Microsoft KB Archive/300567

= PRB: Warning from COM+ Components When Using Role-Based Security =

Article ID: 300567

Article Last Modified on 2/12/2007


APPLIES TO

* Microsoft Windows 2000 Standard Edition, when used with:
** Microsoft Windows 2000 Service Pack 1
** Microsoft Windows 2000 Service Pack 2




This article was previously published under Q300567



SYMPTOMS
If a configured COM+ object that uses role-based security at the Interface level passes out a reference to a non-configured Component Object Model (COM) object, you may get the following warning in the Application Event Log:

A method call to an object in a COM+ application was rejected because the caller is not properly authorized to make this call. The COM+ application is configured to use Application and Component level access checks, and enforcement of these checks is currently enabled.

The rest of this message provides information about the Component method that the caller tries to invoke, plus the identity of the caller.

Destination of the rejected call:

Application Id: {B7FE210F-1088-4BBD-B549-CF4D8E6675CF}

CLSID: {D4CC349B-063B-4256-9AE7-B14630C6B9A8}

IID: {0193088D-396D-4455-9573-33DCB872B2AE}

Method #: 7

Class: SecClient.SecCl1

Interface: (unknown)

Method: (unknown)

Caller Information:

Svc/Lvl/Imp = 10/6/1, Identity = NORTHAMERICA\useraccount
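
For triage, the warning text above can be parsed into fields and grouped by destination class and interface. The following Python sketch is an added example, not part of the original article; the second sample record (placeholder GUIDs, class and account) and the `unresolved_interface` flag are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed input: the event text quoted in this article, one made-up
# rejection with placeholder GUIDs and account, and one unrelated message.
SAMPLE_EVENTS = [
    r"""A method call to an object in a COM+ application was rejected (text shortened).
Destination of the rejected call:
Application Id: {B7FE210F-1088-4BBD-B549-CF4D8E6675CF}
CLSID: {D4CC349B-063B-4256-9AE7-B14630C6B9A8}
IID: {0193088D-396D-4455-9573-33DCB872B2AE}
Method #: 7
Class: SecClient.SecCl1
Interface: (unknown)
Method: (unknown)
Caller Information:
Svc/Lvl/Imp = 10/6/1, Identity = NORTHAMERICA\useraccount""",
    r"""Application Id: {00000000-0000-0000-0000-00000000000A}
CLSID: {00000000-0000-0000-0000-00000000000B}
IID: {00000000-0000-0000-0000-00000000000C}
Method #: 3
Class: Example.Configured
Interface: IExample
Method: DoWork
Svc/Lvl/Imp = 10/6/2, Identity = EXAMPLE\otheruser""",
    "The service entered the running state.",
]

FIELD_RE = re.compile(
    r"^\s*(Application Id|CLSID|IID|Method #|Class|Interface|Method):\s*(.*?)\s*$", re.M)
CALLER_RE = re.compile(r"Svc/Lvl/Imp\s*=\s*(\d+)/(\d+)/(\d+),\s*Identity\s*=\s*(.+?)\s*$", re.M)

def parse_rejection(text):
    """Return the fields of one rejection warning as a dict, or None if it is not one."""
    rec = dict(FIELD_RE.findall(text))
    caller = CALLER_RE.search(text)
    if "CLSID" not in rec or caller is None:
        return None
    rec["Svc"], rec["Lvl"], rec["Imp"] = (int(n) for n in caller.group(1, 2, 3))
    rec["Identity"] = caller.group(4)
    # Assumption: "Interface: (unknown)" beside a resolved Class, as in the
    # article's sample, marks a record worth checking against this article.
    rec["unresolved_interface"] = rec.get("Interface") == "(unknown)"
    return rec

def summarize(events):
    """Count rejections per (Class, IID, unresolved_interface)."""
    parsed = filter(None, map(parse_rejection, events))
    return Counter((r.get("Class"), r.get("IID"), r["unresolved_interface"]) for r in parsed)
```

Records that come back with `unresolved_interface` set are the ones to compare against the cause described below.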



CAUSE
The warning is generated when the client makes a method call on the interface (corresponding to a non-configured object) returned to it by the configured COM+ component.

This occurs because the non-configured COM object is created in the same context as the COM+ configured component. When the client makes a call to the non-configured COM object, the object context has no information about the destination interface and the security requirements of the destination interface. Because this is a non-configured component, the call is rejected.



RESOLUTION
You must not pass references to non-configured objects out of configured components. If you do, you can experience issues similar to the one discussed earlier.

To work around this problem, assign the Role at the Component level. Another suggestion is to make the non-configured component a configured one. You can then specifically apply or deny role-based security on it.


STATUS
This behavior is by design.


Steps to Reproduce the Behavior
<ol>
<li>Write two COM components that you name A and B. You can use either Microsoft Visual Basic or a C-language program.</li>
<li>Add a method to one COM component (A) that returns a reference to the other COM component (B).</li>
<li>Add a dummy method to B that puts some information in the Application Event Log to indicate that it has been called.</li>
<li>Add the first COM component (A) to a COM+ application and use the default settings.</li>
<li>Add a Role to the COM+ application that includes the Everyone group.</li>
<li>Assign that Role to the Interface.</li>
<li>Enable Security at the Application level and at the Component level.</li>
<li>Write a simple client that creates the COM+ component (A), calls its method to get the reference to the component (B), and then makes a call to the dummy method of B.</li>
<li>View the Application Log. You can see the earlier warning, and the client receives a "Permission Denied" error message.</li>
</ol>

Keywords: kbprb KB300567


© Microsoft Corporation. All rights reserved.