c++ - Calling QueryInterface with custom identity -


issue:

i call cosetproxyblanket on proxy (if that's right term it) , call queryinterface on same proxy, receive result of 0x80070005 ("access denied"). however, if first call coinitializesecurity (which trying avoid) same credentials call succeeds.

question:

how can interface need without having call coinitializesecurity? understand, process can call method once not compatible making dll , can substituted calls cosetproxyblanket.

details:

i experimenting building own opc client can communicate computers running on different domains without matching user accounts.

first, create identity structure domain, username, , password valid on server:

coauthinfo      authinfo; coauthidentity  authidentity;  authidentity.domain             = (unsigned short *) w_domain; authidentity.domainlength       = wcslen( w_domain); authidentity.flags              = sec_winnt_auth_identity_unicode; authidentity.password           = (unsigned short *) w_password; authidentity.passwordlength     = wcslen(w_password); authidentity.user               = (unsigned short *) w_username; authidentity.userlength         = wcslen(w_username);  authinfo.dwauthnlevel           = rpc_c_authn_level_call; authinfo.dwauthnsvc             = rpc_c_authn_winnt; authinfo.dwauthzsvc             = rpc_c_authz_none; authinfo.dwcapabilities         = eoac_none; authinfo.dwimpersonationlevel   = rpc_c_imp_level_impersonate; authinfo.pauthidentitydata      = &authidentity; authinfo.pwszserverprincname    = null;  serverinfo.pauthinfo = &authinfo;

then able call cocreateinstanceex server info obtain handle (m_iopcserver) opc server (iid_iopcserver).

after obtain handle, i've found necessary once again set more permissions (see how impersonation in dcom work?) call:

hr = cosetproxyblanket(m_iopcserver, rpc_c_authn_winnt, rpc_c_authz_none,           null, rpc_c_authn_level_call, rpc_c_imp_level_impersonate,           &authidentity, eoac_none);

after able obtain handle opc item group:

hr = m_iopcserver->addgroup(l"", false, requptrate, clienthandle,           null, null, lcid, &m_hservergroup, &reviseduptrate,           iid_iopcitemmgt,(lpunknown*)&m_iopcitemmgt);

however, when try use code:

hr = m_iopcitemmgt->queryinterface(iid_iopcsyncio, (void**)&m_iopcsyncio);

the result 0x80070005 ("access denied"). case if call cosetproxyblanket on m_iopcitemmgt. if first call coinitializesecurity, call succeeds.

i believe issue related how impersonation in dcom work? in queryinterface function form of object creation doesn't use same security other method calls addgroup. in microsoft reference queryinterface, under notes implementer, makes sound queryinterface shouldn't checking acls , under return values, access denied not mentioned possibility. don't think issue implementation specific though because have tried code on known commercial opc servers (e.g. matrikon simulation server) opensource lightopc doesn't implement security.

i guessing need find way replicate command 

hr = m_iopcitemmgt->queryinterface(iid_iopcsyncio, (void**)&m_iopcsyncio);

but while supplying authidentity. possible? can done cocreateinstanceex or cogetclassobject or other com call?

without going detail: coinitializesecurity invoked @ least once per process. can done implicitly or explicitly. if code doesn't make explicit call, dcom runtime parameters populated registry. can try tweak appropriate registry values force dcom using values similar used in explicit call. registry key holds values "hkey_local_machine\software\classes\appid{appid_guid}" key described here:https://msdn.microsoft.com/en-us/library/windows/desktop/ms693736(v=vs.85).aspx


-

Comments

Post a Comment

Popular posts from this blog

javascript - Thinglink image not visible until browser resize -

Image
i trying repurpose pre-existing theme, includes drop down menu displays image. trying embed thinglink drop down menu's content section, not visible until resize browser window. here menu looks like: then when clicked, can see empty space image should show: then when browser resized, image appears: this code content of menu: <div class="ajax_accordion_content" style="display: none;"> <div class="report-detail"> <table border="0" cellpadding="0" cellspacing="0" width="100%" class="table_basic"> <tbody> <!-- thinglink image embedded --> <img style="max-width: 100%;" src="http://cdn.thinglink.me/api/image/832705713204625409/1024/10/scaletowidth#tl-832705713204625409;1043138249'" class="alwaysthinglink"/> <script async charset="utf-8" src="http://cdn.thinglink.me/jse/embed.j
Read more

firebird - Error "invalid transaction handle (expecting explicit transaction start)" executing script from Delphi -

i'm developing update app delphi 10. i'm running windows 7 64x, firebird 2.5.1.26351 32x. execution order: checks current version(select statement firebird database) downloads update(via ftp) apply it(.exe files, , execute .sql) error code -901 pops out when try execute .sql files. know there incompatibility issue w7 64x , fdb 32x, but, can everything: backup , restore(gbak), db commands(all). tried fdb 64x instead, , not working. code: //components fdwaitcursor: tfdguixwaitcursor; fddriverlink: tfdphysfbdriverlink; fdconnection:tfdconnection; fdscript: tfdscript; function tthr_script.createcomponents:boolean; begin try fddriverlink := tfdphysfbdriverlink.create(fddriverlink); fdwaitcursor := tfdguixwaitcursor.create(fdwaitcursor); fdconnection := tfdconnection.create(fdconnection); fdconnection begin drivername := 'fb'; params.username := thrbanco.bduser; params.password := thrbanco.bdpass; params.database :=
Read more

mongodb - How to keep track of users making Stripe Payments -

i'm trying figure out way mean stack application keep track of users have paid grant them access portion of webpage. i've considered several options: stripe customer id, mongodb record, , html attribute can update. my mean stack keeps track of users jwt, , appears stripe assigns them own customer id isn't ideal. can done jwt opposed forced cutomer id? mongodb record. i'm thinking might best option. when new user has been created, i'll give attribute of haspaid = no. update record of customer when payment submitted. guess run script set unpaid each day? html element/attribute. don't know if possible; cool create key carried during html session after payment received. if person closers browser session closed? i'm looking guidance on 3 options determine if they're best solution. also, if has suggestions alternatives, i'm ears! thanks in advance. speaking generally, common approach second one: use attribute in data model indicates
Read more