Configuring DCOM for MSMQ and J-Integra
Before you can run any J-Integra application, you must ensure that DCOM is
properly configured. Failure to do so typically results in one of the following
errors:
- AutomationException: 0x80070005 - General access denied error
- AutomationException: 0x5 - access is denied
- Run-time error '70': Permission denied
DCOM Authentication
Before you can access a COM component via DCOM, you must provide the
authentication credentials of a user who has been granted permission to
access/launch the component. There are two ways to do this.
- Native Authentication
By default, J-Integra will use native code to determine the user
credentials of the user who is currently logged in. This will only work if the
following conditions are met:
- The Java client resides on a Windows machine. If the Java client is
located on a non-Windows machine, you must use AuthInfo.setDefault()
to provide authentication credentials (see below).
- The %JINTEGRA_HOME%\bin directory must be in the system
PATH, and ntvauth.dll must reside there. This DLL contains the
native code J-Integra uses to determine the local authentication
credentials.
- If the Java client is running on machine A, then the credentials of the
user who is currently logged on to machine A must be configured on machine B
to have access/launch permissions to the COM component being accessed. For
more information on DCOM Configuration, see below.
- AuthInfo.setDefault
If you are running on a non-Windows platform, or you wish to use the
credentials of someone other than the user who is currently logged in, then
you need to use the method AuthInfo.setDefault().
This identitiy will be used on a process-wide basis when accessing and using
COM components.To use this method, place the following line in your Java
client before any calls to the COM component:
com.linar.jintegra.AuthInfo.setDefault("DOMAIN", "USER",
"PASSWORD");
* Using AuthInfo.setDefault() will only work if the Windows
machine hosting the COM component belongs to a domain or is a domain
controller.
DOMAIN - The domain to which the user belongs. If the user
does not belong to a domain, then pass the name of the machine to which the
user belongs. Note that COMPUTER\USER and DOMAIN\USER are two
completely different security principles. For more information, please refer
to Microsoft's http://support.microsoft.com/default.aspx?scid=kb;en-us;158508"USER - The username
being used to access the COM component.
PASSWORD - The
password of the above username.
You may override the process-wide default using AuthInfo.setThreadDefault().
This method establishes the authentication to be used for the current
thread only. To clear the authentication for the current thread, call
AuthInfo.setThreadDefault(null). Please note that
setThreadDefault() will behave differently if the COM component
is a "single instance" component. For more information, see AuthInfo.setThreadDefault(...) and Single-Instance COM
Objects in the Knowledge Base.
Regardless of whether or not you set the authentication on a per-thread
basis, it is strongly recommended that you call
AuthInfo.setDefault() early in your Java code to establish the
authentication to be used on a process-wide basis. This is needed to allow
J-Integra daemon threads to perform authenticated communications (such as when
releasing COM object references that have been garbage collected).
name=non-ansi>
- DCOM Authentication for Usernames with Non-ANSI Characters
Because Java supports non-ANSI characters, you can use
domain/username/password combinations with non-English characters. In order to
use non-English characters, you need to make sure that the same non-English
language is set as the default language on both the computer running the Java
client and the computer hosting the COM component.
Follow the steps below to configure the Windows 2000/XP English version
machine hosting the COM component:
- Click Start, click Control Panel, click Regional and
Language Options.
- Click Advanced, select your language in Code page conversion
tables, and select your language from the Language for non-Unicode
programs dropdown combo box. This will set the new default language and
allow non-English characters.
- Click OK button. Then reboot the machine for the settings to take
effect.
- href="http://j-integra.intrinsyc.com/support/com/doc/remoteaccess.html#Config">Configure
DCOM to grant DCOM access/launch permissions to the non-English
username.
Follow the steps below to configure the Windows NT English version machine
hosting the COM component:
- Click Start, click Control Panel, click Regional
Settings.
- Click Reginal Settings tab, select your language in from the
Many programs support international settings... dropdown combo box,
check Set as system default local checkbox. Click Input Locals
tab, add your language to Installed input locals and layouts list
box, select the language you just added, and click Set as Default
button.
- Click the OK button. Then reboot the machine for the settings to
take effect.
- href="http://j-integra.intrinsyc.com/support/com/doc/remoteaccess.html#Config">Configure
DCOM to grant DCOM access/launch permissions to the non-English
username.
If your Java client machine is also Windows, follow steps 1-3 above to
configure the machine. You can then pass non-English characters to
com.linar.jintegra.AuthInfo.setDefault().
Please refer to your platform manual to set the default language if your
Java client machine is a non-Windows platform.
