Wednesday, June 29, 2011

SharePoint Event 10016, DistributedCOM error "The application-specific permission settings do not grant Local Activation permission..."

Problem Description: After installing SharePoint 2010 Application event log filles with following error messages:

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 29/06/2010 4:32:45 AM
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
Computer: sharepoint.katwal.local
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

CAUSE: LOCAL ACTIVATION permissions missing for "IIS WAMREG admin Service"


First of all you might already know how did I know its "IIS WAMREG admin service", just in case you do not know, for every single com object there is GUID assigned by WINDOWS. In the error message above we could see it {61738644-F196-11D0-9953-00C04FD919C1}

Now what we needed to do was to find out what this GUID represents, registry of the server is the friend that could tell us. We need to open registory editor, select Edit menu and select Find. Now paste the GUID number and search for it. Registry editor will already have the GUID selected when its found. On the right side pane we should be able to see (Default) - Reg_SZ - IIS WAMREG admin service

That is how we know which COM component needs to be checked for activation permissions. To get to this componet follow the steps below

1. Select Start
2. Select Run
3. Type DCOMcnfg and select open.
4. Expand Component Services >Computer > My Computer > DCOM CONFIG
5. Right click on "IIS WAMREG admin Service" and select properties
6. Here you will find out that you were meant to change permissions under Security Tab but that option is all gray out and cannot be changed.

Problem is that as we checked earlier this component is tied to a registry key and on that registry key only trusted installer has full permissions all other users got READ permission. We need to provide full permission to the Administrator or the FarmAdmin Group. In my case I were using an account that was part of domain admins so I just gave permission on HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1} registry key.

Here is another issue that when you try to add full permission you will not be able to do it because ownership is not assigned to your group. Since my account was member of domain admin group I selected, "Advanced" option under permissions and selected OWNER tab. Here I added Domain Admins group ad the owner.

Now we can give full permission to Domain Admins on the registry key.

If DCOMcnfg is alreay open we will have to close and re-open because refresh does not work.

Again we will have to go to the properties on the "IIS WAMREG admin Service" under DCOMcnfg as mentioned above. but this time under SECURITY tab, we will be able to change "launch and Activation permissions". We need to add service account for sharepoint with "Local launch" and "Local Activation" permissions. In my case I selected Domain Admins again because it was a small setup.

No comments: