DCOM and Vista - Access denied

Thanks a lot Jesper,

I will try this out on Monday because my Vista machine is at the office.
You are right it could be because of the LAN manager authentication level.
Is there a way to control this setting programmatically? It is possible to
be changed by DCOMCNFG or with the UI. The best way that I found is to
change the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\lsa
lmcompatibilitylevel

Is there an API function to change this value per process? I do not want to
change the global OS settings. I just want to change this value per my
application only.

There is one more thing that I cannot explain with the LAN manager
authentication level: If the client and the server machines are Vista and XP
it make sense to have Access Denied because XP has
"Send LM & NTLM responses" set by default and Vista default setting is "Send
NTLMv2 response only...". I also mentioned that I tried to use Vista
machines for the client and the server as well and I still got Access
Denied.
If the only reason for the Access Denied was the LAN manager authentication
level in the case of two Vista machines it would be possible to establish
connection (the default settings are the same).
At least this is what I think.

Once again, thanks a lot for your time

Regards
"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:1A9BC301-2244-4639-B2D0-004FF5A899AA@microsoft.com...

> Which authentication protocols are you permitting in your service? Vista
> does
> not volunteer NTLM or LM by default. If your service requires those you
> would
> get the access denied. You need to make sure your service supports NTLMv2
> to
> permit incoming connections from Vista.
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
> "Ivco" wrote:
>

>> Hello
>>
>> I have a DCOM server up and running on a machine with XP. I can connect
>> to this server from another XP machine without any problems (running a
>> DCOM client). I have callbacks working as well. The problem comes when I
>> run the client on a Vista machine and try to connect to the same DCOM
>> server on the XP machine. I tried a lot of settings with DCOMCNFG I also
>> switched off the firewall on both of the machines. The result is always
>> the same "Access denied".
>>
>> The next step was to setup the DCOM server on a Vista machine and to try
>> to access it from XP - again "Access denied".
>>
>> I also tried to access the server on Vista machine from another Vista
>> machine - "Access denied".
>>
>> Next attempt was to leave only TCP as a communication protocol for DCOM
>> on both (client and server) machines. From the Ethereal trace I saw that
>> there is a communication between the two machines, there are RPC packets
>> back and forth but it looks like that the server side always says
>> "Access denied" if there is a Vista machine involved.
>>
>> There must be something else that I do not know or that I am missing
>> while configuring Vista.
>>
>>
>> Any help is highly appreciated
>>
>>

> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\lsa

> lmcompatibilitylevel

That enables the protocols for use, subject to the application actually
using them.

> Is there an API function to change this value per process? I do not want to
> change the global OS settings. I just want to change this value per my
> application only.

I think you would just do it in CoInitializeSecurity(). I'm not really an
expert at RPC but you need to make sure the parameters match on both sides
for asAuthSvc and dwAuthnLevel. It sounds really weird that it should fail
because of this as Windows XP supports inbound NTLMv2, but check if the
server on XP has it set to RPC_C_AUTHN_WINNT. It could be that the XP box
expects only NTLM and Vista sends only NTLMv2, causing the failure. If you
use RPC_C_AUTHN_GSS_NEGOTIATE instead they should negotiate. There may also
be a mismatch in the RPC_C_AUTHN_LEVEL parameters. Take a look at what they
say.

> There is one more thing that I cannot explain with the LAN manager
> authentication level: If the client and the server machines are Vista and XP
> it make sense to have Access Denied because XP has
> "Send LM & NTLM responses" set by default and Vista default setting is "Send
> NTLMv2 response only...".

Not really. XP and Vista will both accept LM, NTLM, and NTLMv2 inbound. The
settings only configure what they send outbound. See
http://www.microsoft.com/technet/tec...SecurityWatch/ for
more info.

> I also mentioned that I tried to use Vista
> machines for the client and the server as well and I still got Access
> Denied.

