FIX: MTS Impersonation Returns Incorrect Caller When Using RDS
ID: Q184702
|
The information in this article applies to:
-
Remote Data Service for ADO versions 1.5, 2.0, 2.1 SP1
SYMPTOMS
When using Remote Data Service (RDS) to call a local or remote COM server,
the server only recognizes the first caller into the object. If subsequent
calls are made to the object by different clients, the server only
impersonates them as the initial caller. This behavior has some far reaching side effects that can cause serious security problems. For example, it renders the Microsoft Transaction Server (MTS) role based security model unusable with RDS. It also causes the MTS ISecurityProperty interfaces to return incorrect information.
The Windows NT 4.0 Service Pack 4 (SP4) changes the behavior slightly. When the service pack is installed on a computer, the caller will be seen as the
process identity if the MTS package is set to run as a server process
on the same computer as the Internet Information Server (IIS). In most
cases the identity will be that of the system account (NT_AUTHORITY\SYSTEM).
CAUSE
This is a limitation of COM on the current Windows platforms. COM does not
support clients that impersonate many different users such as IIS. The
problem is that for performance reasons, COM caches remote procedure call (RPC) connections. In doing so, it also caches authentication information. This caching causes COM security to incorrectly report identities if the client impersonates many different users.
The behavior in Windows NT 4.0 was to simply show the identity of the
first caller for the duration of the connection. Because the connections
timeout after a period of two minutes of inactivity, you could see a
somewhat random identity at the server.
To partially correct this in sp4, the COM behavior was changed to always
report the process identity for local calls. Remote calls behave the same.
While far from optimal, it at least allows the server to reliably obtain
some client identity.
STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed
at the beginning of this article.
This bug has been fixed in Microsoft Data Access Components 2.1 Service Pack 2 and later.
You can download the latest version of the Microsoft Data Access Components from the following site:
http://www.microsoft.com/data/download.htm
It is recommended that you download and install the latest version of MDAC to resolve this issue. However, a hotfix is available for RDS 2.1 calling MTS 2.0 components. Please contact Microsoft Product Support for more information on this hotfix.
MORE INFORMATION
Steps to Reproduce Behavior
- Open Visual Basic and select the project type to be an ActiveX DLL.
- Create a class in the project with the following code:
Public Function WhoAmI() As String
On Error GoTo handler
WhoAmI = GetObjectContext.Security.GetDirectCallerName
Exit Function
handler:
WhoAmI = "Error"
End Function
- From the Project menu, select Properties. In the Project Properties
dialog box, change the project name to WhoCalled.
- Change the class name to clsWho.
- Compile and Save this component.
- Place the component into an MTS package on your server computer.
- To add the component to Microsoft Transaction Server (MTS), open the MTS Management Console.
- Expand the Microsoft Transaction Server and then the My Computer
directories.
- Select Packages Installed, then right-click and select New and
Package.
- Click Create an Empty Package.
- Enter MTSRDS for the package name and click Next.
- Click Finish on the following page, accepting the page defaults.
You now have a MTS package named MTSRDS.
- To add the component to the MTSRDS Package, expand the MTSRDS
package and select Components. Right-click and select
New and Component.
- Click Install New Component, and then select Add File. Locate the
Whocalled.dll, select it, and click Open and then Finish.
- Add the Visual Basic Business Object to the RDS ADCLaunch Key. Add
Whocalled.clsWho to the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch
- Create a Standard EXE client application in Visual Basic using the following code: (Place one command button and one label control on a form.)
Dim myobj As Object
Private Sub Command1_Click()
label1.Caption = myobj.WhoAmI
End Sub
Private Sub Form_Load()
Set ds = CreateObject("RDS.DataSpace")
Set myobj = ds.CreateObject("WhoCalled.clsWho", _
"http://IISServerName")
End Sub
NOTE: Change the IISServerName to your IIS Server name.
- Go to your server computer. In Internet Information Server (IIS) right-click your default Web Site, and choose properties.
- Select the Directory Security tab and click Edit. Make sure that Windows NT Challenge/Response is the only thing selected. Click OK until you are back to IIS.
- Run the client as User A. Clicking on the Command button will return the User ID.
- Have User B run the same client application.
RESULTS: User A gets their own ID back from the Server as expected. User B
incorrectly gets User A's ID.
Additional query words:
Keywords :
Version : WINDOWS:1.5,2.0,2.1 SP1
Platform : WINDOWS
Issue type : kbbug