Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You cannot set the COM RunAs password on a Windows 2003 machine from a Windows Server 2008 R2 machine



Symptoms

COM internally uses LSA secrets to store the RunAs password for a COM server. The Platform SDK DCOMPerm sample illustrates how to programmatically set the RunAs password of a COM server identity by using LsaOpenPolicy and LsaStorePrivateData on the local server. To set the RunAs password of a COM server identity on a remote server, you can modify the sample by passing the remote server name to LsaOpenPolicy. The modified DCOMPerm works fine between two Windows 2003 machines. However, when you run it on a Windows 7/Windows Server 2008 R2 machine and attempt to set the RunAs password on a remote Windows 2003 server, the remote COM server fails to run and the following error is received:

0x8000401a: The server process cannot be started because the configured identity is incorrect. Check the username and password.




Cause

The MSDN documentation for LSA_UNICODE_STRING states that Length should not include the terminating NULL character. However, COM incorrectly includes the NULL terminator in the Length of the KeyName LSA_UNICODE_STRING when it calls LsaRetrievePrivateData to retrieve the password. For COM to find the matching secret name, the DCOMPerm sample therefore also includes the NULL terminator in the KeyName that it passes to LsaStorePrivateData. This approach works in a Windows 2003 environment but breaks when going from Windows 7/Windows Server 2008 R2 to Windows 2003. The cause is a change that was made to LsaStorePrivateData and LsaRetrievePrivateData on Windows 7/Windows Server 2008 R2 as a robustness improvement.

The change strips the trailing NULL from LSA secret names: if you attempt to create a secret from Windows 7/Windows Server 2008 R2 with a trailing NULL character in its name, that character is removed. The COM code on Windows Server 2003, however, still searches for the secret name with the trailing NULL when retrieving the password. It either finds a secret with the trailing NULL in the registry whose password was not set by your call and does not belong to the current COM server identity, or it cannot find a secret with the trailing NULL at all, and LsaRetrievePrivateData fails with error code 2 (file not found). In either case, the COM server fails to run.
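The length mismatch described above, as an added example that is not Microsoft's or DCOMPerm's code: a portable C model of the LSA_UNICODE_STRING layout in which a one-slot in-memory store stands in for the LSA secret; the key name is constructed, and the strip-on-store rule and the 2003-side lookup are assumptions that mirror the behaviour this article describes.

```c
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR;               /* UTF-16 code unit, as on Windows */
typedef struct {                      /* same layout as LSA_UNICODE_STRING */
    uint16_t Length;                  /* bytes, excluding the NULL per MSDN */
    uint16_t MaximumLength;           /* bytes, including the NULL */
    const WCHAR *Buffer;
} LSA_STR;

/* Build the string; include_null reproduces what DCOMPerm does on purpose. */
static void lsa_init(LSA_STR *s, const WCHAR *buf, size_t nchars, int include_null) {
    s->Buffer = buf;
    s->Length = (uint16_t)((nchars + (include_null ? 1 : 0)) * sizeof(WCHAR));
    s->MaximumLength = (uint16_t)((nchars + 1) * sizeof(WCHAR));
}

/* Assumed model of the Windows 7 / 2008 R2 change: drop a trailing NULL from the name. */
static void lsa_strip_trailing_null(LSA_STR *s) {
    size_t n = s->Length / sizeof(WCHAR);
    if (n > 0 && s->Buffer[n - 1] == 0)
        s->Length = (uint16_t)(s->Length - sizeof(WCHAR));
}

/* One-slot secret store standing in for the registry-backed LSA secret. */
static WCHAR stored_name[64];
static uint16_t stored_len;

static void sim_store(const LSA_STR *name, int win7_semantics) {
    LSA_STR k = *name;
    if (win7_semantics) lsa_strip_trailing_null(&k);
    memcpy(stored_name, k.Buffer, k.Length);
    stored_len = k.Length;
}

/* Returns 0 on success, 2 (file not found) when no secret name matches byte for byte. */
static int sim_retrieve(const LSA_STR *name) {
    if (name->Length != stored_len) return 2;
    return memcmp(stored_name, name->Buffer, stored_len) == 0 ? 0 : 2;
}

/* Scenario: Windows 2003 COM always looks the name up *with* the trailing NULL. */
int scenario(int client_is_win7) {
    static const WCHAR key[] = {'S', 'C', 'M', ':', 'X', 0};  /* constructed key name */
    LSA_STR store_key, com_key;
    lsa_init(&store_key, key, 5, 1);      /* DCOMPerm: Length includes the NULL */
    lsa_init(&com_key, key, 5, 1);        /* 2003 COM: also includes the NULL */
    sim_store(&store_key, client_is_win7);
    return sim_retrieve(&com_key);        /* 0 from a 2003 client, 2 from a Win7 client */
}
```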



Resolution

Set the RunAs password for the COM server on the system where it runs by using dcomcnfg, or execute the original local version of DCOMPerm on the remote system, for example by using PsExec.



More Information

The modified DCOMPerm described in the Symptoms section should continue to work between two Windows 7/Windows Server 2008 R2 machines. From Windows 2003 to Windows 7/Windows Server 2008 R2, other changes in the LSA encryption algorithm on Windows 7/Windows Server 2008 R2 prevent the sample from working. That failure is not associated with the change in the LSA API described in this article.

Relevant article:
PRB: "Access Denied" When You Programmatically Configure the Identity of a COM Server to a Specific User Account



Keywords: kb


Article Info
Article ID : 2757277
Revision : 1
Created on : 1/7/2017
Published on : 9/19/2012
Exists online : False
Views : 972