I missed that. Check the value of the NTLMSSP settings too. The article I
pointed to above has a sidebar on them.

> If the only reason for the Access Denied was the LAN manager authentication
> level in the case of two Vista machines it would be possible to establish
> connection (the default settings are the same).
> At least this is what I think.

The DCOM hardening that came out with Windows XP SP2 made this a fair bit
more complicated. Anything that uses anonymous RPC basically fails with
Access Denied now. This KB article explains it at a basic level:
http://support.microsoft.com/kb/838191

Thanks for all the info that you gave me, Jasper.


I tried to set the Local Security Policy to use only NTLMv2 on both
machines(Vista and XP) - the result was Access Denied again.

My current configuration is:
1. The client is running on Vista, the server on XP.
2. I am calling CoInitializeSecurity on the client and on
the server side like this:
hr = CoInitializeSecurity( NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_NONE,
RPC_C_IMP_LEVEL_IDENTIFY, NULL, EOAC_NONE, NULL );

3. The Local Security Policy is set to use only NTLMv2 on both machines(Vista and XP).

I took the trace while trying to establish a connection and here it is:

No Source Dest. Protocol Info
1 client server TCP 60682 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
2 server client TCP epmap > 60682 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
3 client server TCP 60682 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 client server DCERPC Bind: call_id: 1, 2 context items, 1st UUID: IOXIDResolver
5 server client DCERPC Bind_ack: call_id: 1 Provider rejection, reason: Proposed transfer syntaxes not supported
6 client server IOXIDResolver ServerAlive2 request
7 server client IOXIDResolver ServerAlive2 response
8 client server TCP 60683 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
9 server client TCP epmap > 60683 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
10 client server TCP 60683 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
11 client server DCERPC Bind: call_id: 2 UUID: ISystemActivator, NTLMSSP_NEGOTIATE
12 server client DCERPC Bind_ack: call_id: 2, NTLMSSP_CHALLENGE accept max_xmit: 5840 max_recv: 5840
13 client server DCERPC AUTH3: call_id: 2, NTLMSSP_AUTH, User: Ivco-VISTA\Administrator
14 client server ISystemActivator RemoteCreateInstance request
15 server client TCP epmap > 60683 [ACK] Seq=183 Ack=1347 Win=62894 Len=0
16 server client DCERPC Fault: call_id: 2 ctx_id: 1 status: nca_s_fault_access_denied
17 client server TCP 60683 > epmap [FIN, ACK] Seq=1347 Ack=215 Win=65280 Len=0
18 server client TCP epmap > 60683 [FIN, ACK] Seq=215 Ack=1347 Win=62894 Len=0
19 server client TCP epmap > 60683 [ACK] Seq=216 Ack=1348 Win=62894 Len=0
20 client server TCP 60683 > epmap [ACK] Seq=1348 Ack=216 Win=65280 Len=0
21 client server TCP 60684 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
22 server client TCP epmap > 60684 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
23 client server TCP 60684 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
24 client server DCERPC Bind: call_id: 3 UUID: ISystemActivator
25 server client DCERPC Bind_ack: call_id: 3 accept max_xmit: 5840 max_recv: 5840
26 client server ISystemActivator RemoteCreateInstance request
27 server client DCERPC Fault: call_id: 3 ctx_id: 1 status: nca_s_fault_access_denied
28 server client TCP epmap > 60684 [FIN, ACK] Seq=93 Ack=897 Win=63344 Len=0
29 client server TCP 60684 > epmap [FIN, ACK] Seq=897 Ack=93 Win=65536 Len=0
30 client server TCP 60684 > epmap [ACK] Seq=898 Ack=94 Win=65536 Len=0
31 server client TCP epmap > 60684 [ACK] Seq=94 Ack=898 Win=63344 Len=0
32 client server TCP 60682 > epmap [ACK] Seq=141 Ack=217 Win=65280 Len=0

I do not like packets number 5 and 16. There is one more fault on line 27 but I think that it
is a second attempt to establish the connection.

