DCOM Interface Call fails with Kerberos

TRoll 0 Reputation points
2024-05-02T16:34:09.79+00:00

We are trying to move one of our current DCOM applications, which impersonates a client, from NTLM over to Kerberos. So I tried to get a minimal example running.

I initialize the server and the client as follows:

// Process-wide defaults, called once in both server and client before any other COM call
CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_MUTUAL_AUTH, NULL);

Then I create the remote server from the client via:

COSERVERINFO serverInfo;
ZeroMemory(&serverInfo, sizeof(COSERVERINFO));

COAUTHINFO athn;
ZeroMemory(&athn, sizeof(COAUTHINFO));

// Per-activation security: force Kerberos with packet privacy and mutual authentication,
// impersonation level IMPERSONATE so the server can act as the caller
athn.dwAuthnLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY;
athn.dwAuthnSvc = RPC_C_AUTHN_GSS_KERBEROS;
athn.dwAuthzSvc = RPC_C_AUTHZ_DEFAULT;
athn.dwCapabilities = EOAC_MUTUAL_AUTH;
athn.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
athn.pAuthIdentityData = NULL;             // use the caller's own logon credentials
athn.pwszServerPrincName = L"HOST/<FQDN>"; // SPN the KDC must issue the service ticket for

serverInfo.pwszName = L"<FQDN>";
serverInfo.pAuthInfo = &athn;
serverInfo.dwReserved1 = 0;
serverInfo.dwReserved2 = 0;

MULTI_QI qi = {&IID_ITestKerbAuth, NULL, S_OK};

// Remote activation: hr reports the activation itself, qi.hr the individual interface query
HRESULT hr = CoCreateInstanceEx(CLSID_TestKerbAuth, NULL, CLSCTX_REMOTE_SERVER, &serverInfo, 1, &qi);

And after that I try to call the interface:

if (SUCCEEDED(hr) && SUCCEEDED(qi.hr)) {
    // qi.pItf holds the requested interface; hand it over to a typed pointer
    ITestKerbAuth* pMyInterface = reinterpret_cast<ITestKerbAuth*>(qi.pItf);
    hr = pMyInterface->TestCall();   // the remote method call that fails in the scenario below
    pMyInterface->Release();
}

If I configure the application identity via dcomcnfg with the System account, a specific user account, or the interactive user, everything works fine. But if I try to set the application identity to Launching User, I get:

Error 0x80070721: A security package specific error occurred.

The initial logon to start the server still succeeds, but all following calls to the interface fail with the above-mentioned error. If I don't disable NTLM, DCOM is able to fall back to NTLMv2 to call the interface.

I have already tried setting a service-specific SPN, enabled all the logging for Kerberos, enabled logon auditing, and tried calling with administrator privileges, but I still have no clue what exactly is wrong.

Can anyone provide any input on how to debug or troubleshoot this issue?

Thanks!
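Since the question is how to troubleshoot this, here is an added PowerShell diagnostic script (my own, not part of the original post and not a Microsoft sample). It assumes it runs elevated on the DCOM server machine, that `$AppId` is the AppID GUID under which the server is registered in dcomcnfg, and that `$ServerFqdn` is the name passed in `COSERVERINFO.pwszName`; the script name `Invoke-DcomKerberosCheck.ps1`, the parameter names and the placeholder GUID are mine. It collects the three facts that decide whether a Kerberos-authenticated DCOM call can be accepted and impersonated: which identity the AppID really runs under, which account owns the `HOST/<FQDN>` SPN the client asks for, and which authentication package and impersonation level the incoming calls actually arrive with.

```powershell
<#
  Invoke-DcomKerberosCheck.ps1 (added example, not part of the original post).
  Assumptions: run elevated on the DCOM *server*; $AppId is the server's AppID GUID
  as shown in dcomcnfg; $ServerFqdn is the name passed in COSERVERINFO.pwszName.
#>
param(
    [Parameter(Mandatory)][string]$ServerFqdn,
    [Parameter(Mandatory)][string]$AppId,      # e.g. '{12345678-1234-1234-1234-123456789abc}' (placeholder)
    [int]$LookbackMinutes = 30
)

function Get-DcomIdentityConfig {
    param([string]$AppId)
    # dcomcnfg's Identity tab is stored here. No RunAs value at all means "The launching user";
    # "Interactive User" or a DOMAIN\user string are the other two choices.
    $key = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    if (-not (Test-Path $key)) { throw "AppID key $key not found; check the GUID in dcomcnfg" }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        RunAs               = if ($null -ne $p.RunAs) { $p.RunAs } else { '<absent> = Launching User' }
        AuthenticationLevel = $p.AuthenticationLevel    # $null = machine-wide default from dcomcnfg
        LocalService        = $p.LocalService           # set when the server is hosted by a Windows service
    }
}

function Test-SpnRegistration {
    param([string]$ServerFqdn)
    # The client asks the KDC for HOST/<fqdn>. setspn -Q prints the DN of the account that owns
    # the SPN (normally the computer account); compare it with the RunAs identity above.
    $short = $ServerFqdn.Split('.')[0]
    foreach ($spn in @("HOST/$ServerFqdn", "HOST/$short")) {
        $out = (& setspn.exe -Q $spn 2>&1 | Out-String).Trim()
        [pscustomobject]@{ Spn = $spn; SetspnOutput = $out }
    }
}

function Get-NetworkLogons {
    param([int]$LookbackMinutes)
    # Every DCOM call that authenticates to this box produces a 4624 with LogonType 3.
    # AuthenticationPackageName shows whether Kerberos or NTLM was really used;
    # ImpersonationLevel is %%1832 Identification, %%1833 Impersonation, %%1840 Delegation.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '3') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                AuthPackage   = $d['AuthenticationPackageName']
                Impersonation = $d['ImpersonationLevel']
                LogonProcess  = $d['LogonProcessName']
                Workstation   = $d['WorkstationName']
            }
        }
    }
}

function Get-DcomAndKerberosEvents {
    param([int]$LookbackMinutes)
    $since = (Get-Date).AddMinutes(-$LookbackMinutes)
    # DCOM activation and permission problems are logged by DistributedCOM in the System log.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; StartTime = $since } -ErrorAction SilentlyContinue
    # Kerberos client errors (e.g. KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB_AP_ERR_MODIFIED) only show up after
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel (DWORD) has been set to 1.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $since } -ErrorAction SilentlyContinue
}

'== DCOM identity for ' + $AppId + ' =='
Get-DcomIdentityConfig -AppId $AppId | Format-List
'== SPN ownership =='
Test-SpnRegistration -ServerFqdn $ServerFqdn | Format-List
'== Duplicate SPNs in the forest (any hit breaks Kerberos for that name) =='
& setspn.exe -X
"== Network logons to this host, last $LookbackMinutes min =="
Get-NetworkLogons -LookbackMinutes $LookbackMinutes | Format-Table -AutoSize
"== DCOM and Kerberos events, last $LookbackMinutes min =="
Get-DcomAndKerberosEvents -LookbackMinutes $LookbackMinutes | Select-Object TimeCreated, Id, Message | Format-List
```

Run it right after reproducing the failing `TestCall()` so the events fall inside the lookback window. On the client side, `klist` after the failing call shows whether a service ticket for `HOST/<FQDN>` was issued at all (a ticket present means the KDC side is fine and the failure happens when the server accepts the context); `klist purge` before the next attempt avoids reusing a cached ticket. The script only gathers evidence; the thing to compare is the account listed as owning the SPN against the identity the server process really has in the Launching User configuration, and the `AuthPackage`/`Impersonation` columns of the 4624 events for the calls that fail versus the ones that work.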
