Further DPAPI (user store) problems

  #1  Further DPAPI (user store) problems

    Hi,

    I am trying to get the How To: Use DPAPI (User Store) from ASP.NET with
    Enterprise Services example working on my dev machine.

    Many thanks to Nicole for solving the last problem I had with this.

    I can now start the DPAPI service, and once I have re-registered the
    DPAPIComp.dll, I don't get problems accessing the registry entry for its
    ProgID.

    However when I run the example web page to encrypt some data, I get access
    denied on creating the DataProtectorComp object which is in DPAPIComp.

    My DPAPIComp.dll exists in its own build directory (DPAPIComp/bin/Debug),
    another dir in that project (DPAPIComp/obj/Debug), and locally in the
    DPAPIService project dir (DPAPIService/bin/Debug). I have chosen to strong
    name this dll, and each instance of the dll mentioned here has the same
    version number. I am surprised there is no mention of adding this dll to
    the GAC. When I look, it is not there after building the DPAPIComp, and
    when I add it manually, it doesn't solve my problem of access denied.

    I have given machine/ASPNet account (running Windows XP Pro sp1) read &
    execute access to each copy of the dll.

    BTW I have each project of the howto in one big solution file.

    Can anyone help me get this running?

    Also what is the best way to test the COM+ Application in isolation of the
    windows service? Log in as the DPAPI user and run a windows form
    application? When I try to start the COM+ Application as either me (local
    admin rights) or the local machine dpapi account it fails with "Catalog
    Error, You do not have permission to perform the requested action. If
    security is enabled on the System Application of the target computer make
    sure you are included in the appropriate roles". As per the instructions,
    security level on this COM+ app is at the process level only, and "enforce
    access checks for this app" is ticked.



    Thanks
    Martin

    Martin Guest

  #2  Re: Further DPAPI (user store) problems

    On attempting to create the DPAPIComp object I get the following System
    event log error:

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10002
    Date: 12/09/2004
    Time: 12:09:51
    User: DELL\ASPNET
    Computer: DELL
    Description:
    Access denied attempting to launch a DCOM Server. The server is:
    {<some guid>}
    The user is ASPNET/DELL, SID=<another guid>.

    I see from the help on this event message, I should have a registry value
    for HKCR\Clsid\clsid value\localserver32, but I don't.
    My HKCR\Clsid\clsid value\ entry has the sub entries Implemented Categories,
    InProcServer32, and ProgId. Can I follow the event log help, but use
    InProcServer32 instead of localserver32, or should I create a localserver32
    entry?

    Thanks
    Martin

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp


    Martin Guest

  #3  Re: Further DPAPI (user store) problems

    Looking further at the help for the event error, I don't seem to have a
    friendly name for DPAPIComp in Component Services\My Computer\DCOM Config.

    So I don't know how I could customise the DCOM security properties anyhow.
    I thought the idea was that the service application would have loaded the
    DPAPIComp serviced component (the service is running in Windows Services).


    Thanks
    Martin


    Martin Guest

  #4  Re: Further DPAPI (user store) problems

    I installed the dlls on another xp pro machine (this time with sp2
    installed).

    It fails at the same point, running my web app creating the object:

        private void btnEncrypt_Click(object sender, System.EventArgs e)
        {
            DataProtectorComp dp = new DataProtectorComp();

    This time the event log message is
    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10016
    Date: 13/09/2004
    Time: 12:19:52
    User: BLAH08\ASPNET
    Computer: BLAH08
    Description:
    The application-specific permission settings do not grant Local Activation
    permission for the COM Server application with CLSID
    {B260D933-05AA-3D74-BC26-C29C52C95F6C}
    to the user BLAH08\ASPNET SID
    (S-1-5-21-2409822955-685331194-164014053-1011). This security permission
    can be modified using the Component Services administrative tool.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp

    There doesn't seem to be any help in the support center for this error.

    I don't know if this is a step forward or a step back compared to my main
    dev machine.

    ???

    Martin


    Martin Guest

  #5  Re: Further DPAPI (user store) problems

    Removing sp2 makes the 10016 event error go away, leaving me with the 10002
    error.

    Martin



    Martin Guest

  #6  Re: Further DPAPI (user store) problems

    When I *disable* access checks for the DPAPI Helper Application, I got an
    error telling me it couldn't find DataProtection.dll.

    Reading Register Serviced Components from
    http://msdn.microsoft.com/library/en-us/secmod/html/secmod09.asp?frame=true
    I put both DataProtection.dll and DPAPIComp.dll in the gac, re-registered
    DPAPIComp.dll with regsvcs, and re-installed the DPAPIService.exe service.
    Start the service and the DPAPIWeb runs successfully.

    However..... when I set the DPAPIHelper COM+ app back to *enable* access
    checks, it *still* fails with an system event error 10002.

    NB The DPAPI Helper App (COM+ App) is configured to perform access checks at
    the process level only, so there aren't any COM+ roles to configure I guess.

    Still appreciate any help on this.

    Thanks
    Martin


    Martin Guest

  #7  Re: Further DPAPI (user store) problems

    Even adding local ASPNET to the local Administrators group does not let ASPNET
    launch a DCOM Server (error 10002 still occurs)!!!



    Martin Guest

  #8  Re: Further DPAPI (user store) problems

    If you do not have any roles set up then you will need to leave the
    security disabled at the Application level. By default on XP and
    Win2003 it is turned on. But I think when this document was written
    Windows 2000 was most likely the targeted platform and if I remember
    right the Application access checks were disabled by default. So maybe
    that explains the lack of mentioning this tidbit in the doc.

    Joseph E Shook [MVP - ADSI] Guest

  #9  Re: Further DPAPI (user store) problems

    Hi Joseph,

    Thanks for the response.

    I would like to have security at the application level if possible. What
    concerns me is I don't have any entry that looks useful to me under DCOM
    Config.

    Can you give me any pointers on that?

    Thanks
    Martin
    PS I can't see any steps involving the security tab of my COM+ App in the
    January 2004 version of this document.



    Martin Guest

  #10  Re: Further DPAPI (user store) problems

    You shouldn't need to do any configuration with DCOM Config. But you
    will have to create a role in the roles folder of the ES application.
    Then add the users or groups to this role.

    Look at the chapter called How To: Use Role-based Security with
    Enterprise Services in the same doc.
    Basically you will have to implement an interface to be able to see your
    component methods in ES and you will have to create roles.
    Another thing you will need to do is add a Marshaler Role with the
    everyone group in it. It is most convenient to just add the following
    line to your assemblyinfo:
    [assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]

    Ok, after saying all of that you could just use standard role based
    security in your component. Look up Declarative and Imperative in the
    help files. But remember you can only use ES roles or .NET role based
    security; no mixing of the two.

    I would be more specific but I have to revisit some of my work from last
    year to better tell this story. I hope this will help.



    Joseph E Shook [MVP - ADSI] Guest
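Joseph's advice above, put together in one serviced component, as an added example. This is not code from the original thread, from the MSDN how-to, or from the DPAPIComp project; the application name "DPAPI Helper", the role name "DPAPI Clients", and the use of System.Security.Cryptography.ProtectedData (.NET Framework 2.0+) in place of the how-to's DataProtection.dll P/Invoke wrapper are assumptions made here. The assembly attributes are what regsvcs writes into the COM+ catalog, so "enforce access checks", the check level, and the roles all come from the code rather than from hand-editing Component Services; the Marshaler role with Everyone is the line Joseph quotes.

```csharp
// Added example, not from the original thread or the how-to. Build against
// .NET Framework (System.EnterpriseServices.dll, System.Security.dll), strong
// name it, then register with:  regsvcs DPAPIComp.dll
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

// COM+ catalog settings written when regsvcs registers the assembly.
[assembly: ApplicationName("DPAPI Helper")]                  // assumed name
[assembly: ApplicationActivation(ActivationOption.Server)]   // out of process (dllhost.exe)
[assembly: ApplicationAccessControl(
    true,                                                     // "Enforce access checks for this application"
    // Roles are only evaluated when checks run at the component level; with
    // Application (process) level alone there is nothing for a role to guard.
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,            // authenticate and encrypt each call
    ImpersonationLevel = ImpersonationLevelOption.Identify)]
// System.EnterpriseServices needs every caller to reach its own plumbing
// interfaces, so a Marshaler role open to Everyone is required once
// component-level checks are on (Joseph's line).
[assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]
// Members of this role may activate and call the component. Add the web
// worker account (ASPNET on XP) to it in Component Services after regsvcs.
[assembly: SecurityRole("DPAPI Clients")]                    // assumed role name

namespace DPAPIComp
{
    // Methods are exposed through an interface so COM+ lists them in the
    // catalog and can apply interface- or method-level roles if wanted.
    public interface IDataProtectorComp
    {
        string Encrypt(string plainText);
        string Decrypt(string base64CipherText);
    }

    [ComponentAccessControl(true)]      // evaluate roles for this component
    [SecurityRole("DPAPI Clients")]     // declarative: only this role may use it
    [ClassInterface(ClassInterfaceType.None)]
    public class DataProtectorComp : ServicedComponent, IDataProtectorComp
    {
        private const string ClientRole = "DPAPI Clients";

        public string Encrypt(string plainText)
        {
            DemandRole();
            // Stand-in for the how-to's DataProtection.dll wrapper: ProtectedData
            // calls CryptProtectData. CurrentUser scope is the DPAPI user store,
            // keyed to the COM+ application's identity, which is why the how-to
            // runs the hosting service under a dedicated account.
            byte[] cipher = ProtectedData.Protect(
                Encoding.UTF8.GetBytes(plainText), null, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(cipher);
        }

        public string Decrypt(string base64CipherText)
        {
            DemandRole();
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(base64CipherText), null, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }

        // Imperative check that fails closed. If someone has switched the
        // application's access checks off to make the error go away, refuse to
        // hand out DPAPI operations rather than silently serving any caller.
        private static void DemandRole()
        {
            if (!ContextUtil.IsSecurityEnabled)
                throw new UnauthorizedAccessException(
                    "COM+ access checks are disabled for this application; refusing to run.");

            if (!ContextUtil.IsCallerInRole(ClientRole))
                throw new UnauthorizedAccessException(
                    "Caller " + SecurityCallContext.CurrentCall.DirectCaller.AccountName +
                    " is not in role '" + ClientRole + "'.");
        }
    }
}
```

Two things to check after registering: in Component Services the application's Security tab should show access checks enforced at the process and component level, with both roles present and the worker account a member of "DPAPI Clients"; and the component's identity must have a loadable user profile, because the user-store keys live in that profile and CurrentUser scope fails without it. The imperative check duplicates the declarative role on purpose; it is there so that the component refuses to work when checks are disabled, which is the state the thread falls back to when the declarative configuration is wrong.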

  #11  Re: Further DPAPI (user store) problems

    Thanks Joseph,

    I'll have another look.

    Martin


    Martin Guest
