PRB: Access Check Is Enabled by Default When a COM+ Application Is Created (810153)



The information in this article applies to:

  • Microsoft COM+ 1.5

SYMPTOMS

When you access COM+ components that are installed on a computer that is running Microsoft Windows Server, you may receive an access denied error with the E_ACCESSDENIED HRESULT value.

The following event may appear in the System event log on the server that is running the COM+ component:

Event Type: Error
Event Source: DCOM Event
Category: None
Event ID: 10002
Date: 1/1/2003
Time: 8:00:00 AM
User: <ComputerName>\IWAM_<ComputerName>
Computer: <ComputerName>
Description: Access denied attempting to launch a DCOM Server. The server is:{12345678-1234-1234-1234-123456789ABC} The user is IWAM_<ComputerName>/<ComputerName>

CAUSE

In Windows Server, some of the security defaults for a new COM+ application are changed. At the application level, the Enforce access checks for this application security default is changed from disabled to enabled. At the component level, the Enforce component level access checks security default is changed from enabled to disabled. If your application has no roles, or no users in its roles, COM+ services enforce the access check and you receive access denied for that particular COM+ component.

RESOLUTION

The COM+ application owner or an administrator must determine the users who need access to the COM+ application.

If you, as a COM+ application owner or as an administrator, determine that limited users must have access to the application, then you must explicitly add those users to a role. If no suitable role exists, then you must add a new role.

To add users to roles, follow these steps:
  1. Open the Component Services Administrative Tools window.
  2. On the tree, expand Component Services folder.
  3. Expand Computers folder.
  4. Expand COM+ Applications folder.
  5. Right-click the application with the attributes that you have to modify.
  6. Expand Roles folder.
  7. Expand the role for which you have to add a user.
  8. Right-click Users folder.
  9. Select New and then click User.
  10. In the Select Users or Groups dialog box, double-click the user or group that you have to add to the role and then click OK.

If you, as a COM+ application owner or as an administrator, determine that the COM+ application must not be secure, then you can disable the COM+ application access check. In this case, not secure means that no access check is performed and that everyone has access to this application.

To disable access checks at the application level, follow these steps:
  1. Open the Component Services Administrative Tools window.
  2. On the tree, expand Component Services folder.
  3. Expand Computers folder.
  4. Expand COM+ Applications folder.
  5. Right-click the application with the attributes that you have to modify.
  6. Click Properties.
  7. In the Properties dialog box, click the Security tab.
  8. Under Authorization, click to clear the Enforce access checks for this application option and then click OK.

If you, as a COM+ application owner or as an administrator, determine that the application needs the old defaults from Microsoft Windows 2000 and Microsoft Windows XP, then you can restore those defaults.

To disable access checks at the application level and enable access checks at the component level, follow these steps:
  1. Open the Component Services Administrative Tools window.
  2. On the tree, expand Component Services folder.
  3. Expand Computers folder.
  4. Expand the COM+ Applications folder.
  5. Right-click the application with the attributes that you have to modify.
  6. Click Properties.
  7. In the Properties dialog box, click the Security tab.
  8. Under Authorization, click to clear the Enforce access checks for this application option and then click OK.
  9. On the tree, expand Components folder.
  10. Right-click the component with the attributes that you have to modify.
  11. Click Properties.
  12. In the Properties dialog box, click the Security tab.
  13. Under Authorization, click to select the Enforce component level access checks option and then click OK.
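The three procedures above can also be scripted against the COM+ catalog. The following PowerShell is an added example, not code from the article: it uses the COMAdmin.COMAdminCatalog automation object and its Applications, Roles, UsersInRole and Components collections, with the ApplicationAccessChecksEnabled and ComponentAccessChecksEnabled properties that correspond to the two check boxes named in the steps. The application name 'ContosoOrders', the role 'Callers' and the account 'CONTOSO\svc-web' in the usage lines are placeholders.

```powershell
# Added example: scripted equivalents of the three Component Services procedures.
# Requires an elevated session on the server that hosts the COM+ application.

function Get-ComPlusApplication {
    param([Parameter(Mandatory)][string]$Name)
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection("Applications")
    $apps.Populate()
    foreach ($app in $apps) {
        if ($app.Name -eq $Name) {
            # Return the collection too: child collections are opened from it
            # and SaveChanges() is called on it.
            return [pscustomobject]@{ Applications = $apps; Application = $app }
        }
    }
    throw "COM+ application '$Name' was not found in the catalog"
}

function Find-CatalogItem($collection, $name) {
    foreach ($item in $collection) { if ($item.Name -eq $name) { return $item } }
    return $null
}

# Resolution 1: add a user or group to a role, creating the role if it is missing.
function Add-ComPlusRoleUser {
    param(
        [Parameter(Mandatory)][string]$ApplicationName,
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$Account    # 'DOMAIN\name' or a local account
    )
    $ctx = Get-ComPlusApplication -Name $ApplicationName
    $roles = $ctx.Applications.GetCollection("Roles", $ctx.Application.Key)
    $roles.Populate()
    if (-not (Find-CatalogItem $roles $RoleName)) {
        $newRole = $roles.Add()
        $newRole.Value("Name") = $RoleName
        [void]$roles.SaveChanges()
        $roles.Populate()                         # re-read so the new role has a valid key
    }
    $role = Find-CatalogItem $roles $RoleName
    $members = $roles.GetCollection("UsersInRole", $role.Key)
    $members.Populate()
    $member = $members.Add()
    $member.Value("User") = $Account
    [void]$members.SaveChanges()
}

# Resolutions 2 and 3: set the application-level check box and, optionally, the
# component-level check box on every component of the application.
function Set-ComPlusAccessChecks {
    param(
        [Parameter(Mandatory)][string]$ApplicationName,
        [Parameter(Mandatory)][bool]$ApplicationLevel,   # 'Enforce access checks for this application'
        [bool]$ComponentLevel                            # 'Enforce component level access checks'
    )
    $ctx = Get-ComPlusApplication -Name $ApplicationName
    $ctx.Application.Value("ApplicationAccessChecksEnabled") = $ApplicationLevel
    [void]$ctx.Applications.SaveChanges()
    if ($PSBoundParameters.ContainsKey('ComponentLevel')) {
        $components = $ctx.Applications.GetCollection("Components", $ctx.Application.Key)
        $components.Populate()
        foreach ($c in $components) {
            $c.Value("ComponentAccessChecksEnabled") = $ComponentLevel
        }
        [void]$components.SaveChanges()
    }
}

# Usage (placeholder names; the application must already exist in the catalog):
# Add-ComPlusRoleUser     -ApplicationName 'ContosoOrders' -RoleName 'Callers' -Account 'CONTOSO\svc-web'
# Set-ComPlusAccessChecks -ApplicationName 'ContosoOrders' -ApplicationLevel $false
# Set-ComPlusAccessChecks -ApplicationName 'ContosoOrders' -ApplicationLevel $false -ComponentLevel $true
```

Of the three, only the first keeps the application protected; the second removes authorization for every caller, and the third leaves component-level settings in place that have no effect until application-level checks are turned back on. A running application must be shut down for catalog changes to take effect, just as with the Component Services snap-in.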

MORE INFORMATION

By default, new COM+ applications on Windows 2000 (all versions) and on Windows XP do not have access checks enabled. When you access COM+ components in these COM+ applications, you do not receive an access denied error.

You receive an access denied error when all the following conditions are satisfied:
  • Access checks are enabled at either or both the application level and at the component level.
  • The user who accesses this application is not associated with any role.

The default security settings for a new COM+ application on Windows 2000 (all versions) and on Windows XP are:
  • Access checks are not enabled at the application level.
  • Access checks are enabled at the component level.

You do not receive an access denied error on Windows 2000 (all versions) and on Windows XP when the access checks are disabled at the application level.

The default security settings for a new COM+ application on the Windows Server are:
  • Access checks are enabled at the application level.
  • Access checks are not enabled at the component level.

You receive an access denied error on Windows Server when access checks are enabled at the application level and the user is not associated with any role in the COM+ application.
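As an added example (not from the article), the following PowerShell audits every COM+ application on the local machine against the conditions listed above: it reads the application-level and component-level access check settings through COMAdmin.COMAdminCatalog, counts role members, and flags applications that will deny every caller because checks are enforced while no role has a member. AccessChecksLevel is reported as well (0 = application level only, 1 = application and component level); that property is not mentioned in the article and is included on my understanding of the COM+ catalog.

```powershell
# Added audit script (not from the KB article). Run in an elevated PowerShell
# session on the server that hosts the COM+ applications.

function Get-ComPlusAccessCheckReport {
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection("Applications")
    $apps.Populate()

    foreach ($app in $apps) {
        # 'Enforce access checks for this application' check box.
        $appChecks = [bool]$app.Value("ApplicationAccessChecksEnabled")
        # 0 = checks at the application (process) level only,
        # 1 = checks at the application and component level.
        $level = [int]$app.Value("AccessChecksLevel")

        # Count members across all roles of this application.
        $roles = $apps.GetCollection("Roles", $app.Key)
        $roles.Populate()
        $memberCount = 0
        foreach ($role in $roles) {
            $members = $roles.GetCollection("UsersInRole", $role.Key)
            $members.Populate()
            $memberCount += $members.Count
        }

        # Count components with 'Enforce component level access checks' set.
        $components = $apps.GetCollection("Components", $app.Key)
        $components.Populate()
        $componentChecks = 0
        foreach ($c in $components) {
            if ([bool]$c.Value("ComponentAccessChecksEnabled")) { $componentChecks++ }
        }

        [pscustomobject]@{
            Application        = $app.Name
            AppAccessChecks    = $appChecks
            AccessChecksLevel  = $level
            Roles              = $roles.Count
            RoleMembers        = $memberCount
            ComponentsChecked  = $componentChecks
            # The article's failure condition: checks enforced, nobody authorized.
            WillDenyAllCallers = ($appChecks -and $memberCount -eq 0)
        }
    }
}

Get-ComPlusAccessCheckReport |
    Sort-Object WillDenyAllCallers -Descending |
    Format-Table -AutoSize
```

Rows with WillDenyAllCallers set to True are the applications that will produce the E_ACCESSDENIED error and the DCOM event 10002 shown in the Symptoms section; rows with AppAccessChecks False are open to every caller and are worth a second look for the same reason the Resolution section gives.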

REFERENCES

For additional information about COM+ Security, visit the following Microsoft Web site:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgservices_security_4fw3.asp

Modification Type: Major
Last Reviewed: 11/6/2003
Keywords: kbprb KB810153 kbAudDeveloper