Is it possible to resolve a DCOM Interactive User permission error, when using DCOM with IIS and .aspx pages displaying data from a database?

问题

There are a number of similar-sounding questions to this, but none of them quite address this specific question.

• https://social.technet.microsoft.com/Forums/systemcenter/en-US/dfc465bc-7bbd-483e-b98b-2ba56fa98313/the-applicationspecific-permission-settings-do-not-grant-local-launch-permission-for-the-com-server?forum=configmgrgeneral

• https://social.technet.microsoft.com/Forums/windowsserver/en-US/353d381d-0911-41c3-98fb-2475b65c32f6/dcom-was-unable-to-communicate-with-the-computer-xxxx-using-any-of-the-configured-protocols?forum=winservergen

• https://social.technet.microsoft.com/Forums/windows/en-US/4aa643b6-f90d-4672-aba4-6c0a290e22d4/distributedcom-permissions?forum=win10itprosecurity

• https://social.technet.microsoft.com/wiki/contents/articles/17914.fim-troubleshooting-event-id-10016-the-application-specific-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application.aspx

• DCOM/IIS Issues

• https://www.automation.com/pdf_articles/Troubleshooting_OPC_and_DCOM.pdf

I'm sure there are many other pages that are similar to this, but I'll stop here.

The scenario is this: Windows 10... ...hosting an application (or cluster of applications) that takes near-real-time data from real sensors parses the numbers, writes them to a database, and presents them onto a browser .aspx page via IIS and DCOM (this is an archaic mysterious application/set of applications for which there is limited or no source code or documentation).

Occasionally, after working through all the installation and configuration steps, you are presented with a localhost/something.aspx page and whilst you can see the variables by hovering over the fields, the values are not populated. Looking in Windows event viewer, you may see errors like this:

Event ID 10016 - The application-specific permission settings do not grant Local Activation permission for the COM Server application

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID{...long hex number found in registry ...}

i.e.: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID{8D8B8E30-C451-421B-8553-D2976AFA648C} There are two more keys, but I don't have them on this PC that I'm typing on; one is an installed component for handling DCOM, and another one is to do with the Interactive User as well.

The installed one, is usually the one that reports having no permissions, typically for the "NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20)" user (formed into a group of admin and user accounts) [https://www.experts-exchange.com/questions/24205909/NT-AUTHORITY-NETWORK-SERVICE-SID-S-1-5-20-on-Windows-Server-2003.html... can't access this page at the moment]; then when you go into the security and add specific permissions for it, you're left with it reporting the above Interactive User keys, the 8d8... one and a 726... one, which you can't edit permissions for.

What bugs me about this is that it's apparently a complete magical mystery, which is unacceptable in a computer system! :D The current solution is to just no bother fiddling, and just format the machine, redo windows, work through all the application installation, IIS, and DCOM steps, and .aspx config again from scratch, and hope for the best - i.e.: that the magical special order that you do things in just makes it work, "because it does". I think this is a bit ridiculous, and time-consuming, more to the point, it bugs me intensely that there's not really a clear notion of what the actual problem is and what the solution might be.

There must be something specific happening or not happening that is causing the DCOM to not talk to the .aspx webpage; surely something that can be tweaked after the event without zapping the whole systems and spending ages redoing it all. It's as if something is "unplugged" or has a different identity/name/number from what is being looked at or filtered by what the .aspx page ingests, maybe something in the code? something in the IIS selections? something that needs resetting? Not sure...

I'm not asking for a silver bullet, but if anyone is willing to help work through this, that would be appreciated, it's just annoying and frustrating, and I'd like to get to the bottom of it, and hopefully create a definitive thread that others might benefit from.

回答1:

This appears to be the exact same issue 4 years ago.

https://answers.microsoft.com/en-us/windows/forum/windows8_1-winapps/weather-application/e4630db3-50c2-4cc5-9813-f089494a1145

Hi Not sure if this will fix your issue but I was able to fix mine.

1. Open Regedit.

2. Go to HKEY_Classes_Root\CLSID*CLSID*. Note: CLSID stand for the ID that appears in your event viewer error. In your case, it's {C2F03A33-21F5-47FA-B4BB-156362A2F239}.

3. Right click on it then select permission.

4. Click Advance and change the owner to administrator. Also click the box that will appear below the owner line.

5. Apply full control.

6. Close the tab then go to HKEY_LocalMachine\Software\Classes\AppID*APPID*. Note: AppID is the ID that appears in your event viewer. In your case it's {316CDED5-E4AE-4B15-9113-7055D84DCC97}.

7. Right click on it then select permission.

8. Click Advance and change the owner to administrators.

9. Click the box that will appear below the owner line.

10. Click Apply and grant full control to Administrators.

11. Close all tabs and go to Administrative tool.

12. Open component services.

13. Click Computer, click my computer, then click DCOM.

14. Look for the corresponding service that appears on the error viewer. Note: For this step, look for the one that appeared at the right panel of the RegEdit. For example, the AppID Registry (316CDED5-E4AE-4B15-9113-7055D84DCC97) contains the "Immersive Shell" Data with a (Default) as a name. Now look for "Immersive Shell".

15. Right click on it then click properties.

16. Click security tab then click Add User. Add SYSTEM then apply.

17. Tick the Activate local box.

    Restart.

    Hope that helps.

    EDIT: I edited the step number 14 for it to be clearer. I am glad that I was able to help out.

回答2:

Before going into these lengthy procedures and editing registry. I would you look at TCP/IPv6 in the Local Area Connection Settings. If it is enabled then disable it and flush the dns or restart your server. Hope it helps the future seekers.

Stay blessed everyone..

来源：https://stackoverflow.com/questions/49208958/is-it-possible-to-resolve-a-dcom-interactive-user-permission-error-when-using-d