I tried to set EnableAuthEpResolution to 0 on the XP box(in fact this key was not there, so I created it). According to the doc-s that I read even if the EnableAuthEpResolution is not in the registry
its default value is 1.


Any help is appreciated

Jesper wrote:

>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\lsa
>> lmcompatibilitylevel

>
> That enables the protocols for use, subject to the application actually
> using them.
>

>> Is there an API function to change this value per process? I do not want to
>> change the global OS settings. I just want to change this value per my
>> application only.

>
> I think you would just do it in CoInitializeSecurity(). I'm not really an
> expert at RPC but you need to make sure the parameters match on both sides
> for asAuthSvc and dwAuthnLevel. It sounds really weird that it should fail
> because of this as Windows XP supports inbound NTLMv2, but check if the
> server on XP has it set to RPC_C_AUTHN_WINNT. It could be that the XP box
> expects only NTLM and Vista sends only NTLMv2, causing the failure. If you
> use RPC_C_AUTHN_GSS_NEGOTIATE instead they should negotiate. There may also
> be a mismatch in the RPC_C_AUTHN_LEVEL parameters. Take a look at what they
> say.
>

>> There is one more thing that I cannot explain with the LAN manager
>> authentication level: If the client and the server machines are Vista and XP
>> it make sense to have Access Denied because XP has
>> "Send LM & NTLM responses" set by default and Vista default setting is "Send
>> NTLMv2 response only...".

>
> Not really. XP and Vista will both accept LM, NTLM, and NTLMv2 inbound. The
> settings only configure what they send outbound. See
> http://www.microsoft.com/technet/tec...SecurityWatch/ for
> more info.
>

>> I also mentioned that I tried to use Vista
>> machines for the client and the server as well and I still got Access
>> Denied.

>
> I missed that. Check the value of the NTLMSSP settings too. The article I
> pointed to above has a sidebar on them.
>

>> If the only reason for the Access Denied was the LAN manager authentication
>> level in the case of two Vista machines it would be possible to establish
>> connection (the default settings are the same).
>> At least this is what I think.

>
> The DCOM hardening that came out with Windows XP SP2 made this a fair bit
> more complicated. Anything that uses anonymous RPC basically fails with
> Access Denied now. This KB article explains it at a basic level:
> http://support.microsoft.com/kb/838191
>

Aah. I see a few things that could be wrong there:

1. The reason you are getting an access denied is because you are trying to
connect to the XP machine with the admin account from the Vista machine. Look
at the trace, it is clearly using specifying the account domain as
ivco-vista. That won't work because that account does not have any rights on
XP. You need to specify the name of an account that does have permissions on
XP. Further, why are you using the Administrator account on the Vista
machine? That doesn't work so well because that account is normally disabled
under Vista and should not be used.
2. You have let COM chose the auth-service. That does seem to work, but it
might be better to force it.
3. You have trned off the authentication levels. Why is that? Why not use
RPC_C_AUTHN_LEVEL_DEFAULT and let the system figure it out?
4. Same with impersonation level. Why not just use default?


---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Ivco" wrote:

