Holger Grund

I have an application on XP SP2 that marshals an object into a memory stream via CoMarshalInterface with MSHCTX_DIFFERENTMACHINE (and FWIW MSHLFLAGS_TABLESTRONG), sends the data to a remote Vista machine, and waits for a connection.

The remote machine receives the data and calls CoUnmarshalInterface. Both sides use CoInitializeSecurity with anonymous authentication levels. Both register standard marshallers via CoRegisterPSClsid and CoRegisterClassObject on the fly.

It seems CoUnmarshalInterface reads the OXID from the stream and does an LRPC to resolve it, which fails with ERROR_ACCESS_DENIED. Now what's really odd is that this request never seems to hit the wire. I think I've tweaked everything I can think of (RPC Policy settings, DCOM launch limits, Firewall).

All of this works fine on XP SP1 (can't test SP2 right now). Any ideas?

-hg
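The OXID and resolver bindings that CoUnmarshalInterface reads from the marshaled stream, as described in the post above, can be inspected offline. This is an added example, not code from the thread: a Python parser for a standard OBJREF following the layout in the MS-DCOM specification. The function names are hypothetical, and the sample buffer (OXID, OID, IPID, the 192.0.2.10 address) is constructed.

```python
import struct
import uuid

OBJREF_SIGNATURE = 0x574F454D  # bytes "MEOW" read as a little-endian DWORD
OBJREF_STANDARD = 0x00000001
TOWER_NAMES = {0x07: "ncacn_ip_tcp"}  # only the protocol used in the sample

def parse_std_objref(blob):
    """Decode the fields an unmarshaler needs from a standard OBJREF."""
    if len(blob) < 68:
        raise ValueError("too short for a standard OBJREF")
    sig, flags = struct.unpack_from("<II", blob, 0)
    if sig != OBJREF_SIGNATURE:
        raise ValueError("missing MEOW signature")
    if flags != OBJREF_STANDARD:
        raise ValueError("handler/custom/extended OBJREF, not handled here")
    # STDOBJREF: flags, cPublicRefs, OXID, OID, then the 16-byte IPID
    _flags, refs, oxid, oid = struct.unpack_from("<IIQQ", blob, 24)
    # DUALSTRINGARRAY header: both counts are in 16-bit units
    entries, sec_off = struct.unpack_from("<HH", blob, 64)
    if sec_off > entries or 68 + 2 * entries > len(blob):
        raise ValueError("DUALSTRINGARRAY runs past the buffer")
    words = struct.unpack_from("<%dH" % sec_off, blob, 68)
    bindings, i = [], 0
    while i < len(words) and words[i] != 0:  # zero tower id ends the list
        end = i + 1
        while end < len(words) and words[end] != 0:
            end += 1
        addr = "".join(chr(w) for w in words[i + 1:end])
        bindings.append((TOWER_NAMES.get(words[i], hex(words[i])), addr))
        i = end + 1
    return {"iid": uuid.UUID(bytes_le=blob[8:24]), "public_refs": refs,
            "oxid": oxid, "oid": oid,
            "ipid": uuid.UUID(bytes_le=blob[48:64]), "bindings": bindings}

def build_sample():
    """Constructed OBJREF; every value below is made up for the demo."""
    wide = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    strings = struct.pack("<H", 0x07) + wide("192.0.2.10") + b"\x00\x00"
    security = struct.pack("<HH", 0x0A, 0xFFFF) + b"\x00\x00" * 2  # 0x0A = NTLM
    head = struct.pack("<II", OBJREF_SIGNATURE, OBJREF_STANDARD)
    head += uuid.UUID("00000000-0000-0000-c000-000000000046").bytes_le  # IUnknown
    std = struct.pack("<IIQQ", 0, 5, 0x1122334455667788, 0x0102030405060708)
    std += uuid.UUID("0000aaaa-0bbb-0ccc-8000-000000000001").bytes_le
    dsa = struct.pack("<HH", (len(strings) + len(security)) // 2, len(strings) // 2)
    return head + std + dsa + strings + security

if __name__ == "__main__":
    print(parse_std_objref(build_sample()))
```

Running it on a dump of the real stream shows which OXID and which network bindings the receiving side will try to resolve.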



Re: Application Compatibility for Windows Vista CoUnmarshalInterface fails with E_ACCESSDENIED across machines in different domains

Bruce N. Baker - MSFT

On Vista I would expect anonymous to fail.






Re: Application Compatibility for Windows Vista CoUnmarshalInterface fails with E_ACCESSDENIED across machines in different domains

Holger Grund

As I've said, I get the error on the receiving end on Vista. Would you care to elaborate on "I would expect anonymous to fail"?

The documentation clearly suggests that anonymous RPC should work just fine. And it does on the same machine. But even if there is a problem on the server, why should CoUnmarshalInterface fail without ever pinging the server machine?

-hg





Re: Application Compatibility for Windows Vista CoUnmarshalInterface fails with E_ACCESSDENIED across machines in different domains

Bruce N. Baker - MSFT

What documentation for Vista says anonymous RPC should work out of the box?

There are quite a few pieces of info related to security changes; here are just a few quick samples, starting with XP SP2 (the changes also apply to a Server 2003 service pack, I suspect).

XP SP2 changes

http://support.microsoft.com/kb/838191

Another note on the XP SP2 changes

http://msdn2.microsoft.com/en-us/library/ms932680.aspx

Note that this is interprocess communication only

http://msdn2.microsoft.com/en-us/library/ms686632.aspx

RPC data structures

http://msdn2.microsoft.com/en-us/library/aa378505.aspx

Here's a quote from another post:

"...anonymous RPC call to remote machine

From XP SP2, by default, the remote machine won't accept anonymous calls, so it is giving you an access denied error message (0x5 error code).

If you disable the RestrictRemoteClients key, the remote machine accepts anonymous calls.

http://msdn.microsoft.com/security/productinfo/XPSP2/networkprotection/restrict_remote_clients.aspx..."

That should get you started :-)






Re: Application Compatibility for Windows Vista CoUnmarshalInterface fails with E_ACCESSDENIED across machines in different domains

Holger Grund

Bruce N. Baker - MSFT wrote:

Here's a quote from another post:

"...anonymous RPC call to remote machine

From XP SP2, by default, the remote machine won't accept anonymous calls, so it is giving you an access denied error message (0x5 error code).

If you disable the RestrictRemoteClients key, the remote machine accepts anonymous calls.

http://msdn.microsoft.com/security/productinfo/XPSP2/networkprotection/restrict_remote_clients.aspx..."

That should get you started :-)

As I said in my first post, I had the setting already but apparently never rebooted after that. Now XP happily accepts the calls.

Thanks

-hg