Microsoft KB Archive/184702

= FIX: MTS Impersonation Returns Incorrect Caller When Using RDS =

Article ID: 184702

Article Last Modified on 9/23/2003

-

APPLIES TO


 * Microsoft Remote Data Services 2.1
 * Microsoft Remote Data Services 1.5
 * Remote Data Service for ADO 2.0

-



This article was previously published under Q184702



SYMPTOMS
When using Remote Data Service (RDS) to call a local or remote COM server, the server only recognizes the first caller into the object. If subsequent calls are made to the object by different clients, the server still impersonates them as the initial caller. This behavior has some far-reaching side effects that can cause serious security problems. For example, it renders the Microsoft Transaction Server (MTS) role-based security model unusable with RDS. It also causes the MTS ISecurityProperty interfaces to return incorrect information.

The Windows NT 4.0 Service Pack 4 (SP4) changes the behavior slightly. When the service pack is installed on a computer, the caller will be seen as the process identity if the MTS package is set to run as a server process on the same computer as the Internet Information Server (IIS). In most cases the identity will be that of the system account (NT_AUTHORITY\SYSTEM).



CAUSE
This is a limitation of COM on the current Windows platforms. COM does not support clients, such as IIS, that impersonate many different users. The problem is that, for performance reasons, COM caches remote procedure call (RPC) connections. In doing so, it also caches the authentication information that was used to open each connection. This caching causes COM security to incorrectly report identities if the client impersonates many different users.

The behavior in Windows NT 4.0 was to simply show the identity of the first caller for the duration of the connection. Because a connection times out after two minutes of inactivity, the identity seen at the server can appear somewhat random: whichever user happened to make the first call after the previous connection expired.

To partially correct this in SP4, the COM behavior was changed to always report the process identity for local calls. Remote calls behave the same as before. While far from optimal, it at least allows the server to reliably obtain some client identity.
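The cache behaviour described above, as an added model that is not code from this article: a small Python simulation of COM's per-server RPC connection cache, replaying the User A / User B scenario before and after SP4. The server name, user names, and the two-minute timeout constant are constructed from the article's description.

```python
import time

IDLE_TIMEOUT_SECS = 120  # the article: a connection times out after two minutes idle
PROCESS_IDENTITY = "NT AUTHORITY\\SYSTEM"  # identity of the server process (per the article)


class ComConnectionCache:
    """Toy model of COM's RPC connection cache: one cached connection per
    target server, carrying the credentials of the call that opened it.
    A client that impersonates many users (IIS under RDS) therefore keeps
    presenting the first caller's identity until the connection idles out."""

    def __init__(self, sp4=False, clock=time.monotonic):
        self.sp4 = sp4          # True models the Windows NT 4.0 SP4 change
        self.clock = clock      # injectable clock so the timeout can be simulated
        self.connections = {}   # server -> (cached identity, last-used timestamp)

    def call(self, server, impersonated_user, local):
        """Return the caller identity the server-side component would see."""
        if self.sp4 and local:
            # SP4: local calls always report the process identity, never the caller
            return PROCESS_IDENTITY
        now = self.clock()
        cached = self.connections.get(server)
        if cached is None or now - cached[1] > IDLE_TIMEOUT_SECS:
            # No live connection: open one with the current caller's credentials
            cached = (impersonated_user, now)
        # An existing connection keeps its cached identity; only the timestamp advances
        self.connections[server] = (cached[0], now)
        return cached[0]


def reproduce(sp4, local):
    """Replay the article's scenario: User A calls, User B calls shortly after,
    then User B calls again once the connection has idled out."""
    t = [0.0]
    cache = ComConnectionCache(sp4=sp4, clock=lambda: t[0])
    seen_by_a = cache.call("IISServerName", "DOMAIN\\UserA", local)
    t[0] += 10
    seen_by_b = cache.call("IISServerName", "DOMAIN\\UserB", local)
    t[0] += IDLE_TIMEOUT_SECS + 1          # let the cached connection expire
    seen_by_b_later = cache.call("IISServerName", "DOMAIN\\UserB", local)
    return seen_by_a, seen_by_b, seen_by_b_later


if __name__ == "__main__":
    for sp4, local in ((False, True), (True, True), (True, False)):
        print(f"sp4={sp4} local={local}:", reproduce(sp4, local))
```

Before SP4 (and for remote calls after SP4) User B is reported as User A until the connection expires; after SP4 a local call reports the process identity for everyone.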



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

This bug has been fixed in Microsoft Data Access Components 2.1 Service Pack 2 and later.

You can download the latest version of the Microsoft Data Access Components from the following site:

http://msdn.microsoft.com/library/default.asp?url=/downloads/list/dataaccess.asp

It is recommended that you download and install the latest version of MDAC to resolve this issue. However, a hotfix is available for RDS 2.1 calling MTS 2.0 components. Please contact Microsoft Product Support for more information on this hotfix.



Steps to Reproduce Behavior
 1. Open Visual Basic and select the project type to be an ActiveX DLL. Set a reference to Microsoft Transaction Server Type Library (mtxas.dll). Note: MTS and the Microsoft Transaction Server Type Library will work only on Windows versions NT 4.0 and earlier. For Windows 2000 and later, see COM+ (Component Services).

 2. Create a class in the project with the following code:

        Public Function WhoAmI() As String
            On Error GoTo handler
            ' Ask MTS which identity made this call
            WhoAmI = GetObjectContext.Security.GetDirectCallerName
            Exit Function
        handler:
            WhoAmI = "Error"
        End Function

 3. From the Project menu, select Properties. In the Project Properties dialog box, change the project name to WhoCalled.

 4. Change the class name to clsWho.

 5. Compile and save this component.

 6. Place the component into an MTS package on your server computer:

    a. To add the component to Microsoft Transaction Server (MTS), open the MTS Management Console.
    b. Expand Microsoft Transaction Server and then My Computer.
    c. Select Packages Installed, then right-click and select New and Package.
    d. Click Create an Empty Package.
    e. Enter MTSRDS for the package name and click Next.
    f. Click Finish on the following page, accepting the page defaults. You now have an MTS package named MTSRDS.
    g. To add the component to the MTSRDS package, expand the MTSRDS package and select Components. Right-click and select New and Component.
    h. Click Install New Component, and then select Add File. Locate Whocalled.dll, select it, and click Open and then Finish.

 7. Add the Visual Basic business object to the RDS ADCLaunch key. Add Whocalled.clsWho to the following Registry key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch

 8. Create a Standard EXE client application in Visual Basic using the following code. (Place one command button and one label control on a form.)

        Dim myobj As Object

        Private Sub Command1_Click()
            Label1.Caption = myobj.WhoAmI
        End Sub

        Private Sub Form_Load()
            Dim ds As Object
            Set ds = CreateObject("RDS.DataSpace")
            ' Create a proxy to the MTS component through the RDS server on IIS
            Set myobj = ds.CreateObject("WhoCalled.clsWho", _
                                        "http://IISServerName")
        End Sub

    NOTE: Change IISServerName to your IIS server name.

 9. Go to your server computer. In Internet Information Server (IIS), right-click your default Web site and choose Properties.

10. Select the Directory Security tab and click Edit. Make sure that Windows NT Challenge/Response is the only option selected. Click OK until you are back in IIS.

11. Run the client as User A. Clicking the command button returns the user ID.

12. Have User B run the same client application.

RESULTS: User A gets their own ID back from the server as expected. User B incorrectly gets User A's ID.

Keywords: kbbug kbfix kbmdacnosweep KB184702

-


© Microsoft Corporation. All rights reserved.