> Thanks for all the info that you gave me, Jasper.
>
>
> I tried to set the Local Security Policy to use only NTLMv2 on both
> machines(Vista and XP) - the result was Access Denied again.
>
> My current configuration is:
> 1. The client is running on Vista, the server on XP.
> 2. I am calling CoInitializeSecurity on the client and on
> the server side like this:
> hr = CoInitializeSecurity( NULL, -1, NULL, NULL,
> RPC_C_AUTHN_LEVEL_NONE,
> RPC_C_IMP_LEVEL_IDENTIFY, NULL, EOAC_NONE, NULL );
>
> 3. The Local Security Policy is set to use only NTLMv2 on both machines(Vista and XP).
>
> I took the trace while trying to establish a connection and here it is:
>
> No Source Dest. Protocol Info
> 1 client server TCP 60682 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
> 2 server client TCP epmap > 60682 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
> 3 client server TCP 60682 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
> 4 client server DCERPC Bind: call_id: 1, 2 context items, 1st UUID: IOXIDResolver
> 5 server client DCERPC Bind_ack: call_id: 1 Provider rejection, reason: Proposed transfer syntaxes not supported
> 6 client server IOXIDResolver ServerAlive2 request
> 7 server client IOXIDResolver ServerAlive2 response
> 8 client server TCP 60683 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
> 9 server client TCP epmap > 60683 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
> 10 client server TCP 60683 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
> 11 client server DCERPC Bind: call_id: 2 UUID: ISystemActivator, NTLMSSP_NEGOTIATE
> 12 server client DCERPC Bind_ack: call_id: 2, NTLMSSP_CHALLENGE accept max_xmit: 5840 max_recv: 5840
> 13 client server DCERPC AUTH3: call_id: 2, NTLMSSP_AUTH, User: Ivco-VISTA\Administrator
> 14 client server ISystemActivator RemoteCreateInstance request
> 15 server client TCP epmap > 60683 [ACK] Seq=183 Ack=1347 Win=62894 Len=0
> 16 server client DCERPC Fault: call_id: 2 ctx_id: 1 status: nca_s_fault_access_denied
> 17 client server TCP 60683 > epmap [FIN, ACK] Seq=1347 Ack=215 Win=65280 Len=0
> 18 server client TCP epmap > 60683 [FIN, ACK] Seq=215 Ack=1347 Win=62894 Len=0
> 19 server client TCP epmap > 60683 [ACK] Seq=216 Ack=1348 Win=62894 Len=0
> 20 client server TCP 60683 > epmap [ACK] Seq=1348 Ack=216 Win=65280 Len=0
> 21 client server TCP 60684 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
> 22 server client TCP epmap > 60684 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
> 23 client server TCP 60684 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
> 24 client server DCERPC Bind: call_id: 3 UUID: ISystemActivator
> 25 server client DCERPC Bind_ack: call_id: 3 accept max_xmit: 5840 max_recv: 5840
> 26 client server ISystemActivator RemoteCreateInstance request
> 27 server client DCERPC Fault: call_id: 3 ctx_id: 1 status: nca_s_fault_access_denied
> 28 server client TCP epmap > 60684 [FIN, ACK] Seq=93 Ack=897 Win=63344 Len=0
> 29 client server TCP 60684 > epmap [FIN, ACK] Seq=897 Ack=93 Win=65536 Len=0
> 30 client server TCP 60684 > epmap [ACK] Seq=898 Ack=94 Win=65536 Len=0
> 31 server client TCP epmap > 60684 [ACK] Seq=94 Ack=898 Win=63344 Len=0
> 32 client server TCP 60682 > epmap [ACK] Seq=141 Ack=217 Win=65280 Len=0
>
> I do not like packets number 5 and 16. There is one more fault on line 27 but I think that it
> is a second attempt to establish the connection.
>
> I tried to set EnableAuthEpResolution to 0 on the XP box(in fact this key was not there, so I created it). According to the doc-s that I read even if the EnableAuthEpResolution is not in the registry
> its default value is 1.
>
>
> Any help is appreciated
>
> Jesper wrote:

> >> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\lsa
> >> lmcompatibilitylevel

> >
> > That enables the protocols for use, subject to the application actually
> > using them.
> >

> >> Is there an API function to change this value per process? I do not want to
> >> change the global OS settings. I just want to change this value per my
> >> application only.

