Question

Acces Permissions for DCOM dll in ASP.NET IIS

Asked by: bcolladay

I am working on a website that uses DCOM for access to a proprietary database.  This is .NET 2.0.  I added it to the project through the add reference using the COM tab I selected the .exe file for the program as they suggest.  This works and I have a dll in my bin folder for my site.  I was able to make everything work in the Visual Studio environment on my local machine.  

I tried to implement the website on our web server and am getting permission errors:
Retrieving the COM class factory for component with CLSID {92A04261-BE5C-11D1-99CC-00C04FD3695E} failed due to the following error: 80070005.

I have added everyone I can think of into the Component Services-Security tab for the specified DCOM object:
IUSR_{LOCALMACHINE}
IWAM_{LOCALMACHINE}
{LOCALMACHINE}\ASPNET (ASP.NET Machine account)
NETWORK
NETWORK SERVICE
INTERACTIVE
Administrator
Internet Guest Account
SYSTEM

I even tried - Everyone

I have tried to change the Identity tab to use my credential but still  no joy.

Between each change I am restarting IIS Admin Service

I added the .exe file to the isapi section in my local IIS, This is the same exe I used to add the reference in Visual Studio.

I have registered the dll in the bin folder with regsvr32 just in case.

When I get the error, this is the error in the system event viewer:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{92A04261-BE5C-11D1-99CC-00C04FD3695E}
 to the user {LOCALMACHINE}\ASPNET SID (S-1-5-21-1177600299-2965752541-197591168-1012).  This security permission can be modified using the Component Services administrative tool.

I tried to add the user it said was being denied but it would only accept the ASPNET part not the SID or the number following.

In IIS IUSR_{LOCALMACHINE} is the username for the Authentication Method with Anonymous access checked and Allow IIS to control password.  Nothing else on that form is checked.

And to reiterate, this works in my Visual Studio Development Server on the same machine.

So my question is:
What is going on behind the scenes in visual studio that allows this to work, and how can I duplicate it.

Disclaimer:
I am testing this out on my XP IIS, but will be going live with 2003 server once I figure it out.  I originally tried all of this on the 2003 server but it was to inconvenient to restart IIS when I made a change.  There are many public websites on that server.  I was getting the same errors on 2003 server.

I attached a picture of the Solution explorer for the functioning Visual Studio Environment.

The code seems irrelevantbut here it is:
it is throwing the exception on this line:
 FormOA.CommenceDB CommenceData = new FormOA.CommenceDB();

using System;
using System.Configuration;
using System.Data;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using FormOA;
 
public partial class _Default : System.Web.UI.Page 
{
    string ViewType = "";
    protected void Page_Load(object sender, EventArgs e)
    {
        
        try
        {
            if (Request.QueryString["n"].Length > 0)
            {
                ViewType = Request.QueryString["n"].ToString();
                GetTickets();
            }
        }
        catch
        {
 
        }
    }
    private void GetTickets()
    {
 
        string orgid = "XXX";
        FormOA.CommenceDB CommenceData = new FormOA.CommenceDB();
        int mode = 0;
        int flags = 0;
        string search = "Closed";
        string search2 = "Not Equal to";
        string CMview = "Ticket";
        string BuildTheTickets = "";
        if (ViewType == "Closed")
        {
            search = "Closed";
            search2 = "Equal to";
        }
        if (ViewType == "Open")
        {
            search = "Closed";
            search2 = "Not Equal to";
        }
        if (ViewType == "All")
        {
            search = "Pending RMA";
            search2 = "Not Equal to";
        }
 
