Error Code 80070569 configuring Windows DCOM Identity with domain user

I have a COM application instantiated by a local Windows service with which I would like to gain access to a network share. To achieve this, I simply attempted to configure my COM server to run as a domain user with access to that share: I go to the 'dcomcnfg' console, locate my server under Console Root\Component Services\DCOM Config, right-click to 'Properties', go to the 'Identity' tab and specify the domain user for the "This user" option. When I do this on my own company network, it works beautifully. However, when a user tries it on their network, they get:
"Catalog Error
An error occurred while processing the last operation on the remote computer 'DOMAIN'.
Error code 80070569 - Logon failure: the user has not been granted the requested logon type at this computer."
where 'DOMAIN' is the name of the customer's domain. I'm presuming then that this is a problem with their domain policies, but network administration is not my area of expertise. Anybody have some idea what the problem might be so I can have a clue when I talk to their IT? Also, if anybody has an alternative approach, I'm open to suggestions. Thanks.

Related

Create a Windows user for an IIS site and nothing else

I'd like to add basic authentication to a website in IIS, https only. For this I need to create a Windows user. It is important that this user can access nothing other than this website. So I need to add him to Deny log on locally & Deny log on through Remote Desktop Services in Local Computer Policy.
However I cannot add him to Deny access to this computer from the network or he can't access the website. Microsoft says about this permission:
Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources.
Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
What can I do to create a user that I can be 100% sure can only access this website and absolutely nothing else?
To address your concern about the "Deny access to this computer from the network" policy, that shouldn't prohibit the account from being used to authenticate with the website, since "access from the network" doesn't include the HTTP/S protocol and WWW service. Therefore, you can add the basic auth user account to the "deny access" policy as desired.
Sources...
https://www.itprotoday.com/compute-engines/understanding-access-computer-network-user-right
"Despite the broad-sounding name, the 'Access this computer from the network' user right applies only to the Server service and the resources it provides. The Server service primarily provides remote access to files and printers but also provides remote access to the resources you see in the Microsoft Management Console (MMC) Computer Management snap-in, including event logs, shared folders, local users and groups, logical disk management, and applications that use named pipes. However the Access this computer from the network user right has no effect on services such as World Wide Web Publishing, Telnet, and Terminal Services. To control access to these services, you must implement security settings specific to each service as necessary."
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network
"The Access this computer from the network policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+)."
Hope this helps.
Maybe you should use another account type. User account type should only be used for real humans (and for buggy applications).
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/service-accounts
https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
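Both the DCOM question at the top of the page (error 80070569, "the user has not been granted the requested logon type at this computer") and this IIS question come down to the same control: the logon-type user rights assigned on the machine. The following Python example is added here and is not code from either post. It decodes the HRESULT and then reads the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export to report, per logon type, whether an account is granted, denied, or simply not granted that logon. It assumes that the logon type a DCOM "This user" identity needs is batch logon ("Log on as a batch job"); the export text, the domain SIDs and the two token contents are constructed for the demo.

```python
"""Audit which logon types an account is granted or denied on a Windows host.

Added example, not code from either question. Real input comes from
    secedit /export /cfg rights.inf /areas USER_RIGHTS
run on the affected machine; the export text and SIDs below are constructed
for the demo (S-1-5-21-1000-2000-3000-* is a made-up domain).
"""

FACILITY_WIN32 = 7
ERROR_LOGON_TYPE_NOT_GRANTED = 1385  # Win32 code carried by HRESULT 0x80070569

# Logon type -> (user right that allows it, user right that denies it).
LOGON_RIGHTS = {
    "interactive":        ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "network":            ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "batch":              ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    "service":            ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}


def hresult_to_win32(hresult):
    """Return the Win32 error code inside a FACILITY_WIN32 HRESULT, else None."""
    if hresult & 0x80000000 == 0 or ((hresult >> 16) & 0x7FF) != FACILITY_WIN32:
        return None
    return hresult & 0xFFFF


def parse_privilege_rights(inf_text):
    """Parse the [Privilege Rights] section of a secedit export into {right: {sid, ...}}.

    secedit writes each assignee as *S-1-5-...; the leading asterisk is stripped.
    """
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {tok.strip().lstrip("*")
                                for tok in value.split(",") if tok.strip()}
    return rights


def logon_types_for(rights, token_sids):
    """Classify each logon type as 'denied', 'granted' or 'not granted' for a token.

    token_sids must hold the account SID plus every group SID in its token,
    because rights are normally assigned to groups. A matching Deny right wins
    over any Allow right, as it does in Windows.
    """
    token = set(token_sids)
    verdict = {}
    for logon, (allow, deny) in LOGON_RIGHTS.items():
        if rights.get(deny, set()) & token:
            verdict[logon] = "denied"
        elif rights.get(allow, set()) & token:
            verdict[logon] = "granted"
        else:
            verdict[logon] = "not granted"
    return verdict


# Constructed secedit export: the well-known SIDs are real, the domain SIDs are made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-559
SeServiceLogonRight = *S-1-5-80-0
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyBatchLogonRight = *S-1-5-21-1000-2000-3000-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1201
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1201
SeDenyNetworkLogonRight = *S-1-5-21-1000-2000-3000-1201
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Hypothetical DCOM identity account: a domain user, so its token also carries
# Domain Users (RID 513), BUILTIN\Users (S-1-5-32-545) and Authenticated Users (S-1-5-11).
DCOM_IDENTITY_TOKEN = {"S-1-5-21-1000-2000-3000-1105", "S-1-5-21-1000-2000-3000-513",
                       "S-1-5-32-545", "S-1-5-11"}
# Hypothetical basic-auth user for the IIS site, a member of Users only.
BASIC_AUTH_TOKEN = {"S-1-5-21-1000-2000-3000-1201", "S-1-5-32-545"}


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_EXPORT)
    print("0x80070569 ->", hresult_to_win32(0x80070569))
    print("DCOM identity:", logon_types_for(rights, DCOM_IDENTITY_TOKEN))
    print("basic-auth user:", logon_types_for(rights, BASIC_AUTH_TOKEN))
```

In the constructed export the DCOM identity account is explicitly denied batch logon, which is the shape of policy that produces the 80070569 error even though `dcomcnfg` normally grants the batch right itself; the basic-auth user ends up denied interactive, remote interactive and network logon and never granted batch or service logon, which is the state the IIS question wants to verify.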

Crystal Reports not working with ApplicationPoolIdentity

I'm facing an issue currently where Crystal Reports are only working with "Local Service" or "Network Service" identities in the Application Pool. If I switch to a "Custom Account" or ApplicationPoolIdentity, reports won't work and I'm getting a "No printers are installed" exception. The same thing works perfectly when I switch the application pool identity to NetworkService or LocalService.
I need to use a custom account for each of my sites on the server somehow. Can you please help me resolve this issue?
I created a custom account and added it to the following user groups (lusrmgr.msc):
Administrator
Network Configuration Operators
IIS_IUSRS
The only thing I was missing was that I forgot to log in using this newly created account before assigning it to the application pool identity (custom account). Once I logged in, it was working fine and I didn't receive the 'No printers are installed' error anymore.
BTW, the reason I did all this was to resolve a desktop heap memory issue, which was probably caused by using the 'Network Service' account for all my IIS websites, which are around 20 on our server. There was a suggestion to use individual accounts for each of my websites and Crystal was stopping that.

Network access to windows service

I have a problem creating a service that has access to files on a network disk.
The service must have admin rights and it will be run by users that don't have admin privileges.
I send the path as a UNC path
and the file is seen by the service, but it returns ACCESS_DENIED errors when trying to open or do anything on the network drive.
When I run my service as a server, everything works fine.
I tried to find an answer, but everywhere I can find only partial answers that do not help me at all.
========
I read that a standard service logged on as SYSTEM can't have access to the network.
So I tried to log it in as
NetworkService, LocalService
It didn't work. After running it as one of those users my service can't save files on c:
Some kind of admin account. But I didn't manage to succeed with that.
The actually logged-on user.
I don't know how to get the password for the current user.
Still, this will not work for a user without admin rights.
========
Please tell me what can I do?
There are plenty of services that somehow use network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked by the firewall; I had to add an inbound rule and specify the port which I was using in my application. This way the firewall did not block my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm

Device Driver access permissions for domain users in Windows 7

I'm writing a Windows device driver for a custom USB device, but am having trouble opening the device from my user program (using CreateFile) when the user program is run as a domain user. If I run as a local user, or as an administrator (or 'Run As' administrator) I can open the driver fine, but as a domain user GetLastError returns 5 (access denied).
I originally had this problem with local users too, and found I had to add the following SDDL entry to the .inf file, which solved the problem for local users:
HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;BU)"
From this reference:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff563667(v=vs.85).aspx
When I discovered that domain users did not have access I thought that simply adding them to this SDDL entry would give them access, but it doesn't seem to work: I still get access denied. I've even tried extreme solutions such as giving all users (Everyone (WD), unauthenticated users, etc.) full access, but this doesn't work either, which makes me think the problem lies elsewhere; i.e. something else is denying domain users access which takes precedence over the permit in the SDDL entry in the driver inf.
So my question is, what am I missing that is required to give domain users (or all users) access to connect to the driver? Or are there any other solutions to this problem (such as connecting to the driver as a service and then accessing this service from the user program)?
HKR,,Security,,"D:P(A;;GA;;;WD)"
This sets it so everyone can access it; try it!
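To make the two SDDL strings in this question readable, and to check who each one actually grants access to, here is an added Python example (not code from the question, the answer, or the MSDN page). It pulls the SDDL value out of the INF `HKR,,Security` line, decodes the DACL (`D:`, the `P` flag, and each `(type;flags;rights;;;sid)` ACE), and runs a simplified AccessCheck. Assumptions: a token is represented by SDDL aliases rather than real SIDs, the constructed domain-user token carries `BU` because Domain Users is nested in BUILTIN\Users by default on a domain-joined machine, and the check ignores inheritance, SACLs and object ACEs that the real Windows algorithm also handles.

```python
"""Decode and evaluate the SDDL string from a driver INF 'Security' entry.

Added example, not code from the question. Tokens here are sets of SDDL
aliases (constructed), and access_check is a simplified AccessCheck.
"""
import re

# Real SDDL SID aliases: the ones used in the question plus a few common ones.
SID_ALIASES = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "WD": "Everyone",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "AN": "NT AUTHORITY\\ANONYMOUS LOGON",
    "DU": "<domain>\\Domain Users",
}

# Generic access bits from winnt.h.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
RIGHT_TOKENS = {"GR": GENERIC_READ, "GW": GENERIC_WRITE,
                "GX": GENERIC_EXECUTE, "GA": GENERIC_ALL}

# One ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")


def sddl_from_inf_line(line):
    """Pull the quoted SDDL value out of an INF line such as HKR,,Security,,"D:P(...)"."""
    m = re.search(r'"([^"]*)"', line)
    if not m:
        raise ValueError("no quoted SDDL value on INF line")
    return m.group(1)


def parse_rights(text):
    """Turn an SDDL rights field (two-letter generic tokens or a hex mask) into an access mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        if len(text) % 2:
            raise ValueError("rights field is not made of two-letter tokens: " + text)
        mask = 0
        for i in range(0, len(text), 2):
            tok = text[i:i + 2]
            if tok not in RIGHT_TOKENS:
                raise ValueError("unsupported rights token " + tok)
            mask |= RIGHT_TOKENS[tok]
    if mask & GENERIC_ALL:  # GENERIC_ALL covers the other three generic rights
        mask |= GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE
    return mask


def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) for the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL component in SDDL string")
    aces = [{"type": t, "flags": f, "rights": parse_rights(r), "sid": s}
            for t, f, r, _obj, _inh, s in ACE_RE.findall(m.group(2))]
    return m.group(1), aces


def describe(sddl):
    """Human-readable lines for the DACL flags and each ACE, for reviewing an INF."""
    flags, aces = parse_dacl(sddl)
    note = "  [P = protected: no ACEs inherited from the parent]" if "P" in flags else ""
    lines = ["DACL flags: " + (flags or "(none)") + note]
    for ace in aces:
        kind = {"A": "Allow", "D": "Deny"}.get(ace["type"], ace["type"])
        who = SID_ALIASES.get(ace["sid"], ace["sid"])
        lines.append("%s 0x%08X to %s" % (kind, ace["rights"], who))
    return lines


def access_check(sddl, token_sids, desired):
    """Simplified AccessCheck: walk ACEs in order; a Deny that hits a still-wanted
    bit fails the check, Allow ACEs accumulate until every desired bit is granted.
    An empty DACL (D: with no ACEs) grants nothing, as it does on Windows."""
    _, aces = parse_dacl(sddl)
    remaining = desired
    for ace in aces:
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == "D" and ace["rights"] & remaining:
            return False
        if ace["type"] == "A":
            remaining &= ~ace["rights"]
            if remaining == 0:
                return True
    return remaining == 0


# The two INF lines from the question.
INF_LINE = 'HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;BU)"'
EVERYONE_LINE = 'HKR,,Security,,"D:P(A;;GA;;;WD)"'
# Constructed tokens. A domain user on a domain-joined machine normally carries
# Everyone, Authenticated Users, Domain Users and, through default nesting, BUILTIN\Users.
DOMAIN_USER = {"WD", "AU", "DU", "BU"}
ANONYMOUS = {"AN"}  # Everyone does not include anonymous logons by default

if __name__ == "__main__":
    sddl = sddl_from_inf_line(INF_LINE)
    print("\n".join(describe(sddl)))
    print("domain user read+write:", access_check(sddl, DOMAIN_USER, GENERIC_READ | GENERIC_WRITE))
    print("domain user full access:", access_check(sddl, DOMAIN_USER, GENERIC_ALL))
```

Under this model the original string already grants a domain user read and write through the `BU` entry, and the `WD` string grants everyone full access, so a request that opens the device for more than read/write (or a token that does not carry `BU`) is the kind of mismatch this check surfaces; when the check passes in the model but the real open still fails, the cause lies outside the ACE list, which is the asker's own suspicion.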

Programmatically discovering "guest only" sharing/security model

On modern Windows, the default configuration is such that if I network-login as a local user, I actually only get authenticated as a guest (more details about this behavior are explained in http://technet.microsoft.com/en-us/library/cc786449(WS.10).aspx)
When my program tries to access WMI on this kind of server via DCOM, I simply get an "Access Denied" error, presumably because a guest user isn't allowed to connect to WMI.
I'd like to differentiate this error from other kinds of access denied errors, such as a wrong password or non-existent user name, so that I can explain to the user what they need to fix the problem.
So my question is, what can I do to detect such a server. I'm thinking that if there's some COM components that can be activated by a guest, that would do --- I can try to activate such a component, and if that works, I know that my login credential was correct. But I can't think of any such concrete component.
Does anyone know such a component? Or any other ways of diagnosing this situation?
No, I cannot recall that there is a DCOM server that can be accessed by a guest. Wouldn't that be unsafe?
If you have time, you can check all security settings of DCOM servers using dcomcnfg. Maybe there is a guest. But I don't think so.
On the other side, you cannot see the reason behind AccessDenied on the client side because that would make the server more vulnerable. If an attacker could distinguish between different kinds of access denied errors, he probably would be able to adapt his actions accordingly.
But if you have access to the server, you can activate DCOM logging (see http://support.microsoft.com/?scid=kb%3Ben-us%3B892500&x=18&y=11)
As a solution, I suggest that you write up such and similar problems and how they happen in a FAQ/Readme/Webpage. People tend to search the web rather than read a message box.