> >
> > I think you would just do it in CoInitializeSecurity(). I'm not really an
> > expert at RPC but you need to make sure the parameters match on both sides
> > for asAuthSvc and dwAuthnLevel. It sounds really weird that it should fail
> > because of this as Windows XP supports inbound NTLMv2, but check if the
> > server on XP has it set to RPC_C_AUTHN_WINNT. It could be that the XP box
> > expects only NTLM and Vista sends only NTLMv2, causing the failure. If you
> > use RPC_C_AUTHN_GSS_NEGOTIATE instead they should negotiate. There may also
> > be a mismatch in the RPC_C_AUTHN_LEVEL parameters. Take a look at what they
> > say.
> >

> >> There is one more thing that I cannot explain with the LAN manager
> >> authentication level: If the client and the server machines are Vista and XP
> >> it make sense to have Access Denied because XP has
> >> "Send LM & NTLM responses" set by default and Vista default setting is "Send
> >> NTLMv2 response only...".

> >
> > Not really. XP and Vista will both accept LM, NTLM, and NTLMv2 inbound. The
> > settings only configure what they send outbound. See
> > http://www.microsoft.com/technet/tec...SecurityWatch/ for
> > more info.
> >

> >> I also mentioned that I tried to use Vista
> >> machines for the client and the server as well and I still got Access
> >> Denied.

> >
> > I missed that. Check the value of the NTLMSSP settings too. The article I
> > pointed to above has a sidebar on them.
> >

> >> If the only reason for the Access Denied was the LAN manager authentication
> >> level in the case of two Vista machines it would be possible to establish
> >> connection (the default settings are the same).
> >> At least this is what I think.

> >
> > The DCOM hardening that came out with Windows XP SP2 made this a fair bit
> > more complicated. Anything that uses anonymous RPC basically fails with
> > Access Denied now. This KB article explains it at a basic level:
> > http://support.microsoft.com/kb/838191
> >

>

Thanks for all the info that you gave me, Jesper.


I tried to set the Local Security Policy to use only NTLMv2 on both
machines(Vista and XP) - the result was Access Denied again.

My current configuration is:
1. The client is running on Vista, the server on XP.
2. I am calling CoInitializeSecurity on the client and on
the server side like this:
hr = CoInitializeSecurity( NULL, -1, NULL, NULL,
RPC_C_AUTHN_LEVEL_NONE,
RPC_C_IMP_LEVEL_IDENTIFY, NULL, EOAC_NONE, NULL );

3. The Local Security Policy is set to use only NTLMv2 on both machines(Vista and XP).

I took the trace while trying to establish a connection and here it is:

No Source Dest. Protocol Info
1 client server TCP 60682 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
2 server client TCP epmap > 60682 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
3 client server TCP 60682 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 client server DCERPC Bind: call_id: 1, 2 context items, 1st UUID: IOXIDResolver
5 server client DCERPC Bind_ack: call_id: 1 Provider rejection, reason: Proposed transfer syntaxes not supported
6 client server IOXIDResolver ServerAlive2 request
7 server client IOXIDResolver ServerAlive2 response
8 client server TCP 60683 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
9 server client TCP epmap > 60683 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
10 client server TCP 60683 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
11 client server DCERPC Bind: call_id: 2 UUID: ISystemActivator, NTLMSSP_NEGOTIATE
12 server client DCERPC Bind_ack: call_id: 2, NTLMSSP_CHALLENGE accept max_xmit: 5840 max_recv: 5840
13 client server DCERPC AUTH3: call_id: 2, NTLMSSP_AUTH, User: Ivco-VISTA\Administrator
14 client server ISystemActivator RemoteCreateInstance request
15 server client TCP epmap > 60683 [ACK] Seq=183 Ack=1347 Win=62894 Len=0
16 server client DCERPC Fault: call_id: 2 ctx_id: 1 status: nca_s_fault_access_denied
17 client server TCP 60683 > epmap [FIN, ACK] Seq=1347 Ack=215 Win=65280 Len=0
18 server client TCP epmap > 60683 [FIN, ACK] Seq=215 Ack=1347 Win=62894 Len=0
19 server client TCP epmap > 60683 [ACK] Seq=216 Ack=1348 Win=62894 Len=0
20 client server TCP 60683 > epmap [ACK] Seq=1348 Ack=216 Win=65280 Len=0
21 client server TCP 60684 > epmap [SYN] Seq=0 Ack=0 Win=8192 Len=0 MSS=1460 WS=8
22 server client TCP epmap > 60684 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0
23 client server TCP 60684 > epmap [ACK] Seq=1 Ack=1 Win=65536 Len=0
24 client server DCERPC Bind: call_id: 3 UUID: ISystemActivator
25 server client DCERPC Bind_ack: call_id: 3 accept max_xmit: 5840 max_recv: 5840
26 client server ISystemActivator RemoteCreateInstance request
27 server client DCERPC Fault: call_id: 3 ctx_id: 1 status: nca_s_fault_access_denied
28 server client TCP epmap > 60684 [FIN, ACK] Seq=93 Ack=897 Win=63344 Len=0
29 client server TCP 60684 > epmap [FIN, ACK] Seq=897 Ack=93 Win=65536 Len=0
30 client server TCP 60684 > epmap [ACK] Seq=898 Ack=94 Win=65536 Len=0
31 server client TCP epmap > 60684 [ACK] Seq=94 Ack=898 Win=63344 Len=0
32 client server TCP 60682 > epmap [ACK] Seq=141 Ack=217 Win=65280 Len=0