        FormOA.ICommenceCursor MyCommenceCursor;
        try
        {
            MyCommenceCursor = CommenceData.GetCursor(mode, CMview, flags);
            MyCommenceCursor.SetFilter("[ViewFilter(1,F,,Status, " + search2 + ", " + search + ")]", 0);
            string s2 = @"[ViewFilter(2,CTCF,, Relates to, Account, accountKey, Contains, """ + orgid + @""",)]";
            MyCommenceCursor.SetFilter(s2, 0);
            //MyCommenceCursor.SetFilter("[ViewFilter(2,CTCF,, Relates To, Account, accountKey, Equal To, " + orgid + ",)]", 0);
            MyCommenceCursor.SetSort("[ViewSort(Refers To Applications, ascending)]", 0);
            MyCommenceCursor.SetRelatedColumn(0, "Relates To", "Account", "Ticker", 0);
            MyCommenceCursor.SetColumn(1, "ticketKey", 0);
            MyCommenceCursor.SetColumn(2, "dateNew", 0);
            MyCommenceCursor.SetColumn(3, "Problem", 0);
            MyCommenceCursor.SetRelatedColumn(4, "Relates To", "Account", "accountKey", 0);
            MyCommenceCursor.SetColumn(5, "Status", 0);
            MyCommenceCursor.SetColumn(6, "Source", 0);
            MyCommenceCursor.SetRelatedColumn(7, "Relates To", "Employee", "properName", 0);
            MyCommenceCursor.SetRelatedColumn(8, "Relates To", "Contact", "properName", 0);
            MyCommenceCursor.SetColumn(9, "Resolution", 0);
            MyCommenceCursor.SetColumn(10, "Refers To Applications", 0);
 
            int RowCount = MyCommenceCursor.RowCount;
            FormOA.ICommenceQueryRowSet ars = MyCommenceCursor.GetQueryRowSet(RowCount, 0);                
}
                
            }
            ars = null;
            MyCommenceCursor = null;
            CommenceData = null;
        }
        catch (Exception Ex)
        {
 
        }
    }
}

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:

Select allOpen in new window

  • commence.jpg
    • 30 KB

    Solution explorer for the functioning Visual Studio Environment

    Solution explorer for the functioning Visual Studio Environment

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-10-07 at 08:32:06ID24792702
Tags

IIS DCOM Permissions

Topics

DCOM

,

.NET Framework 2.x

,

Microsoft IIS Web Server

Participating Experts
1
Points
0
Comments
16

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. DCOM with php !
    How do i configure the php.ini to support dcom ? (com works !) Thanx - Mark
  2. DCOM Question!!!
    Hi, I am trying to learn DCOM using VB I made very simple ActiveX EXE below is my stupid server. Public Sub Display(Message As String) MsgBox Message End Sub This is the only function that DCOM server has below is my client code. Private Sub Command1_Click() ...
  3. C#, ASP.NET, interop & DCOM?
    I have written an interop DLL that allows a .NET winform application to call in to some legacy code that uses DCOM. From the winform application this works fine. However, if I try to port this in to ASP.NET or a Web Service the code fails when it calls in to the DCOM object ...
  4. Identify option within DCOM deosnt work
    Hi, Im trying to run a COM object on our server which needs to run under the Administrator account. I have loaded the com object into Component Services and added a role with the Administrator Account. Under the "Identify" tab, the component shows as running under ...
  5. Can't access Excel get error message: System.Unauth…
    I’m using Visual Studio 2005 to do the development. I need ASP.NET to: 1. Take data from an SQL database. 2. Put data into an Excel spreadsheet (that is already created). 3. The Excel Spreadsheet then does some calculations. 4. ASP.NET saves and copies the spreadsheet with ...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: alimuPosted on 2009-10-08 at 19:53:30ID: 25532052

In Visual Studio because it's not really launching as part of a website, it's probably all executing under your credentials (which I'd guess are a member of the Administrators group on the local machine).

Administrators will have launch and activation permissions by default.

Going from the error you're seeing in Event Viewer, you should be going to the object in Component Services --> DCOM Config -->"Object Name".

Right Click on it --> properties --> Security Tab.

Under "Launch and Activation Permissions" select "Customize" and click on the Edit button.

Add <servername>\ASPNET to the list and make sure "Local Activation" is allowed.

If you're still having issues, go back and check the event log again.

You'll probably have to unload/kill remaining processes from your .NET application before testing the change to force a restart of the application and so that the changes take effect. (This is different to an IISRESET)

Additional note: your website files and anything done using standard html or asp code will use the IUSR_computername account if you are using anonymous BUT your .NET code will still be executing using the aspnet account (think of it as a distinct application within an application)..  Sidenote: I'm not a developer and will probably not be able to assist with coding related issues.

