Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / Languages / C# / April 2008

Tip: Looking for answers? Try searching our database.

Problems with security requirements in Windows WorkGroups.

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
womin - 05 Mar 2008 15:21 GMT
Hello everybody,

I have a .NET C# client-server application that is being used in two
machines with Windows XP installed. Both the client and the server are
executed into users of a Work Group.

I am using .NET Remoting to connect the client and the server with a TCP
channel. The registration of the channel is made by using the following code:

"ChannelServices.RegisterChannel(channel, true);"

Where "channel" is a TCP channel. The ensureSecurity option is set to "true"
in order to ensure the channel encryption.

Both the client and sever must send objects to each other (usually using a
proxy).

The problem is, although this environment works well in most of the cases, I
have an example where I obtain the following error text when the server tries
to access the client proxy (the error is displayed in the client):

"A remote side security requirement was not fulfilled during authentication.
Try increase the ProtectionLevel and/or ImpersonationLevel".

It is important to remark that the (.NET Remoting) proxies have right
permissions when accessing the server from the client.

After that, I have proved making the following change to the TCP channel:

"ChannelServices.RegisterChannel(channel, false);"

That is, setting "false" the ensureSecurity option. So this means (as the
Microsoft documentation says) that the channel will be encrypted only in case
it is possible. So in this case the error is resolved because although the
server does not have the proper client credentials, the channel will not be
encrypted.

Finally, my question: I mandatory need to ensure the encryption of the
channel, and I need to know which could be the problem with the impersonation
and credentials in the wrong example. Is it machine configuration dependant?
Which is the reason for having two environment apparently identical (Windows
XP, WorkGroup, same users) but with different behavors?

Could you please give me some help about my problem?

Thanks a lot in advance.

Regards,

Domingo.

Signature

Domingo López.
Software Engineer & Project Manager.
Visual Tools.

Reply to this Message
Steven Cheng - 06 Mar 2008 06:13 GMT
Hi Domingo,

From your description, I got that you're encountering some security error
when using .net remoting to communicate between client , server
application, correct?

Based on my experience, this general error message could be caused by many
things such as user identity not supplied,  or the client and server
channel's security setting not match.....

As for the error, what's the innerException, generally the inner exception
may provide some further information. Also, for non-domain machines that
need to communicate under windows authentication, you need to use a
duplicated account(with same username/password) on both sides.   If
convenient, you can try creating a simplified client/server project
pair(with a very simple remoting class) to demonstrate the problem. And you
can send me the package so that I can also perform some tests on my side.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================
   

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: =?Utf-8?B?d29taW4=?= <vt_supervisor@grupodenoticias.anti-spam>
>Subject: Problems with security requirements in Windows WorkGroups.
[quoted text clipped - 50 lines]
>
>Domingo.
Reply to this Message
womin - 06 Mar 2008 16:57 GMT
Hello Steven, first of all, thank you for your quick answer.

Yes, of course I have a security error as you can read in the error message
I obtain:

"A remote side security requirement was not fulfilled during authentication.
Try increase the ProtectionLevel and/or ImpersonationLevel".

(No Inner Exception is thrown)

I can give you some code generated for the error purpose. It consists in a
small chat application between a client (ChatClient) and a server
(ChatServer). By the way, how should I send you the code? I can not find a
way in my web news interface... :(

I am executing the example in two machines with Windows XP, the same users
and passwords in both machines and belonging to a WorkGroup.

When I try to use the TCP channel I get the error (with NO inner exception
messages) I have written above.

Thanks again and regards,

Domingo.
Signature

Domingo López.
Software Engineer & Project Manager.
Visual Tools.

> Hi Domingo,
>
[quoted text clipped - 112 lines]
> >
> >Domingo.
Reply to this Message
Steven Cheng - 10 Mar 2008 02:03 GMT
Thanks for your reply Domingo,

You can reach me through the following email:

"stcheng" + "@" + "microsoft.com"

Best regards,

Steven Cheng
Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we

can improve the support we provide to you. Please feel free to let my
manager know what you think of

the level of service provided. You can send feedback directly to my manager
at: msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: =?Utf-8?B?d29taW4=?= <vt_supervisor@grupodenoticias.anti-spam>
>References:  <800CF03C-C49C-4E08-B27F-681FEBC8F60D@microsoft.com>
<p3vBGF1fIHA.4200@TK2MSFTNGHUB02.phx.gbl>
>Subject: RE: Problems with security requirements in Windows WorkGroups.
>Date: Thu, 6 Mar 2008 08:57:02 -0800

>Hello Steven, first of all, thank you for your quick answer.
>
[quoted text clipped - 50 lines]
>>
>> Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
>> ications.
>>
[quoted text clipped - 82 lines]
>> >
>> >Domingo.
Reply to this Message
womin - 12 Mar 2008 10:40 GMT
Hi again, Steven.

I have sent you an email some days ago with the example code to the address
you wrote me below. Did you receive it? If not, please let me know to try to
send it again.

Thank you very much, sincerally,

Domingo.

Signature

Domingo López.
Software Engineer & Project Manager.
Visual Tools.