I do not like packets number 5 and 16. There is one more fault on line 27 but I think that it
is a second attempt to establish the connection.

I tried to set EnableAuthEpResolution to 0 on the XP box(in fact this key was not there, so I created it). According to the doc-s that I read even if the EnableAuthEpResolution is not in the registry
its default value is 1.


Any help is appreciated

Jesper wrote:

>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\lsa
>> lmcompatibilitylevel

>
> That enables the protocols for use, subject to the application actually
> using them.
>

>> Is there an API function to change this value per process? I do not want to
>> change the global OS settings. I just want to change this value per my
>> application only.

>
> I think you would just do it in CoInitializeSecurity(). I'm not really an
> expert at RPC but you need to make sure the parameters match on both sides
> for asAuthSvc and dwAuthnLevel. It sounds really weird that it should fail
> because of this as Windows XP supports inbound NTLMv2, but check if the
> server on XP has it set to RPC_C_AUTHN_WINNT. It could be that the XP box
> expects only NTLM and Vista sends only NTLMv2, causing the failure. If you
> use RPC_C_AUTHN_GSS_NEGOTIATE instead they should negotiate. There may also
> be a mismatch in the RPC_C_AUTHN_LEVEL parameters. Take a look at what they
> say.
>

>> There is one more thing that I cannot explain with the LAN manager
>> authentication level: If the client and the server machines are Vista and XP
>> it make sense to have Access Denied because XP has
>> "Send LM & NTLM responses" set by default and Vista default setting is "Send
>> NTLMv2 response only...".

>
> Not really. XP and Vista will both accept LM, NTLM, and NTLMv2 inbound. The
> settings only configure what they send outbound. See
> http://www.microsoft.com/technet/tec...SecurityWatch/ for
> more info.
>

>> I also mentioned that I tried to use Vista
>> machines for the client and the server as well and I still got Access
>> Denied.

>
> I missed that. Check the value of the NTLMSSP settings too. The article I
> pointed to above has a sidebar on them.
>

>> If the only reason for the Access Denied was the LAN manager authentication
>> level in the case of two Vista machines it would be possible to establish
>> connection (the default settings are the same).
>> At least this is what I think.

>
> The DCOM hardening that came out with Windows XP SP2 made this a fair bit
> more complicated. Anything that uses anonymous RPC basically fails with
> Access Denied now. This KB article explains it at a basic level:
> http://support.microsoft.com/kb/838191
>