secure rpc
Monday, October 29, 2007 8:17 AM I have an RPC server and client working through SCHANNEL.
My client always raises the exception "Access denied". What's wrong with this code?
Client
RPC_STATUS lStatus;
WCHAR* wStringBinding = NULL;
// Compose a string binding for ncacn_ip_tcp to 127.0.0.1:27000.
// NOTE(review): lStatus is assigned here and in the calls below but never checked,
// so hBind is used even if binding or auth setup failed.
lStatus = RpcStringBindingCompose( NULL,
(RPC_WSTR) L"ncacn_ip_tcp",
(RPC_WSTR) L"127.0.0.1",
(RPC_WSTR) L"27000",
NULL, (RPC_WSTR*) &wStringBinding );
// Bind to server
RPC_BINDING_HANDLE hBind;
lStatus = RpcBindingFromStringBinding( (RPC_WSTR) wStringBinding, &hBind );
RpcStringFree( (RPC_WSTR*) &wStringBinding );
// Certificate store: the current user's "My" store, where the client certificate is looked up.
HCERTSTORE hCertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, (void*) L"My" );
if ( hCertStore == NULL )
{
// NOTE(review): the early return is commented out, so a NULL store handle is passed
// straight on to CertFindCertificateInStore below.
//return NULL;
}
// Certificate: first certificate whose subject string matches "test".
PCCERT_CONTEXT pCert = CertFindCertificateInStore( hCertStore,
X509_ASN_ENCODING|PKCS_7_ASN_ENCODING,
0, CERT_FIND_SUBJECT_STR, L"test", NULL );
if ( pCert == NULL )
{
// NOTE(review): also disabled; with pCert == NULL, sCred.paCred below points at a NULL context.
//return NULL;
}
// Schannel credential: exactly one certificate, handed to RPC as the auth identity.
SCHANNEL_CRED sCred;
ZeroMemory( &sCred, sizeof(SCHANNEL_CRED) );
sCred.dwVersion = SCHANNEL_CRED_VERSION;
sCred.cCreds = 1;
sCred.paCred = &pCert; // points at the local pCert; it must stay valid for as long as hBind is used
WCHAR* wPrnName = NULL;
// Ask the server for its Schannel principal name. The return value is ignored, so on failure
// wPrnName stays NULL and that NULL is what RpcBindingSetAuthInfo receives as the server principal.
RpcMgmtInqServerPrincName( hBind, RPC_C_AUTHN_GSS_SCHANNEL, (RPC_WSTR*) &wPrnName );
// Require packet privacy (integrity + encryption) over Schannel; authorization by principal name.
lStatus = RpcBindingSetAuthInfo(
hBind, (RPC_WSTR) wPrnName,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
RPC_C_AUTHN_GSS_SCHANNEL,
(RPC_AUTH_IDENTITY_HANDLE) &sCred,
RPC_C_AUTHZ_NAME );
// Check server status (lStatus is not examined afterwards)
lStatus = RpcMgmtIsServerListening( hBind );
RpcTryExcept
RpcPrint( hBind, L"testing..." );
RpcExcept(1)
// RpcExcept(1) handles every RPC exception, including the "Access denied" reported in the post;
// only a fixed string is printed, so the actual status (RpcExceptionCode()) is lost.
printf( "Error." );
RpcEndExcept
// End connection
// NOTE(review): in this fragment pCert, hCertStore and wPrnName are never released
// (no CertFreeCertificateContext / CertCloseStore, and no RpcStringFree for wPrnName).
RpcBindingFree( &hBind );
Server
RPC_STATUS lStatus;
// Select protocol and endpoint: listen on ncacn_ip_tcp port 27000.
lStatus = RpcServerUseProtseqEp((
RPC_WSTR) L"ncacn_ip_tcp", RPC_C_PROTSEQ_MAX_REQS_DEFAULT,(
RPC_WSTR) L"27000", NULL ); if ( lStatus != NO_ERROR ){
return lStatus;}
// Register security interface with RpcCheckSecurity as the per-call security callback (flags = 0).
// NOTE(review): per the reply further down this thread, registering a security callback
// implicitly applies RPC_IF_ALLOW_SECURE_ONLY, which the reply states does not work with
// Schannel. The suggested fix is to pass RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH in the flags
// argument and have RpcCheckSecurity itself reject any call whose authentication level or
// authentication service is not the one required.
lStatus = RpcServerRegisterIfEx( ITest_v1_0_s_ifspec, NULL, NULL, 0, RPC_C_LISTEN_MAX_CALLS_DEFAULT, (RPC_IF_CALLBACK_FN*) RpcCheckSecurity ); if ( lStatus != NO_ERROR ){
return lStatus;}
// Certificate store: the current user's "My" store.
// NOTE(review): `return NULL` evaluates to 0, which a caller comparing against NO_ERROR reads
// as success; an RPC_STATUS error code is presumably intended here and on the pCert check below.
HCERTSTORE hCertStore = CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, (void*) L"My" ); if ( hCertStore == NULL ){
return NULL;}
// Certificate: first certificate whose subject string matches "test".
PCCERT_CONTEXT pCert = CertFindCertificateInStore( hCertStore, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING,0,
CERT_FIND_SUBJECT_STR, L"test", NULL ); if ( pCert == NULL ){
return NULL;}
// Derive the server principal name from the full certificate chain.
// NOTE(review): this lStatus is overwritten by the next assignment without being checked.
WCHAR* wPrnName = NULL; lStatus = RpcCertGeneratePrincipalName( pCert, RPC_C_FULL_CERT_CHAIN, (RPC_WSTR*) &wPrnName );// Schannel credential: exactly one certificate
SCHANNEL_CRED sCred; ZeroMemory( &sCred, sizeof(SCHANNEL_CRED) ); sCred.dwVersion = SCHANNEL_CRED_VERSION; sCred.cCreds = 1; sCred.paCred = &pCert;// Security: register the Schannel credential under the generated principal name; no GetKeyFn (NULL), &sCred passed as Arg
lStatus = RpcServerRegisterAuthInfo( (RPC_WSTR) wPrnName, RPC_C_AUTHN_GSS_SCHANNEL, NULL, &sCred ); if ( lStatus != NO_ERROR ){
return lStatus;}
// Start rpc server; DontWait = FALSE, so this call blocks until listening stops.
// NOTE(review): sCred and pCert live on this function's stack and are referenced by the
// registered auth info; hCertStore and pCert are not released anywhere in this fragment.
lStatus = RpcServerListen( 1, RPC_C_PROTSEQ_MAX_REQS_DEFAULT, FALSE ); if ( lStatus != NO_ERROR ){
return lStatus;}
All Replies
Wednesday, October 31, 2007 7:49 AM up
Wednesday, October 31, 2007 10:43 AM I've had the same problem in the past and I didn't receive any understandable answers from the MS guys...
PS: is there anyone who has a solution for how to make this work through SCHANNEL?
Friday, December 28, 2007 1:13 PM I found the problem!
When you use a security callback in
RpcServerRegisterIf2 or RpcServerRegisterIfEx,
the flag RPC_IF_ALLOW_SECURE_ONLY is set automatically...
This flag DOESN'T WORK with Schannel security.
You can use the callback with the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag instead.
Then, in the callback, you check the authentication level and authentication service yourself, since with that flag RPC no longer rejects unauthenticated calls for you.


