4

I have a legacy DCOM server and client application, both written in Delphi v6. The DCOM server is currently configured to run once and service all clients. The main reason for it running once is that the server provides an interface to an accounts application and must log on, and can only do this once for a given user name.

Our customer now wants to upgrade their server to Windows Server 2008 R2 leaving the clients on Windows XP but I have been unable to replicate the current set-up.

The current set up that I can get to work on a test rig is slightly odd!

  1. I have to configure DCOM settings to allow remote launch or I get access denied on the client.
  2. If the DCOM server is not already running, when the client tries to connect to it I get server execution failed.
  3. If the server is running and the launch permission is set to allow remote launch, the client starts a new instance of the DCOM server rather than using the instance already started. This then causes problems in the accounts application as the same user tries to log on, which is not allowed.
  4. If I close the DCOM server running on the server, the client happily works away with its own instance. I cannot see the DCOM server's main form though, as it's running in the background (can see it in Task Manager).

I've found various articles to do with this problem but nothing so far has worked. These include running the DCOM server as administrator, not running the DCOM server as administrator, allowing COM+ in the firewall, adding the DCOM server to the firewall, the DCOM server located in SysWOW64, using the 32 bit version of DCOMCNFG, etc.

Now not sure where to go...

Thanks for any help

Simon

Warren P
Simon Bowyer
  • Do you have terminal services installed on this system? That complicates things a lot. – Warren P May 03 '12 at 01:13
  • Hi Warren, Terminal services is not installed on this server. – Simon Bowyer May 03 '12 at 07:44
  • I had activation+security problems exactly like this, in Windows Server 2003. The problems became intractable (unfixable) only when Terminal Services was added upon it. From the incident was born my deep loathing of DCOM, MSMQ, and in fact, all Enterprise Microsoft technologies. Such loathing persists to this day, despite me being an "MCP certified" guy on Windows Server 2008 R2. I suggest you wander on over to the Microsoft forums/community/newsgroups and find a DCOM god over there. – Warren P May 03 '12 at 14:58

1 Answer

3

DCOM default permissions have changed in XP SP2 and 2003 SP1. You'll need to configure them properly to make your service run properly. Usually, unless you implement the DCOM server in a service (something Delphi doesn't allow due to limited DCOM support), the DCOM server is started when a user connects, and that's why you may need the "remote launch" permissions. Moreover a DCOM server may be started in the context of a given user, the interactive user (must be avoided for remote clients!), or the launching user. What mode are you using? If it is set to "launching user" it will always create a new instance. How was your server instanced before the new OS? How is its class factory implemented? See here for some interesting information about DCOM and Delphi implementations.

BTW:

  • Never run your DCOM server with Administrators privileges unless it really needs it. Otherwise you can create a security hole.
  • If a firewall is present, both the RPC endpoint port and the ports configured for DCOM must be opened to the calling clients.
  • Don't mess up system directories with your application. There's no need; if your app works only there you have a privileges misconfiguration, and you won't solve it properly by putting files where they don't belong.
Mad Hatter
  • "limited DCOM support"? A long long time ago I remember trying to find a way around this, and I got things fixed by calling CoInitializeSecurity (more here: http://yoy.be/item.asp?i282 ), but as I said, it's eons ago (i.e. 2006) – Stijn Sanders May 03 '12 at 12:19
  • DCOM support is "limited" because it is mostly written for NT/W9x APIs and doesn't support DCOM services (without third-party libraries), and many DCOM improvements added since NT aren't available in Delphi's out-of-the-box support. More or less, since D4 very little was added. – Mad Hatter May 03 '12 at 14:33
  • These seem very general points, nevertheless +1. Do you think that the activation problems are in fact, DCOM's security oriented problems (DCOM config changes needed) or something else (perhaps domain or computer security role problems, or other weird registry or group profile hackery required?). – Warren P May 03 '12 at 15:00
  • Those are general points because without looking at the OP's configuration and implementation there's little to diagnose the problem. When MS made default DCOM settings stricter, it broke a lot of sloppily configured DCOM applications. It made it even worse by removing DCOM documentation from MSDN. Most of the issues I see when deploying DCOM applications are usually due to wrong configuration settings. – Mad Hatter May 04 '12 at 06:56
  • I have configured the server in a similar way to that suggested in the book Delphi COM Programming (Eric Harmon). My configuration that I have now is: A user group to control access; Ran the DCOM server with the /INSTALL switch; I ran mmc -32 and added the snap in for component services; I enabled DCOM; For my DCOM server and the new user group, I set launch permissions to Remote Launch, local activation and remote activation; I set access permission to local and remote access; Under identity I selected This User and currently am trying with the administrator user name and password – Simon Bowyer May 04 '12 at 08:38
  • You should install the DCOM server with the /regserver switch. /install is for services, but Delphi won't generate a proper DCOM service without modifications. In DCOMCnfg, also check what "limits" are set. See here: http://technet.microsoft.com/en-us/library/cc738214%28v=ws.10%29.aspx. Beware of using a highly privileged user. If it works as Administrator only, it has some permission issues (i.e. writing to folders or registry keys which are privileged). – Mad Hatter May 04 '12 at 10:45
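
An added example, not part of the original thread or anyone's post: a read-only PowerShell check, run on the server, of the settings the answer and comments discuss (identity, launch/activation and access permissions, and the machine-wide "limits"). The AppID GUID is a placeholder and the function name `Show-ComAcl` is hypothetical.

```powershell
param(
    # Placeholder GUID (assumption): replace with the AppID of your DCOM server.
    [string]$AppId = '{00000000-0000-0000-0000-000000000000}'
)

# Decode a binary DCOM ACL (REG_BINARY security descriptor) into readable rights.
function Show-ComAcl([string]$Label, [byte[]]$Bytes, [hashtable]$Names) {
    if (-not $Bytes) { "${Label}: value not present (the default for this setting applies)"; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Show the account name when the SID resolves, otherwise the raw SID.
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $granted = @()
        foreach ($bit in ($Names.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $granted += $Names[$bit] }
        }
        if (-not $granted) { $granted = @('no specific local/remote bits (legacy COM_RIGHTS_EXECUTE only)') }
        '{0}: {1} {2} mask=0x{3:X} [{4}]' -f $Label, $ace.AceType, $who, $ace.AccessMask, ($granted -join ', ')
    }
}

# COM_RIGHTS_* bits: the same bit positions mean launch or access depending on the ACL.
$launchBits = @{ 2 = 'Local Launch'; 4 = 'Remote Launch'; 8 = 'Local Activation'; 16 = 'Remote Activation' }
$accessBits = @{ 2 = 'Local Access'; 4 = 'Remote Access' }

$app = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction Stop
$ole = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole'

# Identity: no RunAs value means "launching user", which the answer ties to
# a new server instance being created for the client.
if (-not $app.RunAs) {
    'Identity: launching user (no RunAs value)'
} elseif ($app.RunAs -eq 'Interactive User') {
    'Identity: interactive user (the answer says to avoid this for remote clients)'
} else {
    "Identity: this user -> $($app.RunAs) (check that it is not a member of Administrators)"
}

Show-ComAcl 'Launch/activation permission' $app.LaunchPermission $launchBits
Show-ComAcl 'Access permission'            $app.AccessPermission $accessBits
# Machine-wide limits cap whatever the per-application ACLs grant.
Show-ComAcl 'Machine launch limits'        $ole.MachineLaunchRestriction $launchBits
Show-ComAcl 'Machine access limits'        $ole.MachineAccessRestriction $accessBits
```

A remote client needs the relevant remote bits in both the per-application ACL and the corresponding machine limit; a grant in one that is missing from the other still ends in access denied.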