Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Further DPAPI (user store) problems

Further DPAPI (user store) problems

 
 
Martin
09-12-2004
Hi,

I am trying to get the How To: Use DPAPI (User Store) from ASP.NET with
Enterprise Services example working on my dev machine.

Many thanks to Nicole for solving the last problem I had with this.

I can now start the DPAPI service, and once I have re-registered the
DPAPIComp.dll, I don't get problems accessing the registry entry for its
ProgID.

However when I run the example web page to encrypt some data, I get access
denied on creating the DataProtectorComp object which is in DPAPIComp.

My DPAPIComp.dll exists in its own build directory, (DPAPIComp/bin/Debug)
another dir in that project (DPAPIComp/obj/Debug), and locally in the
DPAPIService project dir (DPAPIService/bin/Debug). I have chosen to strong
name this dll, and each instance of the dll mentioned here has the same
version number. I am surprised there is no mention of adding this dll to
the GAC. When I look, it is not there after building the DPAPIComp, and
when I add it manually, it doesn't solve my problem of access denied.

I have given machine/ASPNet account (running Windows XP Pro sp1) read &
execute access to each copy of the dll.

BTW I have each project of the howto in one big solution file.

Can anyone help me get this running?

Also what is the best way to test the COM+ Application in isolation of the
windows service? Log in as the DPAPI user and run a windows form
application? When I try to start the COM+ Application as either me (local
admin rights) or the local machine dpapi account it fails with "Catalog
Error, You do not have permission to perform the requested action. If
security is enabled on the System Application of the target computer make
sure you are included in the appropriate roles". As per the instructions,
security level on this COM+ app is at the process level only, and "enforce
access checks for this app" is ticked.



Thanks
Martin




 
Martin
09-12-2004
On attempting to create the DPAPIComp object I get the following System
event log error:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10002
Date: 12/09/2004
Time: 12:09:51
User: DELL\ASPNET
Computer: DELL
Description:
Access denied attempting to launch a DCOM Server. The server is:
{<some guid>}
The user is ASPNET/DELL, SID=<another guid>.

I see from the help on this event message, I should have a registry value
for HKCR\Clsid\clsid value\localserver32, but I don't.
My HKCR\Clsid\clsid value\ entry has the sub entries Implemented Categories,
InProcServer32, and ProgId. Can I follow the event log help, but use
InProcServer32 instead of localserver32, or should I create a localserver32
entry?

Thanks
Martin

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Martin" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi,
>
> I am trying to get the How To: Use DPAPI (User Store) from ASP.NET with
> Enterprise Services example working on my dev machine.
>
> Many thanks to Nicole for solving the last problem I had with this.
>
> I can now start the DPAPI service, and once I have re-registered the
> DPAPIComp.dll, I don't get problems accessing the registry entry for it's
> ProgID.
>
> However when I run the example web page to encrypt some data, I get access
> denied on creating the DataProtectorComp object which is in DPAPIComp.
>
> My DPAPIComp.dll exists in it's own build directory, (DPAPIComp/bin/Debug)
> another dir in that project (DPAPIComp/obj/Debug), and locally in the
> DPAPIService project dir (DPAPIService/bin/Debug). I have chosen to strong
> name this dll, and each instance of the dll mentioned here has the same
> version number. I am surprised there is no mention of adding this dll to
> the GAC. When I look, it is not there after building the DPAPIComp, and
> when I add it manually, it doesn't solve my problem of access denied.
>
> I have given machine/ASPNet account (running Windows XP Pro sp1) read &
> execute access to each copy of the dll.
>
> BTW I have each project of the howto in one big solution file.
>
> Can anyone help me get this running?
>
> Also what is the best way to test the COM+ Application in isolation of the
> windows service? Login as the DPAPI user and run a windows form
> application? When I try to start the COM+ Application as either me (local
> admin rights) or the local machine dpapi account it fails with "Catalog
> Error, You do not have permission to perform the requested action. If
> security is enabled on the System Application of the target computer make
> sure you are included in the appropriate roles". As per the instructions,
> security level on this COM+ app is at the process level only, and "enforce
> access checks for this app" is ticked.
>
>
>
> Thanks
> Martin

Martin
09-12-2004
Looking further at the help for the event error, I don't seem to have a
friendly name for DPAPIComp in Component Services\My Computer\DCOM Config.

So I don't know how I could customise the DCOM security properties anyhow.
I thought the idea was that the service application would have loaded the
DPAPIComp serviced component (the service is running in Windows Services).


Thanks
Martin

"Martin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On attempting to create the DPAPIComp object I get the following System
> event log error:
>
> Event Type: Error
> Event Source: DCOM
> Event Category: None
> Event ID: 10002
> Date: 12/09/2004
> Time: 12:09:51
> User: DELL\ASPNET
> Computer: DELL
> Description:
> Access denied attempting to launch a DCOM Server. The server is:
> {<some guid>}
> The user is ASPNET/DELL, SID=<another guid>.
>
> I see from the help on this event message, I should have a registry value
> for HKCR\Clsid\clsid value\localserver32, but I don't.
> My HKCR\Clsid\clsid value\ entry has the sub entries Implemented Categories,
> InProcServer32, and ProgId. Can I follow the event log help, but use
> InProcServer32 instead of localserver32, or should I create a localserver32
> entry?
>
> Thanks
> Martin
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> "Martin" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > Hi,
> >
> > I am trying to get the How To: Use DPAPI (User Store) from ASP.NET with
> > Enterprise Services example working on my dev machine.
> >
> > Many thanks to Nicole for solving the last problem I had with this.
> >
> > I can now start the DPAPI service, and once I have re-registered the
> > DPAPIComp.dll, I don't get problems accessing the registry entry for it's
> > ProgID.
> >
> > However when I run the example web page to encrypt some data, I get access
> > denied on creating the DataProtectorComp object which is in DPAPIComp.
> >
> > My DPAPIComp.dll exists in it's own build directory, (DPAPIComp/bin/Debug)
> > another dir in that project (DPAPIComp/obj/Debug), and locally in the
> > DPAPIService project dir (DPAPIService/bin/Debug). I have chosen to strong
> > name this dll, and each instance of the dll mentioned here has the same
> > version number. I am surprised there is no mention of adding this dll to
> > the GAC. When I look, it is not there after building the DPAPIComp, and
> > when I add it manually, it doesn't solve my problem of access denied.
> >
> > I have given machine/ASPNet account (running Windows XP Pro sp1) read &
> > execute access to each copy of the dll.
> >
> > BTW I have each project of the howto in one big solution file.
> >
> > Can anyone help me get this running?
> >
> > Also what is the best way to test the COM+ Application in isolation of the
> > windows service? Login as the DPAPI user and run a windows form
> > application? When I try to start the COM+ Application as either me (local
> > admin rights) or the local machine dpapi account it fails with "Catalog
> > Error, You do not have permission to perform the requested action. If
> > security is enabled on the System Application of the target computer make
> > sure you are included in the appropriate roles". As per the instructions,
> > security level on this COM+ app is at the process level only, and "enforce
> > access checks for this app" is ticked.
> >
> >
> >
> > Thanks
> > Martin

Martin
09-14-2004
When I *disable* access checks for the DPAPI Helper Application, I got an
error telling me it couldn't find DataProtection.dll.

Reading Register Serviced Components from
http://msdn.microsoft.com/library/en...asp?frame=true
I put both DataProtection.dll and DPAPIComp.dll in the gac, re-registered
DPAPIComp.dll with regsvcs, and re-installed the DPAPIService.exe service.
Start the service and the DPAPIWeb runs successfully.

However..... when I set the DPAPIHelper COM+ app back to *enable* access
checks, it *still* fails with a system event error 10002.

NB The DPAPI Help App (COM+ App) is configured to perform access checks at
the process level only, so there aren't any COM+ roles to configure I guess.

Still appreciate any help on this.

Thanks
Martin


 
Martin
09-14-2004
Even adding local ASPNET to local Administrators group does not let ASPNET
launch a DCOM Server (error 10002 still occurs)!!!


"Martin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> When I *disable* access checks for the DPAPI Helper Application, I got an
> error telling me it couldn't find DataProtection.dll.
>
> Reading Register Serviced Components from
> http://msdn.microsoft.com/library/en...asp?frame=true
> I put both DataProtection.dll and DPAPIComp.dll in the gac, re-registered
> DPAPIComp.dll with regsvcs, and re-installed the DPAPIService.exe service.
> Start the service and the DPAPIWEb runs successfully.
>
> However..... when I set the DPAPIHelper COM+ app back to *enable* access
> checks, it *still* fails with an system event error 10002.
>
> NB The DPAPI Help App (COM+ App) is configured to perform access checks at
> the process level only, so there aren't any COM+ roles to configure I guess.
>
> Still appreciate any help on this.
>
> Thanks
> Martin

Joseph E Shook [MVP - ADSI]
09-17-2004
If you do not have any roles set up then you will need to leave the
security disabled at the Application level. By default on XP and
Win2003 it is turned on. But I think when this document was written
Windows 2000 was most likely the targeted platform and if I remember
right the Application access checks were disabled by default. So maybe
that explains the lack of mentioning this tidbit in the doc.

 
Martin
09-17-2004
Hi Joseph,

Thanks for the response.

I would like to have security at the application level if possible. What
concerns me is I don't have any entry that looks useful to me under DCOM
Config.

Can you give me any pointers on that?

Thanks
Martin
PS I can't see any steps involving the security tab of my COM+ App in the
January 2004 version of this document.


"Joseph E Shook [MVP - ADSI]" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> If you do not have any roles set up then you will need to leave the
> security disabled at the Application level. By default on XP and
> Win2003 it is turned on. But I think when this document was written
> Windows 2000 was most likely the targeted platform and if I remember
> right the Application access checks was dissabled by default. So maybe
> that explains the lack of mentioning this tidbit in the doc.

Joseph E Shook [MVP - ADSI]
09-17-2004
You shouldn't need to do any configuration with DCOM Config. But you
will have to create a role in the roles folder of the ES application.
Then add the users or groups to this role.

Look at the chapter called How To: Use Role-based Security with
Enterprise Services in the same doc.
Basically you will have to implement an interface to be able to see your
component methods in ES and you will have to create roles.
Another thing you will need to do is add a Marshaler Role with the
everyone group in it. It is most convenient to just add the following
line to your assemblyinfo:
[assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]

Ok, after saying all of that you could just use standard role based
security in your component. Look up Declarative and Imperative in the
help files. But remember you can only use ES roles or .NET role based
security; no mixing of the two.

I would be more specific but I have to revisit some of my work from last
year to better tell this story. I hope this will help.



Martin wrote:

> Hi Joseph,
>
> Thanks for the response.
>
> I would like to have security at the application level if possible. What
> concerns me is I don't have any entry that looks useful to me under DCOM
> Config.
>
> Can you give me any pointers on that?
>
> Thanks
> Martin
> PS I can't see any steps involving the security tab of my COM+ App in the
> January 2004 version of this document.
>
>
> "Joseph E Shook [MVP - ADSI]" <(E-Mail Removed)> wrote in
> message news:(E-Mail Removed)...
>
>>If you do not have any roles set up then you will need to leave the
>>security disabled at the Application level. By default on XP and
>>Win2003 it is turned on. But I think when this document was written
>>Windows 2000 was most likely the targeted platform and if I remember
>>right the Application access checks was dissabled by default. So maybe
>>that explains the lack of mentioning this tidbit in the doc.
>>

>
>
>
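Joseph's steps above (roles declared on the Enterprise Services application, the component's methods exposed through an interface so COM+ can see them, and a Marshaler role with Everyone in it) fit together in one serviced-component assembly. The following C# is an added example and is not code from this thread or from the Microsoft how-to. The role name "DPAPI Clients", the application name, the interface name IDataProtector, and the use of System.Security.Cryptography.ProtectedData (the .NET 2.0+ managed DPAPI wrapper, standing in for the how-to's DataProtection.dll) are assumptions; DataProtectorComp is the class name the thread mentions.

```csharp
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

// Application-level settings for the COM+ (Enterprise Services) server app.
// The application name is a placeholder; the how-to's own name may differ.
[assembly: ApplicationName("DPAPI Helper (example)")]
[assembly: ApplicationActivation(ActivationOption.Server)]
// Enable access checks at the application *and* component level, so the roles
// declared below are actually enforced on calls into the component.
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]
// The Marshaler role with Everyone in it is what lets callers obtain and
// release the component's interfaces at all (the line quoted in the thread).
[assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]
// Application role for callers allowed to protect/unprotect data. It is empty
// after registration; the ASPNET account (or a group) is added to it in
// Component Services under the application's Roles folder. Assumed role name.
[assembly: SecurityRole("DPAPI Clients", Description = "Accounts allowed to call the protector")]

namespace DpapiExample
{
    // Exposing the methods through an explicit interface is what makes them
    // visible (and role-assignable) in the Component Services snap-in.
    [ComVisible(true)]
    public interface IDataProtector
    {
        byte[] Encrypt(byte[] plaintext);
        byte[] Decrypt(byte[] ciphertext);
    }

    [ComVisible(true)]
    [ClassInterface(ClassInterfaceType.None)]
    [ComponentAccessControl(true)]      // turn on component-level checks
    [SecurityRole("DPAPI Clients")]     // only members of this role may call in
    public class DataProtectorComp : ServicedComponent, IDataProtector
    {
        private const string ClientRole = "DPAPI Clients";

        public byte[] Encrypt(byte[] plaintext)
        {
            RequireClientRole();
            // CurrentUser scope: the key is derived from the identity the COM+
            // server process runs as (the dedicated DPAPI account), which is the
            // "user store" the how-to relies on.
            return ProtectedData.Protect(plaintext, null, DataProtectionScope.CurrentUser);
        }

        public byte[] Decrypt(byte[] ciphertext)
        {
            RequireClientRole();
            return ProtectedData.Unprotect(ciphertext, null, DataProtectionScope.CurrentUser);
        }

        // Imperative check on top of the declarative attribute: it fails closed
        // when access checks have been switched off on the application, which is
        // the state the thread ends up in when security is disabled to get past
        // the DCOM 10002 error.
        private static void RequireClientRole()
        {
            if (!ContextUtil.IsSecurityEnabled)
            {
                throw new InvalidOperationException(
                    "COM+ access checks are disabled; refusing to operate without role enforcement.");
            }
            if (!ContextUtil.IsCallerInRole(ClientRole))
            {
                string caller = SecurityCallContext.CurrentCall.DirectCaller.AccountName;
                throw new UnauthorizedAccessException(
                    "Caller " + caller + " is not in the '" + ClientRole + "' role.");
            }
        }
    }
}
```

After building and strong-naming the assembly, register it with regsvcs (as the thread does) so the attributes create the application, the two roles and the component; the roles themselves stay empty until the ASPNET account is added to "DPAPI Clients" in Component Services, which is the step that makes the 10002 access-denied error go away while leaving access checks enabled. The imperative check is there so the component refuses to run unprotected rather than silently serving any caller when checks are disabled; it does not replace the declarative role, which is what COM+ evaluates before the method body is ever reached.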

 
Martin
09-22-2004
Thanks Joseph,

I'll have another look.

Martin

"Joseph E Shook [MVP - ADSI]" <(E-Mail Removed)> wrote in
message news:%(E-Mail Removed)...
> You shouldn't need to do any configuration with DCOM Config. But you
> will have to create a role in the roles folder of the ES application.
> Then add the users or groups to this role.
>
> Look at the chapter called How To: Use Role-based Security with
> Enterprise Services in the same doc.
> Basically you will have to implement an interface to be able to see your
> component methods in ES and you will have to create roles.
> Another thing you will need to do is add a Marshaler Role with the
> everyone group in it. It is most convenient to just add the following
> line to your assemblyinfo:
> [assembly: SecurityRole("Marshaler", SetEveryoneAccess = true)]
>
> Ok, after saying all of that you could just user standard role based
> security in your component. Look up Declarative and Imperative in the
> help files. But remember you can only use ES roles or .NET role based
> security; no mixing of the two.
>
> I would be more specific but I have to revisit some of my work from last
> year to better tell this story. I hope this will help.
>
>
>
> Martin wrote:
>
> > Hi Joseph,
> >
> > Thanks for the response.
> >
> > I would like to have security at the application level if possible. What
> > concerns me is I don't have any entry that looks useful to me under DCOM
> > Config.
> >
> > Can you give me any pointers on that?
> >
> > Thanks
> > Martin
> > PS I can't see any steps involving the security tab of my COM+ App in the
> > January 2004 version of this document.
> >
> >
> > "Joseph E Shook [MVP - ADSI]" <(E-Mail Removed)> wrote in
> > message news:(E-Mail Removed)...
> >
> >>If you do not have any roles set up then you will need to leave the
> >>security disabled at the Application level. By default on XP and
> >>Win2003 it is turned on. But I think when this document was written
> >>Windows 2000 was most likely the targeted platform and if I remember
> >>right the Application access checks was dissabled by default. So maybe
> >>that explains the lack of mentioning this tidbit in the doc.
> >>