If still having problems, could you please post your current Launch and Activation permissions and any errors that are still showing up in the event log when you try to kick this off.

 

by: bcolladayPosted on 2009-10-09 at 12:23:17ID: 25538021

"If still having problems, could you please post your current Launch and Activation permissions and any errors that are still showing up in the event log when you try to kick this off."

Here are the settings from my post above:

I have added everyone I can think of into the Component Services-Security tab for the specified DCOM object:
IUSR_{LOCALMACHINE}
IWAM_{LOCALMACHINE}
{LOCALMACHINE}\ASPNET (ASP.NET Machine account)
NETWORK
NETWORK SERVICE
INTERACTIVE
Administrator
Internet Guest Account
SYSTEM

I even tried - Everyone

Here is the error I recieve in Event Viewer - DCOM

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{92A04261-BE5C-11D1-99CC-00C04FD3695E}
 to the user BCOLLADAY_LAP\ASPNET SID (S-1-5-21-1177600299-2965752541-197591168-1012).  This security permission can be modified using the Component Services administrative tool.

When I set the DCOM security settings I shut down IIS Admin Services and WWW Oublishing and ASP.NET State

This user name :
ASPNET SID (S-1-5-21-1177600299-2965752541-197591168-1012)
is set up in the permissions and in IIS except for the SID and the Alpha Numeric Following.

 

by: alimuPosted on 2009-10-11 at 17:19:37ID: 25547993

OK, just wanted to confim that you were setting the permissions in the
"Launch and Activation Permissions" section of the security tab as there are 3 different types of security access you can set from the Security tab.  

What COM Server application is CLSID 92A04261-BE5C-11D1-99CC-00C04FD3695E?

 

by: bcolladayPosted on 2009-10-12 at 05:59:05ID: 25550812

It is a proprietary Database/Customer Relationship Manager called Commence RM.  The Desktop exe is called from the interop dll and calls can be made to the product.

 

by: alimuPosted on 2009-10-12 at 16:14:45ID: 25555868

Has BCOLLADAY_LAP\ASPNET got NTFS permissions to the dll itself? (i.e. just basic file system permissions to read the file?)

 

by: bcolladayPosted on 2009-10-13 at 06:07:28ID: 25559414

I had assigned "Everyone" on the file level permissions.  I went back and added ASPNET FUll COntrol but still no joy.  I am trudging through the Process Monitor to see where the difference is between Visual Studio and IIS to see exactly what permission is getting denied/accepted  It seems to be coming down to IIS is using HK-User while Web.Dev is using HKCU.

 

by: alimuPosted on 2009-10-13 at 16:50:16ID: 25565993

You're on the same track I would've been - process monitor was what I would've suggested next but didn't want to inflict that particular suggestion on you until the obvious had been exhausted.. It pulls so much data it'll do your head in.

I'd still be leaning toward a permission issue with the aspnet account because of the particular errors you're seeing but you seem to have pretty much ruled out the potential causes (you've confimed the problem CLSID in the registry is actually your component,  that the place you're changing security is the launch permission section of the security tab and that the aspnet account has ntfs permissions to the dll so that rules out the main stuff that might have been jumped over).

Are you seeing any other .NET issues on this server (is the framework healthy?) or any other errors/warnings being logged when you try to spin up the app?

 

by: alimuPosted on 2009-10-13 at 16:55:53ID: 25566032

anothery I just thought of (but you've probably checked this too) - check your dll isn't set to read-only. Also Does your application need write access somewhere when it spins up to create temporary or other files?

 

by: bcolladayPosted on 2009-10-14 at 06:20:34ID: 25570105

Last question first:  Which dll do you mean.  I have the inreop.FormOA.dll that was created in my bin directory when I added a reference to the DCOM object which is an exe file.  It is not set to read only in the bin directory, neither is the exe file in question.

I did try 2 other computers, a new virgin XP Pro box SP3 which I installed the framework and IIS on but not Visual Studio.  

The other, other machine is server 2003 which is our production web server.  I am not doing too much testin gon it because it requires too many restarts.

