Hi everybody,
my OPC DA server logs the following message into the Windows Event Log:
The server-side authentication level policy does not allow the user OPCDASRV\user SID (...) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
How can I do that for my jinterop client?
I am thankful for any hint,
Tobias
(This may have to do with KB5004442; Microsoft describes that I have to raise the )
Hi,
Check the JIServer classes, I think. It's been a while since I had a look at the code, but it's there somewhere.
Best regards,
Vikram
On Tue, Mar 22, 2022, 19:24 Tobias Neubert tobiasneubert@users.sourceforge.net wrote:
Hi and thank you for your answer. I think I managed to find the property that controls the authentication level: rpc.ntlm.sign. This property is false by default; I changed it to true. That way, the NtlmConnection creates a Type1 message (whatever this is) with the NtlmFlags.NTLMSSP_NEGOTIATE_SIGN set and an AuthenticationVerifier with the protectionLevel 5, which is rpc.Security.PROTECTION_LEVEL_INTEGRITY.
But now my j-interop client throws the following exception with the suspicious unknown code 5. So what am I doing wrong? Do I have to sign my client now?
org.jinterop.dcom.common.JIException: Message not found for errorCode:
    at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:661)
    at org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:496)
    at org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:460)
    at org.openscada.opc.lib.da.Server.connect(Server.java:108)
    at my.client.Client.connect(OpcDaClient.java:46)
    ...
Caused by: rpc.FaultException: Received fault. (unknown)
    at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:142)
    at rpc.Stub.call(Stub.java:113)
    at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:645)
    ... 27 common frames omitted
Again, I am thankful for any help,
Tobias
It's access denied.
https://stackoverflow.com/questions/45605656/jinterop-access-is-denied-0x00000005
On Wed, Mar 23, 2022, 15:41 Tobias Neubert tobiasneubert@users.sourceforge.net wrote:
Ok, where do you see that? And why should it be an access denied if the client does not get an access denied without setting the rpc.ntlm.sign to true?
I am sorry, but I am not familiar with DCOM.
Ah, ok, I found the list of error codes.
Ok, changing the rpc.ntlm.sign property to true makes it worse. So let me ask:
Hi Vikram,
can you please help me with this? I found out more:
It is the ping requests and the SCMActivator that produce the error messages on the Windows 10 server.
I managed to get the ping requests to work without errors by setting the default of rpc.ntlm.sign to true in JIComOxidStub.
But the SCMActivator does not work that way. I debugged into the code and think that I have to set rpc.ntlm.ntlm2 to true in the JIComServer in order to let the DefaultConnection signAndSeal the ndr. But doing so results in a 0x00000721 telling me that something with the security provider.
I really need to fix this because KB5004442, which will be activated by Microsoft by default in June this year and cannot be deactivated anymore starting from the 14th of March next year, breaks our DCOM client.
Hi Tobias, did you ever find a solution - I am facing a similar problem.
Many thanks
Phil
Hi Guys -
We had a similar problem with KB5004442 in some legacy code. Looks like it's a bug in JIComServer - the session security flags need to be set before the call to JIComServer.init(). I was only interested in a quick patch, so I copied the seal and sign flags set by session.isSessionSecurityEnabled() to JIComServer.initialize(...) just before the call. The flags are actually used in NTLMConnection.outgoingRebind().
Seemed to fix the problem, bought us some time so we can remove the COM access.
Hope that helps,
aep
Last edit: Alex Pound 2022-05-27
Hi Alex,
we have the same problem with KB5004442 in some legacy code...
Could you please post your solution?
Did you use the current 3.0 version? I can't find the latest version of the source code...
I am thankful for any help
Hi Alex,
I have tested your approach in our system but cannot get it running. So, I have copied the following into JIComServer.initialize(...) right before the init() call:
It fails to connect no matter if the hardening introduced by KB5004442 is enabled or not.
@Alex could you post your patch, so I could try it with your changes? That would be great! Thank you in advance.
Hello, has anyone had any luck with raising the auth level as suggested in the Windows event log and gaining access to the DCOM server? I have tried the suggestions above, however I still get an access denied message. I have also set the required registry setting as outlined in KB5004442, but that doesn't make a difference on Windows Server 2022 (however, it does do the trick on an older version, Windows 2012).
What am I missing? Any help would be greatly appreciated.
Thanks
Phil
Hey Guys - Sorry, the SF notifications were buried in my spam folder, just ran across them this weekend.
@Hrvoje - that's the right idea - I moved the entire section from init()
which let me double check that the session security was enabled. If you're still having trouble, break in NTLMConnection.outgoingRebind() to check that the protectionLevel is set:
(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY is 0x05; setting "rpc.ntlm.seal" should give you RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 0x06.)
We aren't using WS 2022 yet, cannot speak to what might be going on there. Entirely possible the flag isn't read on 2022.
I'll try to keep a better eye on this thread, but have some vacation coming up and won't have internet.
Thanks,
aep
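Added example, not code from the thread or from the j-interop project: a small Python triage helper that parses the server's Event ID 10036 text quoted at the top of the thread and compares the level it demands with the level a j-interop client would negotiate from the rpc.ntlm.sign / rpc.ntlm.seal properties Alex describes (sign = 5, seal = 6). The fallback level of 2 when neither flag is set is an assumption, and the sample event texts are constructed.

```python
import re

# RPC authentication levels (RPC_C_AUTHN_LEVEL_* in the Windows RPC API).
AUTHN_LEVELS = {
    "RPC_C_AUTHN_LEVEL_NONE": 1, "RPC_C_AUTHN_LEVEL_CONNECT": 2,
    "RPC_C_AUTHN_LEVEL_CALL": 3, "RPC_C_AUTHN_LEVEL_PKT": 4,
    "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY": 5, "RPC_C_AUTHN_LEVEL_PKT_PRIVACY": 6,
}

# Shape of the DCOM hardening event text (Event ID 10036) quoted at the top of the thread.
_EVENT_RE = re.compile(
    r"does not allow the user (?P<user>\S+) SID \((?P<sid>[^)]*)\) "
    r"from address (?P<address>\S+) to activate DCOM server\. "
    r"Please raise the activation authentication level at least to "
    r"(?P<level>RPC_C_AUTHN_LEVEL_\w+)")

def parse_10036(message):
    """User, SID, client address and required level of one 10036 message, else None."""
    m = _EVENT_RE.search(message)
    if m is None or m.group("level") not in AUTHN_LEVELS:
        return None
    return {"user": m.group("user"), "sid": m.group("sid"), "address": m.group("address"),
            "required_level": AUTHN_LEVELS[m.group("level")]}

def client_level(props):
    """Level a j-interop client negotiates from its rpc.ntlm.* properties, as the thread
    describes: rpc.ntlm.seal -> PKT_PRIVACY (6), rpc.ntlm.sign -> PKT_INTEGRITY (5).
    Assumption: with neither flag set the client stays at CONNECT (2)."""
    if props.get("rpc.ntlm.seal", "false").lower() == "true":
        return AUTHN_LEVELS["RPC_C_AUTHN_LEVEL_PKT_PRIVACY"]
    if props.get("rpc.ntlm.sign", "false").lower() == "true":
        return AUTHN_LEVELS["RPC_C_AUTHN_LEVEL_PKT_INTEGRITY"]
    return AUTHN_LEVELS["RPC_C_AUTHN_LEVEL_CONNECT"]

def triage(messages, props):
    """Match each 10036 event against the client's configured level; "fix" names the
    property that would satisfy it, or is None when the level already suffices."""
    results = []
    for text in messages:
        event = parse_10036(text)
        if event is None:
            continue  # not a DCOM hardening event
        have, need = client_level(props), event["required_level"]
        event["client_level"] = have
        if have >= need:
            event["fix"] = None
        elif need >= AUTHN_LEVELS["RPC_C_AUTHN_LEVEL_PKT_PRIVACY"]:
            event["fix"] = "rpc.ntlm.seal=true"
        else:
            event["fix"] = "rpc.ntlm.sign=true"
        results.append(event)
    return results

# Constructed sample event texts in the format quoted in the thread (not real log data).
SAMPLE_EVENTS = [
    "The server-side authentication level policy does not allow the user OPCDASRV\\opcuser "
    "SID (S-1-5-21-1111-2222-3333-1001) from address 192.0.2.10 to activate DCOM server. "
    "Please raise the activation authentication level at least to "
    "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.",
    "The application-specific permission settings do not grant Local Activation permission.",
]
```

Running triage(SAMPLE_EVENTS, {}) reports the one hardening event with the sign flag as the fix; with rpc.ntlm.sign already true the same event comes back with fix None.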
Hi Alex, thanks for the quick reply.
I've set the Auth Level to 6 now and the windows system event is no longer present warning that the auth level needs to be raised. However, I now get the general 0x80080005 message which is proving harder to track down!
Kind Regards
Phil
Hey Phil -
Could be permissions - I was using WBEMTEST to isolate problems with permissions/DCOM from our code/jinterop, see Troubleshooting WMI.
Good luck,
aep
Hello everyone,
We are also facing a similar problem with Windows Server 2022. We set the sign and seal flags to true before init() as mentioned above and raised the auth level to packet privacy (6). Now we don't get the 10036 error events in the Windows event log, but we are still getting an access denied error [dcerpc.cn_status: nca_s_access_denied (0x00000005)]. Could anyone please help to resolve this issue?
Catching JIException in initialise()...5 Exception message --> Access is denied, please make sure that the domain/username/password are correct. [0x00000005]
Error reading NetBios: Access is denied, please make sure that the domain/username/password are correct. [0x00000005]
org.jinterop.dcom.common.JIException: Access is denied, please make sure that the domain/username/password are correct. [0x00000005]
at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:564)
at org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:483)
at org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:450)
at com.analyse.WMITest.getWMILocatorAndConnect(WMITest.java:35)
at com.analyse.WMITest.main(WMITest.java:85)
Caused by: rpc.FaultException: Received fault. (unknown)
at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:136)
at rpc.Stub.call(Stub.java:117)
at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:560)
... 4 more
Hi Tirumala, as mentioned, I'm experiencing exactly the same issue. I've asked the creators of the COM object we use to try it out on Windows Server 2022 and am awaiting their reply. Maybe they need to provide a software update.
Failing that, I guess it could be a question that needs to be raised with someone at Microsoft?
Hi Everyone,
Recently Microsoft's latest patch (8 Nov 2022) was released, which is described at the link below: https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.
This patch automatically raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. Most Windows DCOM client applications will automatically work with the DCOM hardening change on the server side without any modification to the DCOM client applications.
We have installed this latest patch on Windows Server 2022 (on the DC), and the WMI test connection still fails, with 10036 error events in the DC event viewer.
Anyone having any idea and update on this?
Hi, I gave up trying it with Windows 2022. I've had better success with Windows Server 2019 which had DCOM hardening switched on. With the changes to the j-interop (which I have made a PR for on GitHub https://github.com/skyghis/j-interop-ng) it can connect and activate the DCOM Server.
Good luck!
Last edit: Phil Harron 2022-12-16
Hi Phil, thank you for sharing the info...
We are facing an issue with a Windows Server 2022 DC and need to resolve this, as so many customers are impacted by it.
We have updated our application with the latest j-interop-ng-3.5.0.jar and can see that the auth level is raised to packet privacy. But the WMI test connection is still failing with error code 0x80010111, which is RPC_E_INVALID_HEADER: OLE received a packet with an invalid header.
The log trace was:
Error reading NetBios: Message not found for errorCode: 0x80010111
org.jinterop.dcom.common.JIException: Message not found for errorCode: 0x80010111
at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:568)
at org.jinterop.dcom.core.JIComServer.initialise(JIComServer.java:485)
at org.jinterop.dcom.core.JIComServer.<init>(JIComServer.java:446)
at com.analyse.WMITest.getWMILocatorAndConnect(WMITest.java:35)
at com.analyse.WMITest.main(WMITest.java:85)
Caused by: org.jinterop.dcom.common.JIRuntimeException: Message not found for errorCode: 0x80010111
at org.jinterop.dcom.core.JIRemActivation.read(JIRemActivation.java:149)
at ndr.NdrObject.decode(NdrObject.java:32)
at rpc.ConnectionOrientedEndpoint.call(ConnectionOrientedEndpoint.java:111)
at rpc.Stub.call(Stub.java:112)
at org.jinterop.dcom.core.JIComServer.init(JIComServer.java:559)
... 4 more
First of all, thanks guys for sharing your fixes.
Could you explain to me how to rebuild the project? I didn't find any build script in the source tree.
Thanks in advance