I'm trying to use the IRASrv COM interface from my Windows service which runs as NetworkService.
When I instantiate the IRASrv interface from a console app running as the logged-on user, everything works fine:
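    using System;
    using System.Runtime.InteropServices;

    // raSrvCLSID (a Guid) and the IRASrv interop type are defined elsewhere.
    IRASrv srv = null;
    try
    {
        // Activate the COM server; throws if the CLSID is unknown or activation is refused.
        srv = (IRASrv)Activator.CreateInstance(Type.GetTypeFromCLSID(raSrvCLSID, true));
        if (srv != null)
        {
            Array sessionUsers = null;
            int sessionCount = 0;
            srv.GetSessionInfo(ref sessionUsers, ref sessionCount);
            if (sessionCount > 0)
            {
                string result = string.Empty;
                srv.GetNoviceUserInfo(ref result);
                Console.Out.WriteLine(result);
            }
        }
    }
    catch (COMException e)
    {
        Console.WriteLine(e.Message);
    }
    finally
    {
        // Release the runtime callable wrapper's reference to the COM object.
        if (srv != null)
        {
            Marshal.ReleaseComObject(srv);
        }
    }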
When I try the same code from my NetworkService service, IRASrv object instantiation fails with an Access Denied error:
Retrieving the COM class factory for component with CLSID {3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D} failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
Next, I tried impersonating the logged-on user by using successive calls to:
- LogonUser(..., LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ...)
- WindowsImpersonationContext.Impersonate()
Impersonation succeeds but I still get the Access Denied error when I subsequently attempt to instantiate the COM server object.
My understanding of COM interop in C# is somewhat flaky. What could be going wrong here?
Update
I see this error in event logs:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D} and APPID {F8FD03A6-DDD9-4C1B-84EE-58159476A0D7} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
So apparently impersonating the logged-on interactive user is not sufficient to activate the COM server.
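
An added example, not part of the original post: a C# console program that reads the launch and activation ACL the event log entry refers to and lists which accounts hold Local Activation for that APPID. It assumes the per-application ACL is stored in the AppID's `LaunchPermission` registry value; the class name `DcomLaunchAclDump` is hypothetical.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class DcomLaunchAclDump
{
    // Launch/activation access-mask bits defined in the Windows SDK headers.
    const int COM_RIGHTS_EXECUTE_LOCAL = 0x2;   // local launch
    const int COM_RIGHTS_ACTIVATE_LOCAL = 0x8;  // local activation

    static void Main()
    {
        // APPID and SID taken from the event log entry quoted in the question.
        const string appId = "{F8FD03A6-DDD9-4C1B-84EE-58159476A0D7}";
        var networkService = new SecurityIdentifier("S-1-5-20");

        byte[] raw;
        using (RegistryKey key = Registry.ClassesRoot.OpenSubKey(@"AppID\" + appId))
        {
            raw = key?.GetValue("LaunchPermission") as byte[];
        }
        if (raw == null)
        {
            // Without a per-application ACL, DCOM uses the machine-wide default
            // (HKLM\SOFTWARE\Microsoft\Ole, value DefaultLaunchPermission).
            Console.WriteLine("No LaunchPermission value for " + appId);
            return;
        }

        var sd = new RawSecurityDescriptor(raw, 0);
        if (sd.DiscretionaryAcl == null)
        {
            Console.WriteLine("Security descriptor has no DACL.");
            return;
        }

        // ACEs for groups the account belongs to also apply, so list every entry.
        foreach (GenericAce entry in sd.DiscretionaryAcl)
        {
            var ace = entry as KnownAce;
            if (ace == null) continue;
            Console.WriteLine("{0,-14} {1,-14} mask=0x{2:X} localLaunch={3} localActivation={4}{5}",
                ace.AceType, ace.SecurityIdentifier, ace.AccessMask,
                (ace.AccessMask & COM_RIGHTS_EXECUTE_LOCAL) != 0,
                (ace.AccessMask & COM_RIGHTS_ACTIVATE_LOCAL) != 0,
                ace.SecurityIdentifier == networkService ? "  <- NETWORK SERVICE" : "");
        }
    }
}
```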