Notice: This website is an unofficial Microsoft Knowledge Base (KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

Error message when you try to use a DCOM application on a Windows NT 4.0-based computer in a Windows Server 2003 environment: "Access denied"



Symptoms

When you try to use a DCOM application on a Microsoft Windows NT 4.0-based computer, a remote procedure call (RPC) returns the following error message:
Access denied
This problem occurs in the following scenarios.

Scenario 1

A Windows NT Server 4.0-based or Windows NT Workstation 4.0-based computer (computer A) resides in a Windows NT 4.0 resource domain (domain X).
A Windows NT Server 4.0-based computer (computer B) that is running DCOM applications resides in a Microsoft Windows Server 2003 domain (domain Y).
Domain X trusts domain Y.
Computer A calls methods on a DCOM application that is running on computer B. The DCOM application has packet-level integrity specified.
Note: This problem may also occur if the following conditions are true:
Computer B is running Microsoft Windows 2000 Server or a later version of Windows.
Computer A is running Windows NT 4.0.
However, this problem does not occur if computer A is running Windows 2000 Server or a later version of Windows.

Scenario 2

A Windows NT Server 4.0-based or Windows NT Workstation 4.0-based computer (computer A) resides in a Windows NT 4.0 resource domain (domain X).
A Windows NT Server 4.0-based computer (computer B) that is running DCOM applications resides in domain X.
A Windows Server 2003 domain (domain Y) trusts domain X, and domain X trusts domain Y.
You log on to computer A as a user of domain Y.
Computer A calls DCOM remote methods on computer B.



Cause

This problem occurs when the NoLMHash policy is enabled at the Domain Controllers level in the Windows Server 2003 domain. In this situation, the DCOM server cannot authenticate users.



Resolution

To resolve this problem, use one of the following methods.

Method 1

Use a password that is at least 15 characters long when the NoLMHash policy is enabled in the Active Directory directory service. Make sure that this password cannot be disabled because of security considerations.

Method 2

Use Group Policy in Active Directory to enable storage of the LAN Manager hash (LMHash) of a user password. To do this, follow these steps:
1. In the Domain Controllers Group Policy console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
2. In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
3. Click Disabled, and then click OK.
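
To confirm which state the policy is in before and after Method 2, the check below reads a security-template export of the domain controller's policy and reports the NoLMHash setting. It is an added example, not part of the original KB article. It assumes the export was produced with `secedit /export /cfg <file>` and that the policy appears under `[Registry Values]` as the `NoLMHash` value of the Lsa key; the sample text is constructed.

```python
# Added example: report the NoLMHash policy state from a security-template export.
# Assumption: input is the text or raw bytes of a `secedit /export /cfg <file>` export.

NOLMHASH_KEY = r"machine\system\currentcontrolset\control\lsa\nolmhash"

# Constructed sample export (not taken from a real domain controller).
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
"""


def load_text(data):
    """Accept str, or raw file bytes (exports are typically UTF-16 with a BOM)."""
    if isinstance(data, bytes):
        if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
            return data.decode("utf-16")
        return data.decode("utf-8-sig")
    return data


def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def nolmhash_state(data):
    """Return 'enabled', 'disabled', 'not defined' or 'unexpected type'."""
    values = parse_inf(load_text(data)).get("registry values", {})
    raw = values.get(NOLMHASH_KEY)
    if raw is None:
        return "not defined"  # the template does not set the policy
    reg_type, _, value = raw.partition(",")  # "<registry type>,<data>"
    if reg_type.strip() != "4":  # 4 = REG_DWORD
        return "unexpected type"
    return "enabled" if value.strip().strip('"') == "1" else "disabled"


if __name__ == "__main__":
    print("NoLMHash policy:", nolmhash_state(SAMPLE_EXPORT))
```

A result of `enabled` on the domain controllers corresponds to the condition described under Cause. As the policy name states, the setting is applied at the next password change, so a changed policy only affects an account once its password has been changed.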



Keywords: KB911862, kbprb, kbtshoot, kberrmsg


Article Info
Article ID : 911862
Revision : 4
Created on : 10/11/2007
Published on : 10/11/2007
Exists online : False