
enterprise vault 10.0.3 issues related to DCOM

xavier_john
Level 3

Hi

 

I am using Enterprise Vault 10.0.3 running on a Windows 2008 R2 server. Everything is working fine apart from users being unable to browse the Enterprise Vault server or use Archive Explorer. If I put these users in the local admin group on the EV servers it works fine; otherwise no page is displayed.

 

If no W3WP process is active (such as upon server restart or idle timeout), the first user to make a request to the EV web app will cause IIS to initialize the application.  If the first user is an end-user with no admin rights on the EV server, Windows will prevent the blocked files from loading and executing.  If the first user to make a request to the EV web app is a local administrator on the EV server, the web app will initialize successfully despite the files being blocked.


The IIS log shows a permission denied message, the dtrace log shows impersonated user = hr [000080405], and the event viewer is throwing an 8390 error.

 

 

Any thoughts on this issue?

1 ACCEPTED SOLUTION


JesusWept3
Level 6
Partner Accredited Certified

Can you check "Users" to see if Authenticated Users is listed?

It should have

YOURDOMAIN\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Interactive

https://www.linkedin.com/in/alex-allen-turl-07370146


12 REPLIES

GabeV
Level 6
Employee Accredited

Quick question ... do you have UAC enabled on the Enterprise Vault server? I would also take a look at the authentication settings on the IIS.

xavier_john
Level 3

UAC is not enabled on the EV server; authentication is set to Basic and Integrated Windows Authentication.

JesusWept3
Level 6
Partner Accredited Certified

Sounds like your C:\Program Files (x86)\Enterprise Vault\ install directory has been locked down.
Add Authenticated Users and have it propagate down to subdirectories and files and you should be OK.
It's not enough to add Authenticated Users just to \webapp\ though, as it uses impersonation and will launch DirectoryService.exe and others under the context of the calling user.

https://www.linkedin.com/in/alex-allen-turl-07370146

xavier_john
Level 3

I checked by adding Authenticated Users with read, write, execute permission on the Enterprise Vault installation folder. Still the same result.

JesusWept3
Level 6
Partner Accredited Certified

Hmmm. You can try procmon and see where the access denied is coming from.
I seem to remember another customer had something very similar and it was bizarro, something like a local group like Authenticated Users wasn't part of another group that it should have by default.
I can't remember the exact details, will try and find out.

https://www.linkedin.com/in/alex-allen-turl-07370146

JesusWept3
Level 6
Partner Accredited Certified

OK, so I found the issue.
It was due to the fact that Authenticated Users was not a member of the Local Users group, which it is by default, so even though they added Authenticated Users, the issue still remained.

https://www.linkedin.com/in/alex-allen-turl-07370146

EV_Ajay
Level 6
Employee Accredited

Confirm the DCOM settings are properly configured for EV.

1.  Check that the EV Admin and Directory Services are running.
2.  Stop all EV Services, restart the IIS Admin Service and start all EV Services.
3.  Check DCOM running status and set the needed DCOM permissions:
    a.  Log on to the EV Server as the Vault Service Account.
    b.  Click Start | Run and execute: dcomcnfg
    c.  Click Component Services | Computers. Confirm that DCOM is running.
    d.  Expand My Computer, expand DCOM Config.
    e.  Locate DirectoryService, right click and open Properties.
    f.  On the Security tab, click Edit in the section Launch and Activation Permissions and select Customize.
    g.  Click on the group Everyone and set all permissions as Allow and remove any permission as Deny.
    h.  Add the AD User Account for the VSA and set all permissions as Allow.
    i.  Click OK, then Apply and OK.
    j.  Close the Component Services MMC Console.
4.  Reset DCOM permissions:
    a.  Open the VAC: Enterprise Vault and right click over Directory on ...  and select Properties.
    b.  On the Service Account tab, delete and reenter the credential details of the VSA.
5.  EV services will need to be restarted.
    a.  This operation can be performed by restarting the EV Admin Service or by rebooting the EV server.

xavier_john
Level 3

Once I assign the EV service account the necessary permissions through DCOM, after restarting the EV services the configuration gets changed, meaning the newly added account permissions are getting removed.

JesusWept3
Level 6
Partner Accredited Certified

Yeah, the Admin Service will always automatically set the DCOM permissions.
It could be an old password etc., and you can just change the password in the VAC and it will update all the DCOM packages, all the Services etc.

You could also make sure that ASP.NET Impersonation is enabled in IIS.
Check that Authenticated Users is part of the Local Users group and has proper read/write/execute permissions on the EV install folder, all the way down.
Also try the IIS 7 failed tracing options along with procmon to see where the deny is coming from.

Tracing replaced AuthDiag that IIS6 used to use.
Also maybe look at Fiddler2 tracing to see if you can see what response you're getting from the IIS server.

https://www.linkedin.com/in/alex-allen-turl-07370146

xavier_john
Level 3

Hi,

Once I add Authenticated Users to the local admin group of the EV server, it's working fine and clients are getting authenticated properly. I know it's not a good practice; what should be the alternative?

JesusWept3
Level 6
Partner Accredited Certified

Can you check "Users" to see if Authenticated Users is listed?

It should have

YOURDOMAIN\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Interactive

https://www.linkedin.com/in/alex-allen-turl-07370146

xavier_john
Level 3

In the local Users group both Domain Users and Authenticated Users are listed, but not Interactive.
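
The two checks suggested in the replies above (membership of the local Users group, and permissions propagated all the way down the install folder) can be run as one read-only audit. This is an added example, not code from any poster in the thread; it assumes Windows PowerShell run elevated on the EV server, the install path quoted in the thread, and a local group named `Users`.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Assumptions: install path as quoted in the thread; local group is named "Users".
$installDir = 'C:\Program Files (x86)\Enterprise Vault'
$expected   = @('Domain Users', 'Authenticated Users', 'INTERACTIVE')

# 1. Local Users group membership, via ADSI so it also runs on PowerShell 2.0.
$group   = [ADSI]'WinNT://./Users,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
foreach ($name in $expected) {
    if ($members -contains $name) { "OK       local Users contains $name" }
    else                          { "MISSING  local Users lacks $name" }
}

# 2. Walk the install tree: flag Deny entries and items where neither
#    Authenticated Users nor BUILTIN\Users is allowed read and execute.
$rx    = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$ids   = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$items = @(Get-Item -LiteralPath $installDir) +
         @(Get-ChildItem -LiteralPath $installDir -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $sec     = $item.GetAccessControl('Access')
    $rules   = @($sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]))
    $allowed = $false
    foreach ($r in $rules) {
        if ($ids -notcontains $r.IdentityReference.Value) { continue }
        # Skip entries that only apply to children (InheritOnly = 2), not to this item.
        if (([int]$r.PropagationFlags -band 2) -ne 0) { continue }
        if ($r.AccessControlType -eq 'Deny') {
            "DENY     $($item.FullName): $($r.IdentityReference.Value)"
        } elseif (([int]$r.FileSystemRights -band $rx) -eq $rx) {
            $allowed = $true
        }
    }
    if (-not $allowed) {
        $note = if ($sec.AreAccessRulesProtected) { ' (inheritance disabled)' } else { '' }
        "NO READ  $($item.FullName)$note"
    }
}
```

Any `MISSING`, `DENY` or `NO READ` line marks a place where a non-administrator can be refused access, which is the narrower thing to fix instead of placing Authenticated Users in the local Administrators group.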