Microsoft KB Archive/911862

= Error message when you try to use a DCOM application on a Windows NT 4.0-based computer in a Windows Server 2003 environment: "Access denied" =

Article ID: 911862

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition


SYMPTOMS
When you try to use a DCOM application on a Microsoft Windows NT 4.0-based computer, a remote procedure call (RPC) returns the following error message:

Access denied

This problem occurs in the following scenarios.

Scenario 1

 * A Windows NT Server 4.0-based or Windows NT Workstation 4.0-based computer (computer A) resides in a Windows NT 4.0 resource domain (domain X).
 * A Windows NT Server 4.0-based computer (computer B) that is running DCOM applications resides in a Microsoft Windows Server 2003 domain (domain Y).
 * Domain X trusts domain Y.
 * Computer A calls methods on a DCOM application that is running on computer B. The DCOM application has packet-level integrity specified.

Note: This problem may also occur if the following conditions are true:
 * Computer B is running Microsoft Windows 2000 Server or a later version of Windows.
 * Computer A is running Windows NT 4.0.

However, this problem does not occur if computer A is running Windows 2000 Server or a later version of Windows.

Scenario 2

 * A Windows NT Server 4.0-based or Windows NT Workstation 4.0-based computer (computer A) resides in a Windows NT 4.0 resource domain (domain X).
 * A Windows NT Server 4.0-based computer (computer B) that is running DCOM applications resides in domain X.
 * A Windows Server 2003 domain (domain Y) trusts domain X, and domain X trusts domain Y.
 * You log on to computer A as a user of domain Y.
 * Computer A calls DCOM remote methods on computer B.



CAUSE
This problem occurs when the NoLMHash policy is enabled at the Domain Controllers level in the Windows Server 2003 domain. In this situation, the DCOM server cannot authenticate users.



RESOLUTION
To resolve this problem, use one of the following methods.

Method 1
Use a password that is at least 15 characters long when the NoLMHash policy is enabled in the Active Directory directory service. Make sure that this password cannot be disabled because of security considerations.

Method 2
Use Group Policy in Active Directory to enable storage of the LAN Manager hash (LMHash) of a user password. To do this, follow these steps:
 1) In the Domain Controllers Group Policy console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
 2) In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
 3) Click Disabled, and then click OK.
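To confirm which state the policy named in CAUSE and Method 2 is actually in, the following added example (not part of the Microsoft article) reads a security template, such as the output of secedit /export or a GPO's GptTmpl.inf, and reports the NoLMHash setting. The registry path and the "type,data" line format are assumptions about that template format and do not appear in the article; the sample template is constructed.

```python
# Registry value behind "Network security: Do not store LAN Manager hash
# value on next password change" (path is an assumption, not on the page).
NOLMHASH_KEY = r"machine\system\currentcontrolset\control\lsa\nolmhash"


def decode_template(raw: bytes) -> str:
    """Security templates are usually UTF-16 with a BOM; accept UTF-8 too."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def nolmhash_state(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'not configured' for the policy."""
    in_registry_values = False
    for line in decode_template(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("["):
            # Only the [Registry Values] section carries this setting.
            in_registry_values = line.lower() == "[registry values]"
            continue
        key, sep, value = line.partition("=")
        if not (in_registry_values and sep) or key.strip().lower() != NOLMHASH_KEY:
            continue
        # Value has the form "<registry type>,<data>"; 4 is REG_DWORD.
        reg_type, _, data = value.partition(",")
        if reg_type.strip() != "4":
            raise ValueError(f"unexpected registry type in: {line!r}")
        return "enabled" if int(data.strip().strip('"')) != 0 else "disabled"
    return "not configured"


# Constructed sample template, not taken from a real domain.
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    "[Registry Values]\r\n"
    "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")

if __name__ == "__main__":
    print("NoLMHash policy:", nolmhash_state(SAMPLE))
```

A result of "enabled" is the condition described under CAUSE; after Method 2 is applied, the same check should report "disabled".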

Keywords: kberrmsg kbtshoot kbprb KB911862


© Microsoft Corporation. All rights reserved.