BR>DCOM service is running, but the authentication would fail.<BR><BR>But loggin in using any domain account on the client machine would pose no<BR>problem whatsoever.<BR><BR>Now I'm wondering, since I have turned off authentication on both server and<BR>client, why is there still some kind of authentication active when accessing<BR>the service? If you can set the launch permissions to include Everyone, and<BR>thus completely deactivate security for launching the server, why is the<BR>same not possible when executing a remote method? After all I have<BR>instructed both client and server not to authenticate any packet. This<BR>forced authentication really surprises me, especially since usually<BR>Microsoft isn't so particular on security (and there are various RPC/DCOM<BR>exploits out there and certain holes have just recently been plugged). Is<BR>the authentication when executing a remote method something inherent to the<BR>DCOM architecture that cannot be turned off, or is there a way I'm not aware<BR>of? I'd expect my service to work anyway, because all potential users have a<BR>domain login, but I'm still wondering if there isn't a way to turn off the<BR>authentication.<BR><BR>2003-11-24 22:23:56