DCOM Configuration (DCOMCNFG)
DCOMCNFG is a tool that comes with Windows that allows users to configure the
DCOM settings of a COM application. J-Integra provides its own DCOM
configuration tool called href="http://j-integra.intrinsyc.com/support/com/doc/tools/dcomconfig.html">DCOMConfig.exe.
J-Integra's DCOMConfig tool is a simplified version of Window's DCOMCNFG meant
for users who are new to J-Integra and/or DCOM. If you'd rather use
DCOMConfig.exe, please refer to the href="http://j-integra.intrinsyc.com/support/com/doc/tools/dcomconfig.html">tool
description.
We recommend the following DCOM configuration settings as a starting point if
you are unfamiliar with J-Integra and/or DCOM. Once you are more comfortable
with DCOM configuration, feel free to modify your settings based on your own set
of requirements.
* Configuring DCOM is mandatory when running J-Integra in href="http://j-integra.intrinsyc.com/support/com/doc/dcom_native.html">DCOM
mode. However, if you are using href="http://j-integra.intrinsyc.com/support/com/doc/dcom_native.html">native
mode, DCOM configuration is seldom necessary (since standard COM is used for
communication between components, not DCOM). However, if you are running in
native mode and you are still getting "access denied" errors, please configure
DCOM as instructed below.
Configuring DCOM on Windows 2000
- Click Start, click Run, and then type DCOMCNFG.
- Click Default Properties. Select Enable Distributed COM on this
computer. Set the Default Authentication Level to Connect
(None also works). Set the Default Impersonation Level to
Identify (Impersonate also works).
Here are the rules regarding Authentication Level for J-Integra
applications:
- The Authentication Level doesn't matter if you are running in native
mode.
- The machine hosting the COM client/server application must be set to
Connect or None level authentication, as this is
all that J-Integra supports. It doesn't matter what the Authentication Level
is on the machine running J-Integra.
- For COM-accessing-Java applications, the Authentication Level on the COM
client machine must be set to Connect or None.
- For Java-accessing-COM applications, the Authentication Level on the COM
server machine must be set to Connect or None.
- Click Default Security.
- Under Default Access Permissions click Edit Default. Add
SYSTEM and INTERACTIVE. The user whose authentication
credentials will be used to access the COM application must also be included
in this list. There are many ways to do this. You can add the specific user or
simply add a group the user belongs to. Possible values include:
- Domain\Username (A specific user)
- Domain\Administrators (All administrators on a specific domain)
- Everyone (All users)
- Under Default Launch Permissions click Edit Default. Make
sure the Default Launch Permissions have the same values as the
Default Access Permissions.
- Click Default Protocols. Make sure Connection-oriented
TCP/IP is listed first.
- You must now configure the COM application you wish to access. Click
Applications and right-click on the application you wish to configure.
Select Properties. If your COM application is a DLL, you must first
create a surrogate EXE for it using the href="http://j-integra.intrinsyc.com/support/com/doc/tools/SetDllHost.html">SetDllHost
tool. Once a surrogate EXE is created, the surrogate name will appear in
the list of applications. Select Properties for the surrogate and
continue on.
- Click General. Set the Authentication Level to
Default.
- Click Location. Select Run application on this computer.
- Click Security. Select Use default access permissions and
Use default launch permissions.
- For Windows 2000 Workstation - Click Identity. Select The
launching user. Depending on the COM application you are accessing, you
may need to change this to The interactive user (e.g. if you are going
to access MS Excel and make it visible).
For Windows 2000 Terminal Server - Click Identity. Select
The launching user. Depending on the COM application you are accessing,
you may need to change this to The interactive user, otherwise you may
get AutomationException: 0x8000401a - The server process could not be
started because the configured identity is incorrect. Check the username and
password. See the href="http://j-integra.intrinsyc.com/support/com/doc/remoteaccess.html#references">References
section at the bottom of this page for more information on "configuring Office
applications to run under the Interactive User Account with Terminal Servers".
- Click Endpoints. Select default system protocols.
- If you still get an "access denied" or "permission denied" error after
configuring your DCOM settings, try rebooting your machine to allow the new
settings to take effect.
Configuring DCOM on Windows XP and Windows Server 2003
- If the computer belongs to a workgroup instead of a domain, make sure that
it does not use simple file sharing. Open Windows Explorer or double
click My Computer, click Tools, then go to Folder
Options, click View and uncheck Use simple file sharing
(Recommended) in Advanced settings.
- Click Start, click Programs, click Administrative
Tools, click Component Services.
- Expand Component Services, expand Computers, and right-click
My Computer. Select Properties.
