BUG: MTS Impersonation Returns Incorrect Caller When Using RDS

ID: Q184702


The information in this article applies to:


SYMPTOMS

When using Remote Data Service (RDS) to call a local or remote COM server, the server only recognizes the first caller into the object. If different clients subsequently call the object, the server still impersonates them as the initial caller. This behavior has some far-reaching side effects that can cause serious security problems. For example, it renders the Microsoft Transaction Server (MTS) role-based security model unusable with RDS. It also causes the MTS ISecurityProperty interface to return incorrect information.


Windows NT 4.0 Service Pack 4 (SP4) changes the behavior slightly. When the service pack is installed on a computer, the caller will be seen as the process identity if the MTS package is set to run as a server process on the same computer as Internet Information Server (IIS). In most cases the identity will be that of the system account (NT AUTHORITY\SYSTEM).


CAUSE

This is a limitation of COM on the current Windows platforms. COM does not support clients, such as IIS, that impersonate many different users. The problem is that for performance reasons, COM caches remote procedure call (RPC) connections. In doing so, it also caches authentication information. This caching causes COM security to incorrectly report identities if the client impersonates many different users.

The behavior in Windows NT 4.0 was to simply show the identity of the first caller for the duration of the connection. Since the connections time out after 2 minutes of inactivity, you could see a somewhat random identity at the server.

To partially correct this in SP4, the COM behavior was changed to always report the process identity for local calls. Remote calls behave as before. While far from optimal, it at least allows the server to reliably obtain some client identity.
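The connection-cache behavior described above, as a small Python model added here (it is not Microsoft code and is not taken from the article): the single cached connection per server, the 120-second idle timeout, and the SP4 local-call rule are modeled from the text, while the server name, user names and call timing are constructed.

```python
"""Model of how a cached RPC connection makes an MTS server report the
wrong caller when the client (IIS) impersonates many users."""
from __future__ import annotations
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 120                 # article: connections time out after 2 minutes idle
PROCESS_IDENTITY = "NT AUTHORITY\\SYSTEM"  # article: typical identity reported post-SP4 for local calls


@dataclass
class CachedConnection:
    identity: str    # authentication info cached along with the connection
    last_used: float


@dataclass
class ComClient:
    """An IIS-like COM client: impersonates each caller but reuses one
    RPC connection (and its cached identity) per server endpoint."""
    sp4: bool = False
    _connections: dict = field(default_factory=dict)

    def call(self, server: str, local: bool, impersonated_user: str, now: float) -> str:
        """Return the identity the server's GetDirectCallerName would report."""
        conn = self._connections.get(server)
        if conn is None or now - conn.last_used > IDLE_TIMEOUT_SECONDS:
            # A fresh connection authenticates as whoever is impersonated right now;
            # with SP4 a local call is always reported as the process identity.
            ident = PROCESS_IDENTITY if (self.sp4 and local) else impersonated_user
            conn = CachedConnection(identity=ident, last_used=now)
            self._connections[server] = conn
        conn.last_used = now          # activity keeps the cached identity alive
        return conn.identity


def reproduce(sp4: bool, local: bool, gap_seconds: float = 10.0) -> list[tuple[str, str]]:
    """Replay the article's repro: User A calls WhoAmI, then User B calls it
    gap_seconds later through the same IIS/RDS client. Returns (user, reported)."""
    iis = ComClient(sp4=sp4)
    results, now = [], 0.0
    for user in ("UserA", "UserB"):           # constructed user names
        results.append((user, iis.call("MTSRDS", local, user, now)))
        now += gap_seconds
    return results


def identity_confused(results: list[tuple[str, str]]) -> bool:
    """True when any caller was reported as someone other than themselves,
    i.e. a role check built on GetDirectCallerName would be unreliable."""
    return any(user != reported for user, reported in results)
```

Running `reproduce(False, False)` shows User B reported as User A; `reproduce(False, False, gap_seconds=121)` shows the "somewhat random" case where the idle timeout lets User B be seen correctly.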


RESOLUTION

There is currently no workaround for this problem in the general case. However, a hotfix is available for RDS 2.1 calling MTS 2.0 components. Please contact Microsoft Product Support for more information on this hotfix.


STATUS

Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

Steps to Reproduce Behavior

  1. Open Visual Basic and select the project type to be an ActiveX DLL.

  2. Create a class in the project with the following code:

       Public Function WhoAmI() As String

       On Error GoTo handler
       ' Ask MTS for the identity of the caller that invoked this method
       WhoAmI = GetObjectContext.Security.GetDirectCallerName
       Exit Function

       handler:
       WhoAmI = "Error"

       End Function

  3. From the Project menu, select Properties. In the Project Properties dialog box, change the project name to WhoCalled.

  4. Change the class name to clsWho.

  5. Compile and save this component.

  6. Place the component into an MTS package on your server computer.

       a. To add the component to Microsoft Transaction Server (MTS), open the MTS Management Console.

       b. Expand Microsoft Transaction Server and then the My Computer directories.

       c. Select Packages Installed, then right-click and select New and Package.

       d. Click Create an Empty Package.

       e. Enter MTSRDS for the package name and click Next.

       f. Click Finish on the following page, accepting the page defaults. You now have an MTS package named MTSRDS.

       g. To add the component to the MTSRDS package, expand the MTSRDS package and select Components. Right-click and select New and Component.

       h. Click Install New Component, and then select Add File. Locate WhoCalled.dll, select it, and click Open and then Finish.

  7. Add the Visual Basic business object to the RDS ADCLaunch key. Add WhoCalled.clsWho to the following registry key:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch

  8. Create a Standard EXE client application in Visual Basic using the following code (place one command button and one label control on a form):

       Dim ds As Object
       Dim myobj As Object

       Private Sub Command1_Click()
         ' Display the caller name that the MTS component reports
         Label1.Caption = myobj.WhoAmI
       End Sub

       Private Sub Form_Load()
         ' Create the business object on the IIS server through RDS
         Set ds = CreateObject("RDS.DataSpace")
         Set myobj = ds.CreateObject("WhoCalled.clsWho", _
              "http://IISServerName")
       End Sub

     NOTE: Change IISServerName to your IIS server name.

  9. Go to your server computer. In Internet Information Server (IIS), right-click your default Web site, and choose Properties.

  10. Select the Directory Security tab and click Edit. Make sure that Windows NT Challenge/Response is the only thing selected. Click OK until you are back to IIS.

  11. Run the client as User A. Clicking the command button will return the user ID.

  12. Have User B run the same client application.

RESULTS: User A gets their own ID back from the Server as expected. User B incorrectly gets User A's ID.

Additional query words: kbdse


Keywords          : 
Version           : WINDOWS:1.5
Platform          : WINDOWS 
Issue type        : kbbug 

Last Reviewed: February 16, 1999