Further DPAPI (user store) problems

Discussion in 'ASP .Net Security' started by Martin, Sep 12, 2004.

  1. Martin

    Martin Guest

    Hi,

    I am trying to get the How To: Use DPAPI (User Store) from ASP.NET with
    Enterprise Services example working on my dev machine.

    Many thanks to Nicole for solving the last problem I had with this.

    I can now start the DPAPI service, and once I have re-registered the
    DPAPIComp.dll, I don't get problems accessing the registry entry for its
    ProgID.

    However when I run the example web page to encrypt some data, I get access
    denied on creating the DataProtectorComp object which is in DPAPIComp.

    My DPAPIComp.dll exists in its own build directory (DPAPIComp/bin/Debug),
    another dir in that project (DPAPIComp/obj/Debug), and locally in the
    DPAPIService project dir (DPAPIService/bin/Debug). I have chosen to strong
    name this dll, and each instance of the dll mentioned here has the same
    version number. I am surprised there is no mention of adding this dll to
    the GAC. When I look, it is not there after building the DPAPIComp, and
    when I add it manually, it doesn't solve my problem of access denied.

    I have given machine/ASPNet account (running Windows XP Pro sp1) read &
    execute access to each copy of the dll.

    BTW I have each project of the howto in one big solution file.

    Can anyone help me get this running?

    Also, what is the best way to test the COM+ Application in isolation from the
    Windows service? Log in as the DPAPI user and run a Windows Forms
    application? When I try to start the COM+ Application as either me (local
    admin rights) or the local machine dpapi account it fails with "Catalog
    Error, You do not have permission to perform the requested action. If
    security is enabled on the System Application of the target computer make
    sure you are included in the appropriate roles". As per the instructions,
    the security level on this COM+ app is at the process level only, and "enforce
    access checks for this app" is ticked.



    Thanks
    Martin
    Martin, Sep 12, 2004
    #1

  2. Martin

    Martin Guest

    On attempting to create the DPAPIComp object I get the following System
    event log error:

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10002
    Date: 12/09/2004
    Time: 12:09:51
    User: DELL\ASPNET
    Computer: DELL
    Description:
    Access denied attempting to launch a DCOM Server. The server is:
    {<some guid>}
    The user is ASPNET/DELL, SID=<another guid>.

    I see from the help on this event message, I should have a registry value
    for HKCR\Clsid\clsid value\localserver32, but I don't.
    My HKCR\Clsid\clsid value\ entry has the sub entries Implemented Categories,
    InProcServer32, and ProgId. Can I follow the event log help, but use
    InProcServer32 instead of localserver32, or should I create a localserver32
    entry?

    Thanks
    Martin

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Martin, Sep 12, 2004
    #2

  3. Martin

    Martin Guest

    Looking further at the help for the event error, I don't seem to have a
    friendly name for DPAPIComp in Component Services\My Computer\DCOM Config.

    So I don't know how I could customise the DCOM security properties anyhow.
    I thought the idea was that the service application would have loaded the
    DPAPIComp serviced component (the service is running in Windows Services).


    Thanks
    Martin

    Martin, Sep 12, 2004
    #3
  4. Martin

    Martin Guest

    When I *disable* access checks for the DPAPI Helper Application, I get an
    error telling me it couldn't find DataProtection.dll.

    Reading Register Serviced Components from
    http://msdn.microsoft.com/library/en-us/secmod/html/secmod09.asp?frame=true
    I put both DataProtection.dll and DPAPIComp.dll in the GAC, re-registered
    DPAPIComp.dll with regsvcs, and re-installed the DPAPIService.exe service.
    Start the service and the DPAPIWeb runs successfully.

    However... when I set the DPAPIHelper COM+ app back to *enable* access
    checks, it *still* fails with a System event error 10002.

    NB The DPAPI Helper App (COM+ App) is configured to perform access checks at
    the process level only, so there aren't any COM+ roles to configure, I guess.

    Still appreciate any help on this.

    Thanks
    Martin
    Martin, Sep 14, 2004
    #4
  5. Martin

    Martin Guest

    Even adding local ASPNET to the local Administrators group does not let ASPNET
    launch a DCOM Server (error 10002 still occurs)!!!


    Martin, Sep 14, 2004
    #5
  6. If you do not have any roles set up then you will need to leave the
    security disabled at the Application level. By default on XP and
    Win2003 it is turned on. But I think when this document was written
    Windows 2000 was most likely the targeted platform and if I remember
    right the Application access checks were disabled by default. So maybe
    that explains the lack of mentioning this tidbit in the doc.
    Joseph E Shook [MVP - ADSI], Sep 17, 2004
    #6
  7. Martin

    Martin Guest

    Hi Joseph,

    Thanks for the response.

    I would like to have security at the application level if possible. What
    concerns me is I don't have any entry that looks useful to me under DCOM
    Config.

    Can you give me any pointers on that?

    Thanks
    Martin
    PS I can't see any steps involving the security tab of my COM+ App in the
    January 2004 version of this document.


    Martin, Sep 17, 2004
    #7
  8. You shouldn't need to do any configuration with DCOM Config. But you
    will have to create a role in the roles folder of the ES application.
    Then add the users or groups to this role.

    Look at the chapter called How To: Use Role-based Security with
    Enterprise Services in the same doc.
    Basically you will have to implement an interface to be able to see your
    component methods in ES and you will have to create roles.
    Another thing you will need to do is add a Marshaler Role with the
    everyone group in it. It is most convenient to just add the following
    line to your assemblyinfo:
    [assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]

    OK, after saying all of that, you could just use standard role-based
    security in your component. Look up Declarative and Imperative in the
    help files. But remember you can only use ES roles or .NET role-based
    security; no mixing of the two.

    I would be more specific but I have to revisit some of my work from last
    year to better tell this story. I hope this will help.



    Joseph E Shook [MVP - ADSI], Sep 17, 2004
    #8
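    As an added illustration of the configuration Joseph describes (this is not code from the how-to, from DPAPIComp, or from Joseph's post), the snippet below declares a serviced component with application-level access checks, the Marshaler role, and a caller role that is checked both declaratively and imperatively. The application name "DPAPI Helper", the role name "DataProtectionCallers" and the use of the framework's ProtectedData class (available from .NET 2.0) in place of the how-to's DataProtection.dll wrapper are assumptions.

    ```csharp
    using System;
    using System.EnterpriseServices;
    using System.Security.Cryptography;
    // Assumed COM+ application name (the thread calls it the "DPAPI Helper" app).
    [assembly: ApplicationName("DPAPI Helper")]
    [assembly: ApplicationActivation(ActivationOption.Server)]
    // Access checks at application AND component level: process-level checks
    // only gate launch/connect and never consult roles.
    [assembly: ApplicationAccessControl(true,
        AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
        Authentication = AuthenticationOption.Privacy,
        ImpersonationLevel = ImpersonationLevelOption.Identify)]
    // Marshaler role with Everyone, as in the answer above.
    [assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]
    // Constructed role: add the web process identity (e.g. ASPNET) to it in
    // Component Services after regsvcs has created the application.
    [assembly: SecurityRole("DataProtectionCallers", SetEveryoneAccess = false)]

    // Methods go through an interface so COM+ can apply role checks to them.
    public interface IDataProtectorComp
    {
        byte[] Encrypt(byte[] plaintext);
        byte[] Decrypt(byte[] ciphertext);
    }
    [ComponentAccessControl(true)]
    [SecurityRole("DataProtectionCallers", SetEveryoneAccess = false)]
    public class DataProtectorComp : ServicedComponent, IDataProtectorComp
    {
        // Imperative check on top of the declarative one: fail closed if access
        // checks were switched off, and name the refused caller in the exception.
        private static void RequireCaller()
        {
            if (!ContextUtil.IsSecurityEnabled)
                throw new UnauthorizedAccessException("COM+ access checks are disabled.");
            if (!ContextUtil.IsCallerInRole("DataProtectionCallers"))
            {
                string who = SecurityCallContext.CurrentCall.DirectCaller.AccountName;
                throw new UnauthorizedAccessException(who + " is not in DataProtectionCallers.");
            }
        }
        // Assumption: the framework's ProtectedData class stands in for the how-to's
        // DataProtection.dll wrapper. CurrentUser scope means the user store of the
        // account the COM+ application runs as (the "dpapi" account in the thread).
        public byte[] Encrypt(byte[] plaintext)
        {
            RequireCaller();
            return ProtectedData.Protect(plaintext, null, DataProtectionScope.CurrentUser);
        }
        public byte[] Decrypt(byte[] ciphertext)
        {
            RequireCaller();
            return ProtectedData.Unprotect(ciphertext, null, DataProtectionScope.CurrentUser);
        }
    }
    ```

    With access checks left at process level only (as the thread's configuration has them), neither the declarative nor the imperative role check ever runs, so a caller that is allowed to launch and connect to the server gets full use of the component.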
  9. Martin

    Martin Guest

    Thanks Joseph,

    I'll have another look.

    Martin

    Martin, Sep 22, 2004
    #9