- Click Default Properties. Select Enable Distributed COM on this
computer. Set the Default Authentication Level to Connect
(None also works). Set the Default Impersonation Level to
Identify (Impersonate also works).
Here are the rules regarding Authentication Level for J-Integra
applications:
- The Authentication Level doesn't matter if you are running in native
mode.
- The machine hosting the COM client/server application must be set to
Connect or None level authentication, as this is
all that J-Integra supports. It doesn't matter what the Authentication Level
is on the machine running J-Integra.
- For COM-accessing-Java applications, the Authentication Level on the COM
client machine must be set to Connect or None.
- For Java-accessing-COM applications, the Authentication Level on the COM
server machine must be set to Connect or None.
- Click Default COM Security.
- Under Default Access Permissions click Edit Default. Add
SYSTEM, INTERACTIVE, and NETWORK. The user whose
authentication credentials will be used to access the COM application must
also be included in this list. There are many ways to do this. You can add the
specific user or simply add a group the user belongs to. Possible values
include:
- Domain\Username (A specific user)
- Domain\Administrators (All administrators on a specific domain)
- Everyone (All users)
- Under Default Launch Permissions click Edit Default. Make
sure the Default Launch Permissions have the same values as the
Default Access Permissions.
- Click Default Protocols. Make sure Connection-oriented
TCP/IP is listed first.
- You must now configure the COM application you wish to access. Expand
Component Services, expand Computers, expand My Computer,
and click DCOM Config. Right-click on the application you wish to
configure. Select Properties. If your COM application is a DLL, you
must first create a surrogate EXE for it using the href="http://j-integra.intrinsyc.com/support/com/doc/tools/SetDllHost.html">SetDllHost
tool. Once a surrogate EXE is created, the surrogate name will appear in
the list of applications. Select Properties for the surrogate and
continue on.
- Click General. Set the Authentication Level to
Default.
- Click Location. Select Run application on this computer.
- Click Security. Set Launch Permissions to Use
Default. Set Access Permissions to Use Default. Set
Configuration Permissions to Use Default.
- Click Identity. Select The launching user. Depending on the
COM application you are accessing, you may need to change this to The
interactive user (e.g. if you are going to access MSExcel and make it
visible).
- Click Endpoints. Select default system protocols.
- If you still get an "access denied" or "permission denied" error after
configuring your DCOM settings, try rebooting your machine to allow the new
settings to take effect.
Configuring DCOM on Windows XP SP2
Microsoft has added some DCOM security enhancements to Windows XP Service
Pack 2. In addition to the href="http://j-integra.intrinsyc.com/support/com/doc/remoteaccess.html#winxp">above
Windows XP DCOM configuration settings, you will need to perform the following
steps.
- If the computer belongs to a workgroup instead of a domain, make sure that
it does not use simple file sharing. Open Windows Explorer or double
click My Computer, click Tools, then go to Folder
Options, click View and uncheck Use simple file sharing
(Recommended) in Advanced settings.
- Click Start, click Programs, click Administrative
Tools, click Component Services.
- Expand Component Services, expand Computers, and right-click
My Computer. Select Properties.
- Click Default COM Security.
- Under Default Access Permissions click Edit Default. Make
sure SYSTEM, INTERACTIVE, NETWORK, and the user whose
authentication credentials will be used to access the COM application all have
Local and Remote Access permissions.
- Under Default Access Permissions click Edit Limits. Service
Pack 2 comes with the following default values: ANONYMOUS LOGON (Local
Access) and Everyone (Local and Remote Access). Make sure these values
are listed, and then add the user whose authentication credentials will be
used to access the COM application. Allow this user to have Local and
Remote Access permissions.
- Under Default Launch Permissions click Edit Default. Make
sure SYSTEM, INTERACTIVE, NETWORK, and the user whose
authentication credentials will be used to access the COM application all have
Local and Remote Launch permissions, as well as Local and Remote
Activation permissions.
- Under Default Launch Permissions click Edit Limits. Service
Pack 2 comes with the following default values: MACHINE\Administrators
(Local and Remote Launch, Local and Remote Activation) and Everyone
(Local Launch and Local Activation). Make sure these values are listed, and
then add the user whose authentication credentials will be used to access the
COM application. Allow this user to have Local and Remote Launch
permissions, as well as Local and Remote Activation permissions.
- Service Pack 2 comes with a built-in Windows Firewall. If the firewall is
turned on, you will have to allow your COM application network access to your
machine. You can do this by opening Windows Firewall and adding your COM
application to the list of programs under the Exceptions tab. If
Display a notification when Windows Firewall blocks a program is
selected, then you will be prompted to unblock the COM application when you
run your J-Integra application the first time. Select Unblock when
prompted.
