Microsoft hardening DCOM, forcing packet integrity on March 14, 2023

Randy Berry 1 Reputation point
2022-07-01T14:16:41.91+00:00

DCOM = Distributed Com Object Model

Update Release Behavior Change
June 8, 2021 Hardening changes disabled by default, but with ability to enable them using a register key.
June 14, 2022 Hardening changes enabled by default, but with ability to disable them using a register key.
March 14, 2023 Hardening changes enabled by default, with no ability to disable them. By this point, you must resolve any
compatibility issues with the hardening changes and applications in your environment.

Microsoft is saying that applications must leverage "Packet Integrity" or higher for COM + communications.
Packet Integrity = Authenticates credentials and verifies that no call data has been modified in transit.
Packet Privacy = Authenticates credentials and encrypts the packet, including the data and the sender's identity and signature.

I am using VB6 with my DataEnvironment.Dsr connecting with the following Data Link Connection:
Provider=SQLNCLI.1;Persist Security Info=False;Extended Properties="Server=MyServer;Database=MyDataBase;Uid=MyUserID;"

My registry setting that is turned off for Packet Integrity is: Computer>HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole>AppCompat
Registry Name = RequireIntegrityActivationAuthenticationLevel
Registry Value = 0x00000000 (Base Hexadecimal) (disabling Packet Integrity)

When I change the registry value to 0x00000001 (Base Hexadecimal) (enabling Packet Integrity) to test what will happen March 14, 2023, my apps no longer work.

Microsoft SQL Server Login

Connection failed:
SQL State: '08001'
SQL Server Error: 10061
TCP Provider: No connection could be made because the target machine actively refused it.

Connection failed:
SQL State: '08001'
SQL Server Error: 10061

Connection failed:
SQL State: 'HYT00'
SQL Server Error: 0

How must I change my connection string to be able to run with Packet Integrity?

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
12,323 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Erland Sommarskog 99,546 Reputation points MVP
    2022-07-01T21:31:29.827+00:00

    I know very little, or rather nothing about DCOM. However, I note that you are using SQLNCLI as the OLE DB provider. It is not exactly this years model. I would suggest that you try MSSQLOLEDB19 instead. Look here for download.

    0 comments No comments

  2. Seeya Xi-MSFT 16,416 Reputation points
    2022-07-13T07:04:01.837+00:00

    Hi @Randy Berry ,

    Please read this blog about this error: https://blog.sqlauthority.com/2010/10/20/sql-server-could-not-connect-to-tcp-error-code-10061-no-connection-could-be-made-because-the-target-machine-actively-refused-it/
    You can check your firewall following this video in the above link.
    Here is a related thread you can refer to: https://www.ibm.com/mysupport/s/question/0D50z00005q4IB8CAM/tcp-error-code-10061-no-connection-could-be-made-because-the-target-machine-actively-refused-it?language=en_US
    Generally, it happens that something is preventing a connection to the port or hostname. Either there is a firewall blocking the connection or the process that is hosting the service is not listening on that specific port. This may be because it is not running at all or because it is listening on a different port.
    Try running netstat -anb from the command line to see if there's anything listening on the port you were entered. If you get nothing, try changing your port number and see if that works for you. In Windows operating systems, you can use the netstat services via the command line (cmd.exe) . On Linux you may need to do netstat -anp instead.

    Best regards,
    Seeya


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments