Further DPAPI (user store) problems


Martin

Hi,

I am trying to get the How To: Use DPAPI (User Store) from ASP.NET with
Enterprise Services example working on my dev machine.

Many thanks to Nicole for solving the last problem I had with this.

I can now start the DPAPI service, and once I have re-registered the
DPAPIComp.dll, I don't get problems accessing the registry entry for its
ProgID.

However when I run the example web page to encrypt some data, I get access
denied on creating the DataProtectorComp object which is in DPAPIComp.

My DPAPIComp.dll exists in its own build directory, (DPAPIComp/bin/Debug)
another dir in that project (DPAPIComp/obj/Debug), and locally in the
DPAPIService project dir (DPAPIService/bin/Debug). I have chosen to strong
name this dll, and each instance of the dll mentioned here has the same
version number. I am surprised there is no mention of adding this dll to
the GAC. When I look, it is not there after building the DPAPIComp, and
when I add it manually, it doesn't solve my problem of access denied.

I have given machine/ASPNet account (running Windows XP Pro sp1) read &
execute access to each copy of the dll.

BTW I have each project of the howto in one big solution file.

Can anyone help me get this running?

Also what is the best way to test the COM+ Application in isolation of the
windows service? Login as the DPAPI user and run a windows form
application? When I try to start the COM+ Application as either me (local
admin rights) or the local machine dpapi account it fails with "Catalog
Error, You do not have permission to perform the requested action. If
security is enabled on the System Application of the target computer make
sure you are included in the appropriate roles". As per the instructions,
security level on this COM+ app is at the process level only, and "enforce
access checks for this app" is ticked.



Thanks
Martin
 

Martin

On attempting to create the DPAPIComp object I get the following System
event log error:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10002
Date: 12/09/2004
Time: 12:09:51
User: DELL\ASPNET
Computer: DELL
Description:
Access denied attempting to launch a DCOM Server. The server is:
{<some guid>}
The user is ASPNET/DELL, SID=<another guid>.

I see from the help on this event message, I should have a registry value
for HKCR\Clsid\clsid value\localserver32, but I don't.
My HKCR\Clsid\clsid value\ entry has the sub entries Implemented Categories,
InProcServer32, and ProgId. Can I follow the event log help, but use
InProcServer32 instead of localserver32, or should I create a localserver32
entry?

Thanks
Martin

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 

Martin

Looking further at the help for the event error, I don't seem to have a
friendly name for DPAPIComp in Component Services\My Computer\DCOM Config.

So I don't know how I could customise the DCOM security properties anyhow.
I thought the idea was that the service application would have loaded the
DPAPIComp serviced component (the service is running in Windows Services)


Thanks
Martin
 

Martin

When I *disable* access checks for the DPAPI Helper Application, I got an
error telling me it couldn't find DataProtection.dll.

Reading Register Serviced Components from
http://msdn.microsoft.com/library/en-us/secmod/html/secmod09.asp?frame=true
I put both DataProtection.dll and DPAPIComp.dll in the gac, re-registered
DPAPIComp.dll with regsvcs, and re-installed the DPAPIService.exe service.
Start the service and the DPAPIWeb runs successfully.

However... when I set the DPAPIHelper COM+ app back to *enable* access
checks, it *still* fails with a system event error 10002.

NB The DPAPI Help App (COM+ App) is configured to perform access checks at
the process level only, so there aren't any COM+ roles to configure I guess.

Still appreciate any help on this.

Thanks
Martin
 

Martin

Even adding local ASPNET to local Administrators group does not let ASPNET
launch a DCOM Server (error 10002 still occurs)!!!
 

Joseph E Shook [MVP - ADSI]

If you do not have any roles set up then you will need to leave the
security disabled at the Application level. By default on XP and
Win2003 it is turned on. But I think when this document was written
Windows 2000 was most likely the targeted platform and if I remember
right the Application access checks were disabled by default. So maybe
that explains the lack of mentioning this tidbit in the doc.
 

Martin

Hi Joseph,

Thanks for the response.

I would like to have security at the application level if possible. What
concerns me is I don't have any entry that looks useful to me under DCOM
Config.

Can you give me any pointers on that?

Thanks
Martin
PS I can't see any steps involving the security tab of my COM+ App in the
January 2004 version of this document.
 

Joseph E Shook [MVP - ADSI]

You shouldn't need to do any configuration with DCOM Config. But you
will have to create a role in the roles folder of the ES application.
Then add the users or groups to this role.

Look at the chapter called How To: Use Role-based Security with
Enterprise Services in the same doc.
Basically you will have to implement an interface to be able to see your
component methods in ES and you will have to create roles.
Another thing you will need to do is add a Marshaler Role with the
everyone group in it. It is most convenient to just add the following
line to your assemblyinfo:
[assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]

Ok, after saying all of that you could just use standard role based
security in your component. Look up Declarative and Imperative in the
help files. But remember you can only use ES roles or .NET role based
security; no mixing of the two.

I would be more specific but I have to revisit some of my work from last
year to better tell this story. I hope this will help.
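The role setup Joseph describes, as an added C# illustration (not code from the thread or from the MSDN how-to): access checks stay enabled at application and component level, a Marshaler role with Everyone is declared in the assembly, and only members of a named role may call the component. The application name, the "DPAPI Users" role, the IDataProtector interface and the DataProtection helper call are assumptions for this example.

```csharp
// Added example: declarative COM+ roles for a serviced component, so that
// "enforce access checks" can stay on instead of being disabled.
// Assumed names: "DPAPI Helper" application, "DPAPI Users" role, IDataProtector.
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;

// Out-of-process (server) activation: the component runs under the COM+
// application identity, which is the whole point of the user-store design.
[assembly: ApplicationName("DPAPI Helper")]
[assembly: ApplicationActivation(ActivationOption.Server)]

// Enforce access checks for the application AND its components; callers must
// be in a role both to launch/create and to invoke methods.
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Packet)]

// Marshaler role containing Everyone, so the runtime can hand the component
// reference back to the caller (the "tidbit" Joseph mentions).
[assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]

namespace DPAPIComp
{
    // A COM-visible interface makes the methods, not only the class, visible in
    // Component Services, so roles can be assigned per interface or method.
    public interface IDataProtector
    {
        byte[] Encrypt(byte[] plainText);
    }

    [ClassInterface(ClassInterfaceType.None)]
    [ComponentAccessControl(true)]
    [SecurityRole("DPAPI Users")] // the ASPNET account (or its group) goes here
    public class DataProtectorComp : ServicedComponent, IDataProtector
    {
        public byte[] Encrypt(byte[] plainText)
        {
            // Imperative check on top of the declarative role, so a
            // misconfigured catalog (access checks off) fails closed.
            if (!ContextUtil.IsSecurityEnabled ||
                !ContextUtil.IsCallerInRole("DPAPI Users"))
            {
                throw new UnauthorizedAccessException(
                    "Caller is not in the DPAPI Users role.");
            }
            // Assumed helper from DataProtection.dll (signature not confirmed).
            return DataProtection.DataProtector.Encrypt(plainText);
        }
    }
}
```

After regsvcs registers the assembly, the roles appear under the application's Roles folder in Component Services; the members still have to be added there (or via the COM+ admin API).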
 

Martin

Thanks Joseph,

I'll have another look.

Martin

 
