Troubleshooting an Access Denied error when launching a remote COM+ application as an Anonymous user
A customer has set up a COM+ application server in a Win2K3 domain environment, and the client is a workgroup machine.
To make this scenario work, we followed the steps for allowing Anonymous calls to a remote COM+ application described earlier (How to call COM+ remotely with anonymous user), but the client still receives an Access Denied error.
A Network Monitor trace shows the Access Denied error (status=0x5) being returned from the server side:
The customer has many clients using this COM+ application from other locations and cannot join all of them to this domain.
As a quick test, we followed these steps:
1. Created the same user name and password on both machines, and changed the COM+ application identity from "Interactive User" to this test user account.
2. On the COM+ application server, enabled security logging: go to Local Security Policy -> Local Policies -> Audit Policy and enable failure audits for the "Audit account logon events" and "Audit logon events" policies.
On a domain controller, check the Domain Controller Security Policy instead of the Local Security Policy. Afterwards run "gpupdate /force". This was done only to ensure that the appropriate entries are generated in the Security event log.
3. Reproduced the issue again and found that the Security log reported this type of error:
Event Type:     Failure Audit
Event Source:   Security
Event Category: Logon/Logoff
Event ID:       534
Description:
Logon Failure:
    Reason:        The user has not been granted the requested logon type at this machine
    User Name:     Domain Test User account
    Logon Type:    8
    Logon Process: Advapi
A logon failure with Logon Type 8 here means the account had not been granted the "Access this computer from the network" user right on the COM+ server.
4. Checking the Win2K3 domain environment, we found that the customer had removed normal Domain Users from the "Access this computer from the network" user right.
To fix this, we created a test OU on the DC and moved the COM+ application server into it, making sure that the domain Group Policy applied to this OU does not define the "Access this computer from the network" user right. Then, on the COM+ application server, we opened GPEDIT.MSC, went to Local Security Policy -> Local Policies -> User Rights, and granted Everyone the "Access this computer from the network" user right.
This solution works.
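To make steps 3 and 4 repeatable, here is an added PowerShell diagnostic script (it is not part of the original post and is not a Microsoft tool). It scans the Security log on the COM+ application server for failed Logon Type 8 attempts by the COM+ identity account, then exports the effective security policy with secedit.exe and lists who holds, and who is denied, the "Access this computer from the network" right (SeNetworkLogonRight / SeDenyNetworkLogonRight). The account name "TestUser" and the number of log entries scanned are assumptions; event ID 534 is the one shown in the post on Windows Server 2003, and 4625 is its equivalent on Windows Vista / Server 2008 and later. It assumes PowerShell 2.0 or later running in an elevated prompt.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the COM+ application server.
# Assumptions: the account the COM+ application runs as is $UserName; PowerShell 2.0+; secedit.exe present.
param(
    [string]$UserName = 'TestUser',   # COM+ application identity account (assumed name)
    [int]$Newest = 2000               # how many Security log entries to scan
)

# 1. Failed logons of the account with Logon Type 8 (NetworkCleartext), the type seen in the post.
#    Event 534 is the Windows Server 2003 ID; 4625 is the equivalent on Vista/2008 and later.
$failures = Get-EventLog -LogName Security -EntryType FailureAudit -Newest $Newest |
    Where-Object {
        ($_.EventID -eq 534 -or $_.EventID -eq 4625) -and
        $_.Message -match 'Logon Type:\s+8' -and
        $_.Message -match [regex]::Escape($UserName)
    }

if ($failures) {
    Write-Host ("Found {0} Logon Type 8 failure(s) for {1}; most recent entry:" -f @($failures).Count, $UserName)
    Write-Host (@($failures)[0].Message)
} else {
    Write-Host "No Logon Type 8 failures for $UserName in the last $Newest Security log entries."
}

# 2. Export the effective local security policy and show the holders of the two user rights
#    that decide whether a network logon is allowed. A deny entry always wins over an allow entry,
#    so the account (or one of its groups) must appear under SeNetworkLogonRight and must NOT
#    appear under SeDenyNetworkLogonRight.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf
Remove-Item $inf -ErrorAction SilentlyContinue

function Resolve-RightHolders([string]$Line) {
    # secedit writes SIDs prefixed with '*' and names as-is; translate SIDs to account names.
    $holders = ($Line -split '=', 2)[1].Trim() -split ','
    foreach ($h in $holders) {
        $name = $h.Trim()
        if ($name.StartsWith('*S-1-')) {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($name.TrimStart('*'))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
        }
        $name
    }
}

foreach ($right in 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight') {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    if ($line) {
        Write-Host "$right is held by:"
        Resolve-RightHolders $line | ForEach-Object { Write-Host "    $_" }
    } else {
        Write-Host "$right is not defined in the effective policy."
    }
}
```

If the script reports Logon Type 8 failures and the COM+ identity account is absent from the SeNetworkLogonRight list (or present in the SeDenyNetworkLogonRight list), the cause is the user-right assignment described in step 4, not the COM+ Anonymous settings. Granting the right to a narrow group that contains only the COM+ identity account produces the same result as granting it to Everyone while keeping the customer's original restriction for other domain users.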
Freist from APGC DSI Team