- If you still get an "access denied" or "permission denied" error after
configuring your DCOM settings, try rebooting your machine to allow the new
settings to take effect.
For more information on DCOM security enhancements in Microsoft Windows XP
Service Pack 2, see href="http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#XSLTsection126121120120"
target=blank>http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#XSLTsection126121120120.
Configuring DCOM on Windows 98
DCOM does not come pre-installed with Windows 98. If you wish to use
J-Integra on Windows 98, you must href="http://www.microsoft.com/com/dcom/dcom98/dcom1_3.asp"
target=blank>download DCOM98 from Microsoft. In addition, Windows 98 does
not support the automatic launch of a server. Therefore, you must manually start
the COM server you wish to access before running your Java client. If you do not
do this, you will get the following error message:
AutomationException: 0x80080005 - Server execution failed. Note that
Windows 95 does not support automatic launch of a server, it must be running
already.
Network Security: LAN Manager Authentication Level
Microsoft Windows has a setting that determines which challenge/response
authentication protocol is used for network logons. This choice affects the
level of authentication protocol used by clients, the level of session security
negotiated, and the level of authentication accepted by servers.
J-Integra only supports Send LM & NTLM responses. Since
this is the default setting for Windows platforms, this is typically not a
problem for most users. However, if your network administrator has changed this
setting you will probably get an error similar to:
java.io.IOException: Unable to establish RPC Connection to DCOM SCM on
192.168.4.202 (Bind returned Bind_NAK)
Please ensure that the LAN Manager Authentication Level is set to Send
LM & NTLM responses by doing the following:
- Click Start, click Settings, click Control Panel,
click Administrative Tools, click Local Security Policy.
- In the Local Security Settings dialog box, click Local
Policies, and then click Security Options.
- Double-click Network Security: LAN Manager Authentication Level.
- Select Send LM & NTLM responses.
- Click OK and exit out of Local Security Settings.
Since J-Integra implements the NT Challenge-Response Mechanism (NTLM) in pure
Java as part of its DCOM engine, user passwords are NEVER sent over the
wire. Microsoft's own documentation verifies this:
Is my password being sent across the network during NTLM
authentication?
No. NTLM authentication does not send the user's password
(or the hashed representation of the password) across the network. Instead,
NTLM authentication uses a challenge/response mechanism to ensure that the
actual password never traverses the network.
href="http://www.microsoft.com/technet/security/bulletin/MS01-001.mspx">http://www.microsoft.com/technet/security/bulletin/MS01-001.mspx
* J-Integra only supports Authentication, not
Encryption.
Accessing COM Components Within ATL Services
By default, the Microsoft ATL Service Wizard generates code which initialises
all COM components running within the service to use Packet level
authentication. J-Integra only supports Connect level
authentication (or None), so you will need to modify the generated
code as follows.
The following generated code should be changed from this...
hr = CoInitializeSecurity(sd, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_PKT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE,
NULL);
To the following...
hr = CoInitializeSecurity(sd, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL,
EOAC_NONE, NULL);
References
If you are using Windows Terminal Services, please read...
How To Configure Office Applications to Run Under the Interactive User
Account
href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;288366"
target=blank>http://support.microsoft.com/default.aspx?scid=kb;EN-US;288366
If you are configuring Microsoft Office applications server-side (e.g.
JSP/Servlet accessing Microsoft Excel), please read...
INFO: Considerations for Server-Side Automation of Office
href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;257757"
target=blank>http://support.microsoft.com/default.aspx?scid=kb;EN-US;257757
Day 1:
ure wala and got it fixed it costed us about 2 hrs there. began riding and rode for whole night at speed of 70-80kmph the target for us was to reach ahemedabad. by 6 in the moring we reached surat, the road between surat and baroda are pathetic at surat took a break for tea and sutta mavi was the only person who had been smoking the entire trip. sala abhi tho mein tb se bahar aaya hun wapas daal dega mere ko dhuaa chod chod ke. now were not aware of a typical but interesting habbit of anna, he generally is awake the whole night and killing his time on orkut and sleeps the whole day like a pig. so since it was morning now his rings started ringing, and started feeling sleepy. at about 9 am tragedy struck again n that too with anna. he just dozed off on the bike and had a fall on the side of the road and it was a amazing fall no one can beet his record. anna bolu kya kidhar gira? guess any one? well our anna slipped on the side of the road his bike went down the side of the road and our anna goes down in the manhole, yes u read it correct anna went down in the manhole which was being constructed, and he hit it so hard that the concrete broke off on the top and this guy was inside upside down now u can imagine how he might have been worth watching hehehe.