DCOM Interface Call fails with Kerberos

TRoll 0 Reputation points
2024-05-02T16:34:09.79+00:00

We are trying to move one of our current DCOM applications that impersonates a client from NTLM over to Kerberos, so I tried to get a minimal example running.

I initialize the server and client as follows:

CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_MUTUAL_AUTH, NULL);

Then I create the remote server from the client via:

COSERVERINFO serverInfo;
ZeroMemory(&serverInfo, sizeof(COSERVERINFO));

COAUTHINFO athn;
ZeroMemory(&athn, sizeof(COAUTHINFO));

athn.dwAuthnLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY;
athn.dwAuthnSvc = RPC_C_AUTHN_GSS_KERBEROS;
athn.dwAuthzSvc = RPC_C_AUTHZ_DEFAULT;
athn.dwCapabilities = EOAC_MUTUAL_AUTH;
athn.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
athn.pAuthIdentityData = NULL;
athn.pwszServerPrincName = L"HOST/<FQDN>";

serverInfo.pwszName = L"<FQDN>";
serverInfo.pAuthInfo = &athn;
serverInfo.dwReserved1 = 0;
serverInfo.dwReserved2 = 0;

MULTI_QI qi = {&IID_ITestKerbAuth, NULL, S_OK};

HRESULT hr = CoCreateInstanceEx(CLSID_TestKerbAuth, NULL, CLSCTX_REMOTE_SERVER, &serverInfo, 1, &qi);

After that I try to call the interface:

if (SUCCEEDED(qi.hr)) {
    ITestKerbAuth* pMyInterface = reinterpret_cast<ITestKerbAuth*>(qi.pItf);
    hr = pMyInterface->TestCall();
    pMyInterface->Release();
}

If I configure the application identity via dcomcnfg with a system account, a specific user account or the interactive user, everything works fine. But if I set the application identity to Launching User, I get:

Error: 80070721 A security package specific error occurred.

The initial logon to start the server still succeeds, but all following calls to the interface fail with the above-mentioned error. If I don't disable NTLM, DCOM is able to fall back to NTLMv2 to call the interface.

I already tried setting a service-specific SPN, enabled all the logging for Kerberos, enabled logon auditing, tried calling with administrator privileges, but still have no clue what exactly is wrong.

Can anyone provide any input on how to debug or troubleshoot this issue?

Thanks!
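As an added troubleshooting aid (not part of the original post and not Microsoft's own code), the script below gathers the evidence needed to separate a KDC/SPN problem from a server-side acceptance problem for the scenario above: it checks that the HOST/<FQDN> SPN named in the COAUTHINFO is registered, that the client can obtain a ticket for it, and which authentication package (Kerberos or NTLM) the server actually recorded for the launching user's network logons. The FQDN and account name are placeholders; steps 1-2 run on the client, steps 3-4 on the DCOM server.

```powershell
# Added diagnostic for the DCOM "Launching User" Kerberos failure; not from the original post.
param(
    [string]$ServerFqdn    = 'server01.example.local',   # placeholder: the server named in COSERVERINFO
    [string]$LaunchingUser = 'EXAMPLE\jdoe'              # placeholder: the client account launching the server
)

# 1. CLIENT: is the SPN used in COAUTHINFO.pwszServerPrincName registered, and on which account?
#    HOST/<fqdn> normally resolves to the server's computer account.
setspn -Q "HOST/$ServerFqdn"

# 2. CLIENT: can the logged-on user obtain a service ticket for that SPN?
#    Success here means the KDC side is fine; failure points at SPN/KDC, not at DCOM.
klist get "HOST/$ServerFqdn"

# 3. SERVER: which package carried the launching user's logons around the failing call?
#    LogonType 3 (network) is what a 'Launching User' server runs under; AuthPackage 'NTLM'
#    here means the Kerberos leg was never accepted by the server process.
$since = (Get-Date).AddMinutes(-15)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            AuthPackage = $d.AuthenticationPackageName
            Process     = $d.ProcessName
        }
    } |
    Where-Object { $_.User -ieq $LaunchingUser } |
    Format-Table -AutoSize

# 4. SERVER: failed logons for the same window; Status/SubStatus in the message narrow down
#    what the security package rejected when the interface call was authenticated.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    Select-Object TimeCreated, Message | Format-List
```

Run step 3 once with the identity set to a specific user account (the working case) and once with Launching User, and compare the AuthPackage column for the same client call.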
