The application-specific permission settings do not grant Local Activation permission - iis

A colleague of mine suggested that I could fix this error in the GPO. It is a Windows 2016 server.
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

I’m not sure if this issue affects the functionality of your app, and as the documentation says, you don't need to fix this issue if it has no effect on function.
These events can be safely ignored because they do not adversely affect functionality and are by design. This is the recommended action for these events.
If it has effect on your application, you can follow these steps to fix it:
1. Open the registry editor as an administrator and navigate to HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}. If you are in the right location, you also see the APPID as a value. Remember the application name, which you can see in the Data column; the corresponding Name column shows (Default).
2. Right click the {D63B10C5-BB46-4990-A94F-E40B9D520160} and click Permissions, then choose Advanced.
3. In the Advanced Security Settings window, click Change and type your administrator account. Then click OK.
4. In the "Permissions for..." window, select Administrators and activate the Full Permissions checkbox.
5. Repeat steps 1 to 4 to add permissions for APPID\{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}.
6. Open Component Services as administrator. Navigate to Component Services-Computers-My Computer-DCOM Config. Find the application by the application name remembered in step 1, right click it and choose Properties.
7. Go to the Security tab and choose the appropriate action. You can choose Launch and Activation Permissions, set to Customize, and Edit.
8. Click the name that applies to you and click the appropriate permission.

If permissions can't be changed, you may need to take ownership first.
See also https://www.kapilarya.com/fix-event-10016-error-the-application-specific-permission-settings-do-not-grant-local-activation-permission-in-windows-10
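Before changing any permissions, it helps to confirm which DCOM application the event refers to and whether its launch ACL really lacks an entry for the account named in the event. The following PowerShell is an added example, not part of the original answer; the function name `Get-Dcom10016Detail` is hypothetical, the sample text is the event quoted in the question, and the script only reads the registry.

```powershell
# Constructed sample: the event 10016 text quoted in the question.
$sampleMessage = @'
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC)
'@
$COM_RIGHTS_ACTIVATE_LOCAL = 0x8   # local-activation bit in a COM launch ACE

function Get-Dcom10016Detail {
    param([Parameter(Mandatory)][string]$Message)
    $guid = '\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}'
    $pattern = "(?s)CLSID\s*($guid).*?APPID\s*($guid).*?SID \((S-[\d-]+)\)"
    if (-not ($Message -match $pattern)) { return }
    $clsid, $appId, $sid = $Matches[1], $Matches[2], $Matches[3]

    # Read-only lookup of the AppID key that DCOM Config displays by name.
    $app = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue
    $acl = if ($app) { $app.LaunchPermission }
    $granted = $null   # stays $null when the AppID has no ACL of its own
    if ($acl) {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$acl, 0)
        # Direct-SID allow ACEs only; group membership and deny ACEs are not evaluated.
        $granted = [bool]($sd.DiscretionaryAcl | Where-Object {
            $_.AceQualifier -eq 'AccessAllowed' -and
            $_.SecurityIdentifier.Value -eq $sid -and
            ($_.AccessMask -band $COM_RIGHTS_ACTIVATE_LOCAL)
        })
    }
    [pscustomobject]@{
        Clsid = $clsid; AppId = $appId; Sid = $sid
        AppName = if ($app) { $app.'(default)' }
        HasAppSpecificLaunchAcl = [bool]$acl
        SidGrantedLocalActivation = $granted
    }
}

Get-Dcom10016Detail -Message $sampleMessage
# Live use: Get-WinEvent -FilterHashtable @{LogName='System'; Id=10016} |
#               ForEach-Object { Get-Dcom10016Detail $_.Message }
```

Running it again after the Component Services change shows whether `SidGrantedLocalActivation` has flipped to `True` for the SID from the event.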

Related

Can not open Excel Workbook in ASP classic with Excel.Application

I have a Windows 2016 Server and I have installed and activated Office 2013 64bit in it.
I have a classic ASP application that is trying to open an Excel workbook like this:
<%
Set appExcel = CreateObject("Excel.Application")
appExcel.Workbooks.Open("C:\intranet\web\Libro1.xlsx")
%>
I'm aware that this kind of Office automation is discouraged by Microsoft but this is a legacy app that I've inherited and has to manage to make it work on Windows 2016.
If I execute this piece of code as a VBS script there is no issue but if I try to execute it as an ASP page I get:
Microsoft Office Excel error '800a03ec' Microsoft Office Excel cannot access the file 'C:\intranet\web\Libro1.xlsx'.
There are several possible reasons:
• The file name or path does not exist.
• The file is being used by another program. (...)
I have discarded all the suggested reasons, I have also checked that if I really use a file that does not exist the error message is different.
I'm running my ASP application pool as user "Administrator" (Administrador in my Spanish installation).
I have given permissions for everyone in all three sections of the permissions for Microsoft Excel DCOM Configuration entry in components services.
I have checked and installed updates in my operating system and my Office package.
I'm running out of ideas, any reasonable clue will be welcome.
Recommendations for Setting up Websites in IIS
Things to consider while setting up IIS websites
Anonymous Access Account
Application Pool
NTFS Permissions
Setting up an Anonymous Account
Method One - Use ApplicationPoolIdentity Instead of IUSR
The ApplicationPoolIdentity is a special term for one of the corresponding IIS AppPool\<AppPoolAccounts> in the IIS_IUSRS security group.
The reason is it ties the security context to the Application Pool rather than having the Anonymous Account running as IUSR and the Application pool running as ApplicationPoolIdentity leaving two security contexts to manage.
Method Two - Use a Custom Account as the Identity of the Application Pool
For more control use a Custom Account in place of ApplicationPoolIdentity in the Application Pool Advanced Settings. Borrowing from Method One the Anonymous Account should be set to ApplicationPoolIdentity so there is now only one security context to manage.
The main benefit to this approach over using IUSR is you know the password for the Custom Account, whereas IIS controls the IUSR password making using it in place of the ApplicationPoolIdentity as the Application Pool Identity troublesome.
Assigning NTFS Permissions
WARNING: UAC (User Account Control) can modify the NTFS permissions when running in "Admin Approval Mode", make sure the setting User Account Control: Run all administrators in Admin Approval Mode is set to False in the Local Group Policy located under Computer settings\Windows settings\Security settings\Local policies\Security options.
Depending on the method used for adding an Anonymous Account to an IIS Website there should be one of two accounts added to the Website's root folder;
Method One - IIS_IUSRS (Read Permission)
Method Two - Custom Account (Read Permission)
At the basic level the Website's root folder should contain the following permissions;
| User Account | Permission | Notes
| ------------------ | --------------------- | ---------------------
| Administrators | Full Control | For File System access.
| <IIS Anonymous> | Read & Execute | Either IIS_IUSRS or a Custom Account.
Don't Inherit Permissions
Recommend disabling Inheritance on the Website's root folder to stop parent permissions propagating down and overwriting any existing permissions, which can be a costly exercise to restore.
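The permission table and the inheritance recommendation above can be checked against a live folder. The following PowerShell is an added example, not part of the original answer: the function name `Test-WebRootAcl` is hypothetical, `C:\inetpub\wwwroot` is an assumed site root, and accounts are compared by well-known SID so the check also works on localized installations.

```powershell
$SYNCHRONIZE = 0x100000   # implicit on most file ACEs; ignored when comparing

function Test-WebRootAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # S-1-5-32-568 is BUILTIN\IIS_IUSRS (Method One); pass the custom account's SID for Method Two.
        [string]$AnonymousSid = 'S-1-5-32-568'
    )
    $rights = [System.Security.AccessControl.FileSystemRights]
    $expected = @{
        'S-1-5-32-544' = [int]($rights::FullControl)       # BUILTIN\Administrators
        $AnonymousSid  = [int]($rights::ReadAndExecute)
    }
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is enabled: parent ACEs propagate to the site root'
    }
    $seen = @{}
    # Ask for SIDs instead of account names so localized group names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $sid  = $r.IdentityReference.Value
        $mask = [int]$r.FileSystemRights -band (-bnot $SYNCHRONIZE)
        if (-not $expected.ContainsKey($sid)) {
            $findings += "Unexpected ACE: $sid ($($r.FileSystemRights))"
        } elseif ($mask -band (-bnot $expected[$sid])) {
            $findings += "Excess rights for ${sid}: $($r.FileSystemRights)"
        } else { $seen[$sid] = $true }
    }
    foreach ($sid in $expected.Keys) {
        if (-not $seen.ContainsKey($sid)) { $findings += "No conforming ACE for $sid" }
    }
    $findings   # empty output means the folder matches the table
}

Test-WebRootAcl -Path 'C:\inetpub\wwwroot'   # assumed site root
```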
Finally I found what the issue was.
Following some pointers about DCOM permissions I had configured "Microsoft.Excel" DCOM configuration permissions using the "Components service" tool. But this wasn't enough.
Today I saw that apart from the "Permissions" tab there is an "Identity" tab there. By default it chooses to use the "initial user", which I expected to be the user that is running the IIS application pool. I had already executed the pool with a "real" user so I was not expecting this to be related, but when I changed it and selected a specific user there everything started to work.
So to sum up, my solution was:
1. Open "Components services administration".
2. Find in the "DCOM Configs" section the entry related to "Microsoft.Excel" and right click on "Properties".
3. In the "Identity" tab set a "real" user that will run Excel when the Interop APIs are used.
4. In the "Permissions" tab adjust the permissions so that the user you have set in the Identity tab has the required rights.
Hope this gives some clues to anyone.

Kentico file permissions for image editor

I've given IIS_User modify access and confirmed this on the media disk folder, but I'm still getting an 'Insufficient file system permissions to edit this image.'
Could there be a permission level conflict between IIS_USER and the service level account Kentico is using through the app pool?
Mark, if I understood you correctly you are not using IIS_USER as the Kentico app pool account. If this is correct, you do not have to grant any permission for it, but only for the account configured for the Kentico app pool instead.
It can depend on how you set up the site, but what I would do is in IIS hit the "Basic Settings" on the right and see what your app pool is.
If it's a named one, try to right click on the website -> Permissions, and add the user "IIS APPPOOL\TheNameOfTheAppPool" and give full permissions there.
If that user doesn't show up, then try giving the IIS_IUSER full permission, test if it works, and if it does then you can start scaling back permissions till it 'breaks' and stops working. If it doesn't work, then you need to try the other users.

How to stop TFS 2012 users from seeing security settings

I created a user and added them to the 'Contributors' group so they can access code and change items. However, I don't want them to see any security settings. As of right now, using just the contributors group they can go to the web access portal and see all the security settings (even though they cannot modify them). I do not want them to see ANY security settings or groups. How do I do this?
I suggest you create a new custom TFS group and disable the permission: View project level information.
He will get this message if he clicks: "TF50309: the following account does not have sufficient ... "

Access Denied when activating Web application Features in SharePoint 2007

I got the following exception while activating a web application feature using Stsadm:
Access denied! Only SRP admin can remove property or section.
I have no idea what an SRP admin is. I'm also at a loss to explain what kind of access it needs. The account I'm logged into the box with has the maximum access possible, and I would assume that stsadm runs all its commands as the super user. Googling didn't reveal much either.
Any help would be appreciated. TIA.
Taken from here:
The account that you use to run, must be granted Personalization rights in Shared Services Administration for the Default SSP.
Go to Central Administration
Click on SSP-Public
Click on Personalization services permissions
Add the account and grant Manage user profiles
What feature are you trying to activate (if it's not a custom feature of course)? What is corresponding application pool identity? Are you farm administrator? If not, try to add yourself to farm admins. Also be sure you do "Run as administrator" when launching cmd for stsadm. If all this will not help, try to add your application pool identity to farm administrators.

Force sharepoint to ask for authentication

Is there a way to force SharePoint 2010 to pop up the dialog to ask the user for a username and password and not use the computer's logged in user, if that user doesn't have access?
We need an internal sharepoint website to not use the windows credentials, since these are computers used by many people. The windows user doesn't have access to the site, so currently it shows an access denied, click here to log in as another user. We would prefer if it just asked for credentials in a more graceful manner.
There is a way to configure Internet Explorer to do this. In Internet Explorer(IE),
Go to Tools
Click Internet Options
Click on the Security tab
Click on the button labeled Custom Level.
Scroll to the very bottom of the list
Select the option labeled Prompt for user name and password.
The default option 'Automatic logon only in Intranet zone' is what is causing IE to send the credentials to SharePoint. This of course would force everyone to log in on that computer.
Forms Based Authentication is the answer. You can modify the Login page and even where the users' credentials (username/password) are stored (e.g. a SQL database rather than AD).
Use browser other than IE to access the SharePoint site from the community computers.
I am guessing you work in a corporate environment, which would mean your computers are probably managed by your IT department and part of your domain. Because they are part of your company's AD (Active Directory), your sysadmins should be able to modify the existing policy (I say existing, because in IE, the defaults for the settings relating to logging on are by default set so that you WOULD have gotten a logon prompt, so I am guessing a group policy is already in effect). If it does not exist, have your admins create one.
The setting Jeremy mentions is one option. It could also be that the site is included in your IE's "Local Intranet Zone". If it is, or, more probable, there is a wildcard *.yourdomainname.yourdomainextension).
Use the setting mentioned by Jeremy to override the default logon behavior (automatic logon) associated with sites listed in the intranet zone.
A group policy can be applied to a group of computers or all the computers in the domain. If the policy should be applied to a small group of computers only, put those computers in a separate OU (Organisation Unit) in AD and apply the policy to that OU.
What about creating a new zone, secured with FBA, for those community computers? As long as the users of the community computers are given only URL for the new zone, you should be OK.
You can create 2 registry files to turn this behavior on and off for Internet Explorer. Use Notepad to paste the values below, ensure that Windows Registry Editor Version 5.00 is the first line, and that you're appending 2 blank lines at the end of the file (press 2x Enter).
To turn it on (i.e. always ask for credentials): AlwaysAsk.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00010000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00010000

To turn it off (automatically use credentials, only ask if necessary): AutomaticLogon.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00020000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A00"=dword:00020000

This is useful for testing, especially if you're a developer in a corporate environment where you can't easily change the policy settings on your PC (but you need elevated rights, i.e. you have to run it as Administrator).
Note that the 1st key is for the local machine, the 2nd key is for the current user (currently logged in), which is needed to activate it immediately.
If you need more details about the values, check out this link:
Internet Explorer security zones registry entries for advanced users
