DOCUMENT:Q259615 12-JUL-2001 [utilities] TITLE :PRB: "Access Denied" When You Configure Identity of COM Server PRODUCT :Microsoft Programming Utilities PROD/VER::4.0 OPER/SYS: KEYWORDS:kbCOMt kbGrpDSCom kbDSupport ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft COM, used with: - the operating system: Microsoft Windows 2000 - the operating system: Microsoft Windows NT 4.0 ------------------------------------------------------------------------------- SYMPTOMS ======== After you programmatically set the identity of a Component Object Model (COM) server to a specific user account, when you attempt to activate the server, you may receive an "Access Denied" error message. The following event appears in the event log: EventID 10004 Source DCOM DCOM got error "Logon failure: unknown user name or bad password. " and was unable to logon redmond\comstud in order to run the server: {5e9ddec7-5767-11cf-beab-00aa006c3606} This problem does not occur when you use DCOMCNFG.exe to configure the identity of a COM server. CAUSE ===== When you programmatically set the identity of a COM server to a specific user account, it stores the password of this account in a secure part of the registry. This requires a call to the LsaStorePrivateData function. The second argument to this function takes a LSA_UNICODE_STRING structure, which is the name of the registry key where the private data is stored. One member of this structure is Length. The LSA_UNICODE_STRING documentation states that the length should not include the null terminator. However, for COM to work, you must include the null terminator in the length. When COM calls the LsaRetrievePrivateData function, the null terminator is included as part of the key name where the private data is stored in the registry. If the null terminator is not included in the length of the string, the error occurs when you attempt to activate the COM server. RESOLUTION ========== To resolve this problem, make sure that the null terminator is included in the length of the LSA_UNICODE_STRING structure that represents the KeyName where the password is stored. The DCOMPerm sample illustrates how to programmatically set the identity of a COM server to a specific account. Specifically, the SrvcMgmt.cpp file contains the SetRunAsPassword function, which illustrates how to correctly set the password. The DCOMPerm sample is included in the Platform Software Development Kit (SDK) in the Samples\COM\Fundamentals\DCOM\DCOMPerm subfolder. This sample is also located at the following Microsoft Developer Network (MSDN) Web site: http://msdn.microsoft.com/library/devprods/vs6/visualc/vcsample/vcsmpdcompermpermissionsforcomserver.htm REFERENCES ========== For more information, see the following topics in the Platform SDK documentation at the following Microsoft Developer Network (MSDN) Web sites: LsaStorePrivateData http://msdn.microsoft.com/library/psdk/lsapol/lsapol_1e5d.htm LsaRetrievePrivateData http://msdn.microsoft.com/library/psdk/lsapol/lsapol_8dlt.htm LSA_UNICODE_STRING http://msdn.microsoft.com/library/psdk/lsapol/lsapol_91wn.htm Additional query words: 10004 ====================================================================== Keywords : kbCOMt kbGrpDSCom kbDSupport Technology : kbAudDeveloper kbCOM kbCOMPlusSearch Version : :4.0 Issue type : kbprb Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.