none
secure rpc

    Question

  • I have rpc server and client working through SCHANNEL.
    And my client always raise exception Access denied.
    What's wrong with this code?
     

    Client

    RPC_STATUS lStatus;

    WCHAR* wStringBinding = NULL;

    lStatus = RpcStringBindingCompose( NULL,

    (RPC_WSTR) L"ncacn_ip_tcp",

    (RPC_WSTR) L"127.0.0.1",

    (RPC_WSTR) L"27000",

    NULL, (RPC_WSTR*) &wStringBinding );

     

    // Bind to server

    RPC_BINDING_HANDLE hBind;

    lStatus = RpcBindingFromStringBinding( (RPC_WSTR) wStringBinding, &hBind );

    RpcStringFree( (RPC_WSTR*) &wStringBinding );

     

    // Certificate store

    HCERTSTORE hCertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, (void*) L"My" );

    if ( hCertStore == NULL )

    {

    //return NULL;

    }

     

    // Certificate

    PCCERT_CONTEXT pCert = CertFindCertificateInStore( hCertStore,

    X509_ASN_ENCODING|PKCS_7_ASN_ENCODING,

    0, CERT_FIND_SUBJECT_STR, L"test", NULL );

    if ( pCert == NULL )

    {

    //return NULL;

    }

     

    // Schannel

    SCHANNEL_CRED sCred;

    ZeroMemory( &sCred, sizeof(SCHANNEL_CRED) );

    sCred.dwVersion = SCHANNEL_CRED_VERSION;

    sCred.cCreds = 1;

    sCred.paCred = &pCert;

     

    WCHAR* wPrnName = NULL;

    RpcMgmtInqServerPrincName( hBind, RPC_C_AUTHN_GSS_SCHANNEL, (RPC_WSTR*) &wPrnName );

     

    lStatus = RpcBindingSetAuthInfo(

    hBind, (RPC_WSTR) wPrnName,

    RPC_C_AUTHN_LEVEL_PKT_PRIVACY,

    RPC_C_AUTHN_GSS_SCHANNEL,

    (RPC_AUTH_IDENTITY_HANDLE) &sCred,

    RPC_C_AUTHZ_NAME );

     

    // Check server status

    lStatus = RpcMgmtIsServerListening( hBind );

     

    RpcTryExcept

    RpcPrint( hBind, L"testing..." );

    RpcExcept(1)

    printf( "Error." );

    RpcEndExcept

     

    // End connection

    RpcBindingFree( &hBind );

     

    Server

    RPC_STATUS lStatus;

     

    // Select protocol and endpoint

    lStatus = RpcServerUseProtseqEp(

    (RPC_WSTR) L"ncacn_ip_tcp",

    RPC_C_PROTSEQ_MAX_REQS_DEFAULT,

    (RPC_WSTR) L"27000", NULL );

    if ( lStatus != NO_ERROR )

    {

    return lStatus;

    }

     

    // Register security interface

    lStatus = RpcServerRegisterIfEx( ITest_v1_0_s_ifspec, NULL, NULL, 0, RPC_C_LISTEN_MAX_CALLS_DEFAULT, (RPC_IF_CALLBACK_FN*) RpcCheckSecurity );

    if ( lStatus != NO_ERROR )

    {

    return lStatus;

    }

     

    // Certificate store

    HCERTSTORE hCertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, (void*) L"My" );

    if ( hCertStore == NULL )

    {

    return NULL;

    }

     

    // Certificate

    PCCERT_CONTEXT pCert = CertFindCertificateInStore( hCertStore,

    X509_ASN_ENCODING|PKCS_7_ASN_ENCODING,

    0, CERT_FIND_SUBJECT_STR, L"test", NULL );

    if ( pCert == NULL )

    {

    return NULL;

    }

     

    WCHAR* wPrnName = NULL;

    lStatus = RpcCertGeneratePrincipalName( pCert, RPC_C_FULL_CERT_CHAIN, (RPC_WSTR*) &wPrnName );

     

    // Schannel

    SCHANNEL_CRED sCred;

    ZeroMemory( &sCred, sizeof(SCHANNEL_CRED) );

    sCred.dwVersion = SCHANNEL_CRED_VERSION;

    sCred.cCreds = 1;

    sCred.paCred = &pCert;

     

    // Security

    lStatus = RpcServerRegisterAuthInfo( (RPC_WSTR) wPrnName, RPC_C_AUTHN_GSS_SCHANNEL, NULL, &sCred );

    if ( lStatus != NO_ERROR )

    {

    return lStatus;

    }

     

    // Start rpc server

    lStatus = RpcServerListen( 1, RPC_C_PROTSEQ_MAX_REQS_DEFAULT, FALSE );

    if ( lStatus != NO_ERROR )

    {

    return lStatus;

    }

     

     

    Monday, October 29, 2007 8:17 AM

All replies

  • up
    Wednesday, October 31, 2007 7:49 AM
  • i've same problem in past and i didn't recieve any understandable answers from ms guys...

    ps: is every one who has a solution how to work through SCHANNEL
    Wednesday, October 31, 2007 10:43 AM
  • I found the problem!

    When you use security callback in
    RpcServerRegisterIf2 or RpcServerRegisterIfEx
    flag RPC_IF_ALLOW_SECURE_ONLY set up automatically...

    This flag DOESN'T WORK with Schannel security.

    You can use callback with RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag.
    Then in callback you can check level of authentication and authentication service.
    Friday, December 28, 2007 1:13 PM