W7 Microsoft.Interop.Security.AzRoles COMException when run on network path 0x800704C9

  • Question

  • Hello everybody,

    my configuration:

    Windows 7 Pro 64, .NET 2.0, 3.0, 3.5 SP1, 4.0 installed.

    AzRoles.dll : 6.1.7600.16385

    Microsoft.Interop.Security.AzRoles: 2.0.0.0

    My issue is that connecting to an msldap azman store fails when my application is run from a network path. If I run it locally it works and if I use an XML azman store then it also works (both locally and on/from the network). Traditionally we have configured CASPOL to allow our applications to run off the network and when we use XP everything behaves itself (our users are still on XP).

    The code I wrote to exhibit the issue is below. It's taken almost verbatim from the Enterprise Library 5's security block (AzMan). I've tried compiling it against .NET 4.0, 3.5, and 2.0 and all fail with the same issue. Software Restriction Policy is empty on my workstation. Is there another security setting that I have missed?

    The output of the code below, run from a local drive:

    Store created
    Store Initializing msldap://CN=AzManStore,CN=Program Data,DC=whatever,DC=com
    Store Initialized
    Store OpenApplication MyApplication
    Hit a key to exit.

    The output of the code below, run from a network mapped drive:

    Store created
    Store Initializing msldap://CN=AzManStore,CN=Program Data,DC=whatever,DC=com
    The remote computer refused the network connection. (Exception from HRESULT: 0x800704C9)
    System.Runtime.InteropServices.COMException
       at Microsoft.Interop.Security.AzRoles.AzAuthorizationStoreClass.Initialize(Int32 lFlags, String bstrPolicyURL, Object varReserved)
       at AzRolesBroken.Program.AuthorisationTest.GetClientContext(WindowsIdentity identity, String applicationName, IAzApplication& azApp) in D:\Random\AzRolesBroken\AzRolesBroken\Program.cs:line 56
       at AzRolesBroken.Program.Main(String[] args) in D:\Random\AzRolesBroken\AzRolesBroken\Program.cs:line 25
    Hit a key to exit.

    Here's the code. To compile it you'll have to add an assembly reference to Microsoft.Interop.Security.AzRoles.dll and set Embed Interop Types to false:

    using System;
    using System.Security;
    using System.Security.Principal;
    using System.Threading;
    using Microsoft.Interop.Security.AzRoles;

    // Assembly-level security attributes (the original post lost the "assembly:" target on extraction)
    [assembly: AllowPartiallyTrustedCallers]
    [assembly: SecurityTransparent]
    [assembly: SecurityRules(SecurityRuleSet.Level1)]

    namespace AzRolesBroken
    {
        class Program
        {

            static void Main(string[] args)
            {
                try
                {
                    AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal);
                    
                    // @"msxml://X:\dev\DotNet4_SecurityTest\Test.xml" works fine, where X: is a mapped drive
                    AuthorisationTest authTest = new AuthorisationTest(@"msldap://CN=AzManStore,CN=Program Data,DC=whatever,DC=com");
                    IAzApplication azApp;
                IAzClientContext ctxt = authTest.GetClientContext((WindowsIdentity)Thread.CurrentPrincipal.Identity, "MyApplication", out azApp);
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.Message ?? "(none)");
                    Console.WriteLine(ex.GetType());
                    Console.WriteLine(ex.StackTrace);
                }
                Console.WriteLine("Hit a key to exit.");
                Console.ReadKey();
            }

            class AuthorisationTest
            {
                private string storeLocation;
                public AuthorisationTest(string storeLocation)
                {
                    this.storeLocation = storeLocation;
                }

                private static object contextLock = new object();
                /// <devdoc>
                /// Gets the client context for the call based on the identity, system and parameters.
                /// </devdoc>
                public IAzClientContext GetClientContext(WindowsIdentity identity, String applicationName, out IAzApplication azApp)
                {
                    lock (contextLock)
                    {
                        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
                        Console.WriteLine("Store created");
                        Console.WriteLine(string.Format("Store Initializing {0}", this.storeLocation));
                        store.Initialize(0, this.storeLocation, null);
                        Console.WriteLine("Store Initialized");
                        azApp = store.OpenApplication(applicationName, null);
                        Console.WriteLine(string.Format("Store OpenApplication {0}", applicationName));
                    }

                    ulong tokenHandle = (ulong)identity.Token.ToInt64();
                    IAzClientContext clientCtx = azApp.InitializeClientContextFromToken(tokenHandle, null);
                    return clientCtx;
                }
            }
        }
    }

    Any help would be very much appreciated. If you need more environmental information or other tests run then please let me know.

    Many thanks,

    Tim.

    • Edited by refractor Monday, February 14, 2011 2:36 PM SecurityException -> COMException
    Wednesday, February 9, 2011 9:11 AM

Answers

  • This isn’t code access security – the fact that you get the same failure in .NET4 confirms that. There is no CAS policy for console applications running in the native host so you’re running full trust. You’re also not getting a System.Security exception. This sounds like a COM error from AzRoles.dll

    Do you get the error running under an elevated command prompt?

    This is a question that could best be handled in the Enterprise Library forums.

    Your question falls into the paid support category which requires a more in-depth level of support. Please visit the below link to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone


    bill boyce
    • Marked as answer by eryang Thursday, February 24, 2011 10:08 AM
    Monday, February 14, 2011 12:43 PM
    Moderator
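To separate the two failure classes the thread discusses (a CAS SecurityException versus a COMException coming out of AzRoles.dll) and to decode the HRESULT in the question, here is an added diagnostic helper. It is not code from the original post or from Enterprise Library; the class name, the constructed COMException and the network-location check are my assumptions for illustration.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security;

// Added example (hypothetical helper, not part of the original post).
static class AzManDiagnostics
{
    const int FacilityWin32 = 7; // FACILITY_WIN32: HRESULT wraps a Win32 error code

    // One-line diagnosis for an exception caught around store.Initialize().
    public static string Describe(Exception ex)
    {
        var sec = ex as SecurityException;
        if (sec != null)
            return "CAS denial: " + sec.PermissionType + " (" + sec.Message + ")";

        var com = ex as COMException;
        if (com != null)
        {
            int hr = com.ErrorCode;
            int facility = (hr >> 16) & 0x1FFF; // bits 16-28 hold the facility
            int code = hr & 0xFFFF;             // low 16 bits hold the error code
            if (facility == FacilityWin32)
                return string.Format("COM error wrapping Win32 error {0}: {1}",
                                     code, new Win32Exception(code).Message);
            return string.Format("COM error 0x{0:X8} (facility {1})", hr, facility);
        }
        return ex.GetType().FullName + ": " + ex.Message;
    }

    // True when the entry assembly was loaded from a UNC path or a mapped network drive,
    // the condition under which the thread reports the msldap store failing.
    public static bool RunningFromNetwork()
    {
        string path = Assembly.GetEntryAssembly().Location;
        if (path.StartsWith(@"\\")) return true;                 // UNC path
        var drive = new DriveInfo(Path.GetPathRoot(path));       // e.g. "X:\"
        return drive.DriveType == DriveType.Network;             // mapped drive
    }

    static void Main()
    {
        // Constructed exception carrying the HRESULT quoted in the question;
        // 0x800704C9 decodes to Win32 error 1225 (ERROR_CONNECTION_REFUSED).
        var sample = new COMException("constructed sample", unchecked((int)0x800704C9));
        Console.WriteLine(Describe(sample));
        Console.WriteLine("Running from network: " + RunningFromNetwork());
    }
}
```

Wrapping the call to store.Initialize() in a catch that logs Describe(ex) and RunningFromNetwork() gives a record that distinguishes a trust denial from a refused LDAP connection without guesswork.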

All replies

  • Hi Tim,

    We are doing research on this issue, it may take some time to feed back to you.

    Thanks for your understanding.


    Cookie Luo[MSFT]

    Thursday, February 10, 2011 9:52 AM
  • Hello Bill.

    Sorry, yes, I was getting a SecurityException on something else that I was doing and maybe got confused.

    It is indeed a COM error from AzRoles.dll... but that's occurring through the Microsoft.Interop.Security.AzRoles library. The particular DLL that's at fault in this is not really my concern, I just need a fix/workaround/progress. I'm talking to a .NET DLL and it's failing. Regarding EntLib, I was sent here from their forum, who suggested that I replicate the issue as low-level as I could; I don't believe that EntLib is relevant here.

    Running it under an admin command prompt exhibits the same issue: local executable works, network executable fails.

    Does your comment about paid support invalidate Cookie's comment about looking into it? I'll talk to our account manager and see what support options we have available nonetheless...

    Regards,

    Tim.

    Monday, February 14, 2011 2:35 PM
  • Hi, yes, in consultation with that team per Cookie's request is how this came into review.
    bill boyce
    Thursday, February 17, 2011 11:51 PM
    Moderator