bcolladay asked:

Access Permissions for DCOM dll in ASP.NET IIS

I am working on a website that uses DCOM for access to a proprietary database.  This is .NET 2.0.  I added it to the project through Add Reference, using the COM tab; I selected the .exe file for the program as they suggest.  This works and I have a dll in my bin folder for my site.  I was able to make everything work in the Visual Studio environment on my local machine.

I tried to implement the website on our web server and am getting permission errors:
Retrieving the COM class factory for component with CLSID {92A04261-BE5C-11D1-99CC-00C04FD3695E} failed due to the following error: 80070005.

I have added everyone I can think of into the Component Services-Security tab for the specified DCOM object:
IUSR_{LOCALMACHINE}
IWAM_{LOCALMACHINE}
{LOCALMACHINE}\ASPNET (ASP.NET Machine account)
NETWORK
NETWORK SERVICE
INTERACTIVE
Administrator
Internet Guest Account
SYSTEM

I even tried - Everyone

I have tried to change the Identity tab to use my credential but still  no joy.

Between each change I am restarting IIS Admin Service

I added the .exe file to the isapi section in my local IIS, This is the same exe I used to add the reference in Visual Studio.

I have registered the dll in the bin folder with regsvr32 just in case.

When I get the error, this is the error in the system event viewer:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{92A04261-BE5C-11D1-99CC-00C04FD3695E}
 to the user {LOCALMACHINE}\ASPNET SID (S-1-5-21-1177600299-2965752541-197591168-1012).  This security permission can be modified using the Component Services administrative tool.

I tried to add the user it said was being denied but it would only accept the ASPNET part not the SID or the number following.

In IIS IUSR_{LOCALMACHINE} is the username for the Authentication Method with Anonymous access checked and Allow IIS to control password.  Nothing else on that form is checked.

And to reiterate, this works in my Visual Studio Development Server on the same machine.

So my question is:
What is going on behind the scenes in Visual Studio that allows this to work, and how can I duplicate it?

Disclaimer:
I am testing this out on my XP IIS, but will be going live with 2003 server once I figure it out.  I originally tried all of this on the 2003 server but it was too inconvenient to restart IIS when I made a change.  There are many public websites on that server.  I was getting the same errors on 2003 server.

I attached a picture of the Solution explorer for the functioning Visual Studio Environment.

The code seems irrelevant but here it is:
it is throwing the exception on this line:
 FormOA.CommenceDB CommenceData = new FormOA.CommenceDB();
using System;
using System.Configuration;
using System.Data;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using FormOA;
 
public partial class _Default : System.Web.UI.Page 
{
    string ViewType = "";
    protected void Page_Load(object sender, EventArgs e)
    {
        
        try
        {
            if (Request.QueryString["n"].Length > 0)
            {
                ViewType = Request.QueryString["n"].ToString();
                GetTickets();
            }
        }
        catch
        {
 
        }
    }
    private void GetTickets()
    {
 
        string orgid = "XXX";
        FormOA.CommenceDB CommenceData = new FormOA.CommenceDB();
        int mode = 0;
        int flags = 0;
        string search = "Closed";
        string search2 = "Not Equal to";
        string CMview = "Ticket";
        string BuildTheTickets = "";
        if (ViewType == "Closed")
        {
            search = "Closed";
            search2 = "Equal to";
        }
        if (ViewType == "Open")
        {
            search = "Closed";
            search2 = "Not Equal to";
        }
        if (ViewType == "All")
        {
            search = "Pending RMA";
            search2 = "Not Equal to";
        }
 
        FormOA.ICommenceCursor MyCommenceCursor;
        try
        {
            MyCommenceCursor = CommenceData.GetCursor(mode, CMview, flags);
            MyCommenceCursor.SetFilter("[ViewFilter(1,F,,Status, " + search2 + ", " + search + ")]", 0);
            string s2 = @"[ViewFilter(2,CTCF,, Relates to, Account, accountKey, Contains, """ + orgid + @""",)]";
            MyCommenceCursor.SetFilter(s2, 0);
            //MyCommenceCursor.SetFilter("[ViewFilter(2,CTCF,, Relates To, Account, accountKey, Equal To, " + orgid + ",)]", 0);
            MyCommenceCursor.SetSort("[ViewSort(Refers To Applications, ascending)]", 0);
            MyCommenceCursor.SetRelatedColumn(0, "Relates To", "Account", "Ticker", 0);
            MyCommenceCursor.SetColumn(1, "ticketKey", 0);
            MyCommenceCursor.SetColumn(2, "dateNew", 0);
            MyCommenceCursor.SetColumn(3, "Problem", 0);
            MyCommenceCursor.SetRelatedColumn(4, "Relates To", "Account", "accountKey", 0);
            MyCommenceCursor.SetColumn(5, "Status", 0);
            MyCommenceCursor.SetColumn(6, "Source", 0);
            MyCommenceCursor.SetRelatedColumn(7, "Relates To", "Employee", "properName", 0);
            MyCommenceCursor.SetRelatedColumn(8, "Relates To", "Contact", "properName", 0);
            MyCommenceCursor.SetColumn(9, "Resolution", 0);
            MyCommenceCursor.SetColumn(10, "Refers To Applications", 0);
 
            int RowCount = MyCommenceCursor.RowCount;
            FormOA.ICommenceQueryRowSet ars = MyCommenceCursor.GetQueryRowSet(RowCount, 0);

            ars = null;
            MyCommenceCursor = null;
            CommenceData = null;
        }
        catch (Exception Ex)
        {
 
        }
    }
}

Attachment: commence.jpg

alimu:


In Visual Studio because it's not really launching as part of a website, it's probably all executing under your credentials (which I'd guess are a member of the Administrators group on the local machine).
Administrators will have launch and activation permissions by default.
Going from the error you're seeing in Event Viewer, you should be going to the object in Component Services --> DCOM Config -->"Object Name".
Right Click on it --> properties --> Security Tab.
Under "Launch and Activation Permissions" select "Customize" and click on the Edit button.
Add <servername>\ASPNET to the list and make sure "Local Activation" is allowed.
If you're still having issues, go back and check the event log again.
You'll probably have to unload/kill remaining processes from your .NET application before testing the change to force a restart of the application and so that the changes take effect. (This is different to an IISRESET)
Additional note: your website files and anything done using standard html or asp code will use the IUSR_computername account if you are using anonymous BUT your .NET code will still be executing using the aspnet account (think of it as a distinct application within an application)..  Sidenote: I'm not a developer and will probably not be able to assist with coding related issues.
If still having problems, could you please post your current Launch and Activation permissions and any errors that are still showing up in the event log when you try to kick this off.
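
A read-only check of what the registry holds for the CLSID named in the event, showing each account and SID with its launch/activation rights and whether the ACL is application-specific or the machine default (the distinction the event text makes). This is an added example, not code from anyone in this thread; it assumes PowerShell is available on the server, that it is run as an administrator, and that the registry view matches the bitness of the COM server.

```powershell
# Added example. CLSID copied from the event log entry quoted in this thread.
$clsid = '{92A04261-BE5C-11D1-99CC-00C04FD3695E}'

# COM_RIGHTS_* access-mask bits used in launch/activation ACLs.
$comRights = @{ LocalLaunch = 0x2; RemoteLaunch = 0x4; LocalActivation = 0x8; RemoteActivation = 0x10 }

function Get-ComLaunchAcl([string]$Clsid) {
    # DCOM Config entries are AppIDs; the CLSID key points at its AppID.
    $appId = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction SilentlyContinue).AppID
    $source = 'machine default'
    $sd = $null
    if ($appId) {
        $sd = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue).LaunchPermission
        if ($sd) { $source = "application-specific, AppID $appId" }
    }
    if (-not $sd) {
        # No custom ACL on the AppID: the machine-wide default applies.
        $sd = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).DefaultLaunchPermission
    }
    if (-not $sd) {
        Write-Warning 'No LaunchPermission or DefaultLaunchPermission value stored; built-in defaults apply.'
        return
    }
    # The value is a self-relative binary security descriptor.
    $rsd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sd, 0)
    foreach ($ace in $rsd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        # A mask of exactly 1 (COM_RIGHTS_EXECUTE alone) is the legacy form meaning all four rights.
        $granted = $comRights.Keys | Where-Object { $mask -eq 1 -or ($mask -band $comRights[$_]) } | Sort-Object
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        New-Object PSObject -Property @{
            Source = $source; Account = $name; Sid = $ace.SecurityIdentifier.Value
            AceType = $ace.AceType; Rights = ($granted -join ', ')
        }
    }
}

Get-ComLaunchAcl $clsid | Format-Table Account, Sid, AceType, Rights, Source -AutoSize
```

The Sid column can be compared directly with the SID printed in the DCOM event, and AccessDenied rows are listed alongside AccessAllowed ones.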

bcolladay (ASKER):

"If still having problems, could you please post your current Launch and Activation permissions and any errors that are still showing up in the event log when you try to kick this off."

Here are the settings from my post above:

I have added everyone I can think of into the Component Services-Security tab for the specified DCOM object:
IUSR_{LOCALMACHINE}
IWAM_{LOCALMACHINE}
{LOCALMACHINE}\ASPNET (ASP.NET Machine account)
NETWORK
NETWORK SERVICE
INTERACTIVE
Administrator
Internet Guest Account
SYSTEM

I even tried - Everyone

Here is the error I receive in Event Viewer - DCOM

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{92A04261-BE5C-11D1-99CC-00C04FD3695E}
 to the user BCOLLADAY_LAP\ASPNET SID (S-1-5-21-1177600299-2965752541-197591168-1012).  This security permission can be modified using the Component Services administrative tool.

When I set the DCOM security settings I shut down IIS Admin Services and WWW Publishing and ASP.NET State

This user name :
ASPNET SID (S-1-5-21-1177600299-2965752541-197591168-1012)
is set up in the permissions and in IIS except for the SID and the Alpha Numeric Following.
OK, just wanted to confirm that you were setting the permissions in the
"Launch and Activation Permissions" section of the security tab as there are 3 different types of security access you can set from the Security tab.  
What COM Server application is CLSID 92A04261-BE5C-11D1-99CC-00C04FD3695E?
It is a proprietary Database/Customer Relationship Manager called Commence RM.  The Desktop exe is called from the interop dll and calls can be made to the product.
Has BCOLLADAY_LAP\ASPNET got NTFS permissions to the dll itself? (i.e. just basic file system permissions to read the file?)
I had assigned "Everyone" on the file level permissions.  I went back and added ASPNET Full Control but still no joy.  I am trudging through the Process Monitor to see where the difference is between Visual Studio and IIS to see exactly what permission is getting denied/accepted.  It seems to be coming down to IIS is using HK-User while Web.Dev is using HKCU.
You're on the same track I would've been - process monitor was what I would've suggested next but didn't want to inflict that particular suggestion on you until the obvious had been exhausted.. It pulls so much data it'll do your head in.
I'd still be leaning toward a permission issue with the aspnet account because of the particular errors you're seeing but you seem to have pretty much ruled out the potential causes (you've confirmed the problem CLSID in the registry is actually your component, that the place you're changing security is the launch permission section of the security tab and that the aspnet account has ntfs permissions to the dll so that rules out the main stuff that might have been jumped over).
Are you seeing any other .NET issues on this server (is the framework healthy?) or any other errors/warnings being logged when you try to spin up the app?
Another I just thought of (but you've probably checked this too) - check your dll isn't set to read-only. Also, does your application need write access somewhere when it spins up to create temporary or other files?
Last question first:  Which dll do you mean?  I have the Interop.FormOA.dll that was created in my bin directory when I added a reference to the DCOM object which is an exe file.  It is not set to read only in the bin directory, neither is the exe file in question.

I did try 2 other computers, a new virgin XP Pro box SP3 which I installed the framework and IIS on but not Visual Studio.  

The other, other machine is server 2003 which is our production web server.  I am not doing too much testing on it because it requires too many restarts.

I am getting the same result on all three machines.

Something has changed for them though because I am no longer getting the DCOM Permissions error in the System Event Viewer.

I now just get an  exception error "Retrieving the COM class factory for component with CLSID {92A04261-BE5C-11D1-99CC-00C04FD3695E} failed due to the following error: 80070005"

It does open the exe on the desktop, but when it tries to access the DCOM object it throws the exception.

All of the settings are for the Launch and Access both using "Everyone, ASPNET, IUSR, IWAM, NETWORK".  I added these people to the NTFS settings for the entire folder that the exe file is in as well.

And yes, the ProcMon is very verbose.  I am not seeing anything strange in there.  I ran it side by side with the app in IIS, and Visual Studio with very similar results, nothing is jumping out at me yet.

Thanks for helping work through this issue, I have submitted my test project to the DCOM author to see if they have answers too.  I will post here, obviously if they solve it.  So far, they have had the same ideas we have had.
sorry -  I meant whatever the component was that you located when you searched the registry for CLSID 92A04261-BE5C-11D1-99CC-00C04FD3695E - missed that it was an executable not a dll...
The exception you're getting still looks to be permissions..  ( Chris Crowe has a nice step through here but I think you've already covered all of this http://blog.crowe.co.nz/archive/2006/03/02/589.aspx )  
Out of curiosity, have you tried granting Everyone NTFS permissions to the object with CLSID 92A04261-BE5C-11D1-99CC-00C04FD3695E?
Other scenarios that might mess with the authentication picture: Are you running your app within an application pool with different credentials? How is impersonation set in your web.config? Is your component trying to hit something elsewhere on the network when it spins up?
"Thanks for helping work through this issue" .. it would be nicer still if I was actually helping you make some progress here but unfortunately I just seem to be playing sounding board.  I keep hoping someone with more ideas would drop by :)
I have both the NTFS and the DCOM permissions set with "Everyone " 

On my XP machine IIS 5 I don't see application pools like I have in IIS 6 but through files settings I have done web sharing of the entire folder that contains the exe file and it shows up in the web site like an application pool does.

I have tried three configurations in web.config:

Impersonate off
impersonate on with my domain login (Administrator)
impersonate on with Machine Administrator account

Oh, and plain Impersonate on with no credentials just for kicks.
Unfortunately the aspnet account (NT AUTHORITY\NETWORK SERVICE in win2003 & later) is not part of the security group Everyone, which, contrary to its name, doesn't include everyone.  You need to add the account to the permissions list.
Yep, I meant in addition to the "usual" ASPNET, IUSR, IWAM I also did Everyone.
Ok, progress, but not really: by setting my IIS Website settings to (All Unassigned) instead of my specific network IP, and setting Directory Security to unchecked "Anonymous Access" and selecting Integrated Windows Authentication, the App works out of IIS from http://localhost but if I do my network ip or 127.0.0.1 it prompts me for a username and password.  These settings just seem to mimic what is happening in Visual Studio.
ASKER CERTIFIED SOLUTION (bcolladay)

This solution is only available to members of Experts Exchange.

Sorry I couldn't be of more help. To me that's really a workaround not a fix because you've just forced it to go through with an account that has enough permissions to execute everything rather than fixing the situation with your aspnet and iusr accounts having insufficient permission to run your web application... I can't think of anything you haven't already tried to get them working though.
No objection to closure - recommend refund no paq