> Thanks for your reply Domingo,
>
[quoted text clipped - 187 lines]
> >> >
> >> >Domingo.
Reply to this Message
Steven Cheng - 13 Mar 2008 10:37 GMT
Hi Domingo,

I've got the email. Seems it is origially routered to an incorrect folder
which made me miss it.  I'll perform some test on it and let you know my
results.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: =?Utf-8?B?d29taW4=?= <vt_supervisor@grupodenoticias.anti-spam>
>References:  <800CF03C-C49C-4E08-B27F-681FEBC8F60D@microsoft.com>
<p3vBGF1fIHA.4200@TK2MSFTNGHUB02.phx.gbl>
<975D4CC3-0401-4DB3-A064-C4D3E5D2C9DA@microsoft.com>
<I5VjYqkgIHA.4672@TK2MSFTNGHUB02.phx.gbl>
>Subject: RE: Problems with security requirements in Windows WorkGroups.
>Date: Wed, 12 Mar 2008 02:40:00 -0700

>Hi again, Steven.
>
[quoted text clipped - 94 lines]
>> >>
>> >> Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
>> >> ications.
>> >>
[quoted text clipped - 97 lines]
>> >> >
>> >> >Domingo.
Reply to this Message
Steven Cheng - 18 Mar 2008 11:53 GMT
Hi Domingo,

I have performed some tests on the projects, so far I've tried running it
on multiple machines (such as XP or windows 2k3 server). I have domain
environment, so I use local accounts to run both of them and here is the
result:

** with duplicated account(same username/password), it works

** with a normal local account(only exists on client machine), it fails.

I'll try establising a non-domain environment to see whether it differs. It
may take some further time since all my existing local test environment are
in domain.

Steven Cheng
Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

>Date: Thu, 13 Mar 2008 09:37:14 GMT
>Subject: RE: Problems with security requirements in Windows WorkGroups.
[quoted text clipped - 258 lines]
>>> >> >
>>> >> >Domingo.
Reply to this Message
visual_devel - 18 Mar 2008 15:43 GMT
Ok Steven, I will wait until you test a non-domain environment (remember I
tested a WorkGroup).

Thanks,

Domingo.

> Hi Domingo,
>
[quoted text clipped - 273 lines]
> will
> >>> not
Reply to this Message
Steven Cheng - 21 Mar 2008 12:04 GMT
Hi Domingo,

After testing on two workgroup(non-domain) machines, I've repro the
problem. I'll do some further research on this and let you know as soon as
I get any new update.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: =?Utf-8?B?dmlzdWFsX2RldmVs?= <visualdevel@discussions.microsoft.com>
>References:  <800CF03C-C49C-4E08-B27F-681FEBC8F60D@microsoft.com>
<p3vBGF1fIHA.4200@TK2MSFTNGHUB02.phx.gbl>
<975D4CC3-0401-4DB3-A064-C4D3E5D2C9DA@microsoft.com>
<I5VjYqkgIHA.4672@TK2MSFTNGHUB02.phx.gbl>
<885394C5-87AB-4E98-B379-520807BC5B10@microsoft.com>
<XI2Jg3OhIHA.360@TK2MSFTNGHUB02.phx.gbl>
<mQnbaZOiIHA.6264@TK2MSFTNGHUB02.phx.gbl>
>Subject: RE: Problems with security requirements in Windows WorkGroups.
>Date: Tue, 18 Mar 2008 07:43:02 -0700

>Ok Steven, I will wait until you test a non-domain environment (remember I
>tested a WorkGroup).
[quoted text clipped - 280 lines]
>> will
>> >>> not
Reply to this Message
Steven Cheng - 24 Mar 2008 04:28 GMT
Hi Domingo,

After further research, I've got some information that may help on this
issue. For two non-domain computers(with local accounts) scenario in
remoting, you can check the following setting in windows Local security
policy:

**launch  secpol.msc or use the following path to open local security
setting

"control panel-->administrative tools-->local security policy"

**In the opened mmc console, locate "Local Policies--> Security Options"
node in left view

** in the right view, find the following setting item:

Network access: Sharing and security model for local accounts

the setting could be set to "guest only". If so, switch it to "classic"

reboot the machine and test again to see whether it works.  In my local
test environment, I used two windows XP boxes, after changed the above mode
to "classic" on both ones, the local accounts works for non-domain
environment remoting.

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: stcheng@online.microsoft.com ("Steven Cheng")
>Organization: Microsoft
>Date: Fri, 21 Mar 2008 11:04:18 GMT
>Subject: RE: Problems with security requirements in Windows WorkGroups.

>Lines: 311      
>Path: TK2MSFTNGHUB02.phx.gbl
[quoted text clipped - 358 lines]
>>> will
>>> >>> not
Reply to this Message
Steven Cheng [MSFT] - 26 Mar 2008 11:20 GMT
Hi Domingo,

Does the suggestion in previous message help on this issue?

Best regards,

Steven Cheng
Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

>From: stcheng@online.microsoft.com ("Steven Cheng")
>Organization: Microsoft
>Date: Mon, 24 Mar 2008 03:28:09 GMT
>Subject: RE: Problems with security requirements in Windows WorkGroups.

>Hi Domingo,
>
[quoted text clipped - 37 lines]
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
Reply to this Message
visual_devel - 28 Mar 2008 12:35 GMT
Hi again, Steven.

I have already test the suggestion you made me, and unfortunately the result
was not successfull enough.

I have changed the parameter "Network access: Sharing and security model for
local accounts" in the local policy from "guest only" to "classic" in both
server and client machines. The connection with the dummy application was
made successfull, I can send messages from client to server but I get an
exception when sending messages from server to client.

The exception is thrown in ChatCoordinator.SendMessage line. I am going to
send you a screenshot of the exception to your personal email adress.

Do you know what is happening to me?

Thanks again,

Domingo.

> Hi Domingo,
>
[quoted text clipped - 62 lines]
> >
> >This posting is provided "AS IS" with no warranties, and confers no rights.
Reply to this Message
visual_devel - 11 Apr 2008 07:20 GMT
Hello, Steven,

do you know anything else about my problem?

Thanks,

Domingo.

> Hi again, Steven.
>
[quoted text clipped - 82 lines]
> > >
> > >This posting is provided "AS IS" with no warranties, and confers no rights.
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.