I am getting the same result on all three machines.

Something has changed for them though because I am no longer getting the DCOM Permissions error in the System Event Viewer.

I now just get an  exception error "Retrieving the COM class factory for component with CLSID {92A04261-BE5C-11D1-99CC-00C04FD3695E} failed due to the following error: 80070005"

It does open the exe on the desktop, but when it tries to access the DCOM object it throws the exception.

All of the settings are for the Launch and Access both using "Everyone, ASPNET IUSR, IWAN NETWORK"   I  added these people to the NTFS settings for the entire folder that the exe file is in as well.

ANd yes, the ProcMOn is very verbose.  I am not seeing anything strange in there.  I ran it side by side with the app in IIS, and Visual Studio with very similiar results, nothing is jumping out at me yet.

Thanks for helping work through this issue, I have submitted my test project to the DCOM author to see if they have answers too.  I will post here, obviously if they solve it.  So far, they have had the same ideas we have had.

 

by: alimuPosted on 2009-10-14 at 17:31:03ID: 25576403

sorry -  I meant whatever the component was that you located when you searched the registry for CLSID 92A04261-BE5C-11D1-99CC-00C04FD3695E - missed that it was an executable not a dll...

The exception you're getting still looks to be permissions..  ( Chris Crowe has a nice step through here but I think you've already covered all of this http://blog.crowe.co.nz/archive/2006/03/02/589.aspx )  

Out of curiosity, have you tried granting Everyone NTFS permissions to the object with CLSID 92A04261-BE5C-11D1-99CC-00C04FD3695E?

Other scenarios that might mess with the authentication picture: Are you running your app within an application pool with different credentials? How is impersonation set in your web.config? Is your component trying to hit something elsewhere on the network when it spins up?

"Thanks for helping work through this issue" .. it would be nicer still if I was actually helping you make some progress here but unfortunately I just seem to be playing sounding board.  I keep hoping someone with more ideas would drop by :)

 

by: bcolladayPosted on 2009-10-15 at 06:15:03ID: 25580145

I have both the NTFS and the DCOM permissions set with "Everyone "  

On my XP machine IIS 5 I don't see application pools like I have in IIS 6 but through files settings I have done web sharing of the entire folder that contains the exe file and it shows up in the web site like an application pool does.

I have tried three configurations in web.config:

Impersonate off
impersonate on with my domain login (Administrator)
impersonate on with Machine Administrator account

oh and plain Impersonat eon with no credentials just for kicks.

 

by: alimuPosted on 2009-10-15 at 17:09:06ID: 25586029

Unfortunately the aspnet account (NT AUTHORITY\NETWORK SERVICE in win2003 & later)is not part of the security group Everyone, which, contrary to its name, doesn't include everyone.  You need to add the account to the permissions list.

 

by: bcolladayPosted on 2009-10-16 at 07:17:10ID: 25589779

Yep, I meant in addition to the "usual" ASPNET, IUSR, IWAM I also did Everyone.

 

by: bcolladayPosted on 2009-10-16 at 10:45:00ID: 25591628

Ok, progress, but not really,  by setting my IIS Website settings to (All Unassigned) instead of my specific network IP, and setting Directory Security to unchecked "Anonynous Access" and selecting Integrated Windows Authentication,  The App works out of IIS from http://localhost but if I do my network ip or 127.0.0.1 it prompts me for a username and password.  These settings just seem to mimic what is happening in Visual Studio

 

by: bcolladayPosted on 2009-10-22 at 12:54:40ID: 25638281

Solution for this specific exe file was to set the dcom permissions to a specific domain user and set that user as "This User" in the "Identity" tab.  Then also to set the impersonate to true with that user in the web.config.  Other than that it was straight forward.

 

by: alimuPosted on 2009-10-22 at 16:44:12ID: 25640136

Sorry I couldn't be of more help.Tto me that's really a workaround not a fix because you've just forced it to go through with an account that has enough permissions to execute everything rather than fixing the situation with your aspnet and iusr accounts having insufficient permission to run your web application... I can't think of anything you haven't already tried to get them working though.  

No objection to closure - recommend refund no paq

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...