PRB: Warning from COM+ Components When Using Role-Based Security (300567)



The information in this article applies to:

  • Microsoft Windows 2000, when used with:
    • the operating system: Microsoft Windows 2000 SP1
    • the operating system: Microsoft Windows 2000 SP2

This article was previously published under Q300567

SYMPTOMS

If a configured COM+ object that uses role-based security at the Interface level passes out a reference to a non-configured Component Object Model (COM) object, you may see the following warning in the Application Event Log:
A method call to an object in a COM+ application was rejected because the caller is not properly authorized to make this call. The COM+ application is configured to use Application and Component level access checks, and enforcement of these checks is currently enabled.
The rest of this message provides information about the Component method that the caller tries to invoke, plus the identity of the caller.
Destination of the rejected call:
Application Id: {B7FE210F-1088-4BBD-B549-CF4D8E6675CF}
CLSID: {D4CC349B-063B-4256-9AE7-B14630C6B9A8}
IID: {0193088D-396D-4455-9573-33DCB872B2AE}
Method #: 7
Class: SecClient.SecCl1
Interface: (unknown)
Method: (unknown)
Caller Information:
Svc/Lvl/Imp = 10/6/1, Identity = NORTHAMERICA\useraccount
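
The following parser for the warning above is an added example, not part of the original article or of any Microsoft tooling. It assumes that Svc/Lvl/Imp are the RPC authentication service, authentication level and impersonation level constants, and its function names and the "unresolved_target" heuristic are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the warning text exactly as quoted in this article.
SAMPLE = """Destination of the rejected call:
Application Id: {B7FE210F-1088-4BBD-B549-CF4D8E6675CF}
CLSID: {D4CC349B-063B-4256-9AE7-B14630C6B9A8}
IID: {0193088D-396D-4455-9573-33DCB872B2AE}
Method #: 7
Class: SecClient.SecCl1
Interface: (unknown)
Method: (unknown)
Caller Information:
Svc/Lvl/Imp = 10/6/1, Identity = NORTHAMERICA\\useraccount
"""

# Numeric values of RPC_C_AUTHN_*, RPC_C_AUTHN_LEVEL_* and RPC_C_IMP_LEVEL_*.
SVC = {0: "NONE", 9: "GSS_NEGOTIATE", 10: "WINNT", 16: "GSS_KERBEROS"}
LVL = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP = {1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}

FIELD = re.compile(r"^(Application Id|CLSID|IID|Method #|Class|Interface|Method):[ \t]*(.*?)[ \t]*$", re.M)
CALLER = re.compile(r"^Svc/Lvl/Imp = (\d+)/(\d+)/(\d+), Identity = (.+?)[ \t]*$", re.M)

def parse_rejected_call(text):
    """Parse one warning into a dict; return None if it is not this message."""
    text = text.replace("\r", "")  # event text is often exported with CRLF
    rec = dict(FIELD.findall(text))
    caller = CALLER.search(text)
    if caller is None or not {"CLSID", "IID", "Class"} <= rec.keys():
        return None
    svc, lvl, imp = (int(n) for n in caller.group(1, 2, 3))
    rec["authn_service"] = SVC.get(svc, str(svc))
    rec["authn_level"] = LVL.get(lvl, str(lvl))
    rec["impersonation"] = IMP.get(imp, str(imp))
    rec["identity"] = caller.group(4)
    # Heuristic (assumption): names COM+ could not resolve suggest the call
    # targeted an interface the catalog does not know for this class.
    rec["unresolved_target"] = rec.get("Interface") == rec.get("Method") == "(unknown)"
    return rec

def group_by_target(messages):
    """Map (Class, IID, Method #) -> sorted caller identities, for triage."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_rejected_call, messages)):
        groups[(rec["Class"], rec["IID"], rec["Method #"])].add(rec["identity"])
    return {k: sorted(v) for k, v in groups.items()}
```

Grouping by class, IID and method number shows whether repeated rejections all point at the same interface, which is the pattern this article describes.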

CAUSE

The warning is generated when the client makes a method call on the interface (corresponding to a non-configured object) returned to it by the configured COM+ component.

This occurs because the non-configured COM object is created in the same context as the COM+ configured component. When the client makes a call to the non-configured COM object, the object context has no information about the destination interface and the security requirements of the destination interface. Because this is a non-configured component, the call is rejected.

RESOLUTION

Do not pass references to non-configured objects out of configured components. Doing so can cause issues similar to the one described earlier.

To work around this problem, assign the Role at the Component level. Alternatively, make the non-configured component a configured component. You can then explicitly apply or deny role-based security for it.

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce the Behavior

  1. Write two COM components that you name A and B. You can use either Microsoft Visual Basic or a C-language program.
  2. Add a method to one COM component (A) that returns a reference to the other COM component (B).
  3. Add a dummy method to B that puts some information in the Application Event Log to indicate that it has been called.
  4. Add the first COM component (A) to a COM+ application and use the default settings.
  5. Add a Role to the COM+ application that includes the Everyone group.
  6. Assign that Role to the Interface.
  7. Enable Security at the Application level and at the Component level.
  8. Write a simple client that creates the COM+ component (A), calls its method to get the reference to the component (B), and then makes a call to the dummy method of B.
  9. View the Application Log. You can see the earlier warning, and the client receives a "Permission Denied" error message.

Modification Type: Major
Last Reviewed: 5/28/2003
Keywords: kbprb KB300567