07-15-2013 09:37 AM
Hi
i am using enterprise vault 10.0.3 running on windows 2008 r2 server, every thing is working fine apart from users unable to browse enterprise vault server or using archive explorer if i put these users in local admin group on ev servers its working fine other wise no page is displaying.
If no W3WP process is active (such as upon server restart or idle timeout,) the first user to make a request to the EV web app will cause IIS to initialize the application. If the first user is an end-user with no admin rights on the EV server, windows will prevent the blocked files from loading and executing. If the first user to make a request to the EV web app is a local administrator on the EV server, the webapp will initilalize successfully despite the files being blocked.
iis log showing premission denied message and dtrace log showing impersonated user = hr [000080405] event viewer throwing 8390 error.
any thought for this issue.
Solved! Go to Solution.
07-17-2013 06:38 AM
Can you check "Users" to see if Authenticated Users is listed?
It should have
YOURDOMAIN\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Interactive
07-15-2013 10:01 AM
Quick question ... do you have UAC enabled on the Enterprise Vault server? I would also take a look at the authentication settings on the IIS.
07-15-2013 10:14 AM
uac not enabled on ev server, authentication is set to basic and integrated windows authentication.
07-15-2013 11:32 AM
Sounds like your C:\Program Files (x86)\Enterprise Vault\ install directory has been locked down
add Authenticated Users and have it propogate down to subdirectories and files and you should be OK
It's not enough to add Authenticated Users just to \webapp\ though, as it uses impersonation and will launch DirectoryService.exe and others under the context of the calling user
07-15-2013 07:46 PM
i checked by adding authenticating users read,write execute permission on enterprise vault installation folder. still the result same.
07-15-2013 07:59 PM
07-16-2013 07:21 AM
OK So i found the issue.
It was due to the fact that Authenticated Users was not a member of the Local Users group which it is by default, so even though they added Authenticated Users, the issue still remained
07-16-2013 08:05 AM
07-16-2013 10:21 AM
through DCOM once assigned EV service account necessary permissions after restarting the ev services, configurations get changed that means newly added account permissions are getting removed.
07-16-2013 11:19 AM
yeah the Admin Service will always automatically set the DCOM permissions
It could be an old password etc, and you can just change the password in the VAC and it will update all the DCOM packages, all the Services etc
You could also make sure that ASP.NET Impersonation is enabled in IIS
Check that the Authenticated Users is part of the Local Users group and has proper read/write/execute permissions on the EV Install folder, all the way down.
Also try the IIS 7 failed tracing options along with procmon to see where the deny is coming from
Tracing replaced AuthDiag that IIS6 used to use
also maybe look at Fiddler2 tracing to see if you can see what response you're getting from the IIS server
07-17-2013 06:25 AM
hi,
once i add authenticated users to the local admin group of EV Server, its working fine and clients are getting authenticated properly.i know its not a good practise what should be alternative.
07-17-2013 06:38 AM
Can you check "Users" to see if Authenticated Users is listed?
It should have
YOURDOMAIN\Domain Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\Interactive
07-17-2013 08:13 AM
in the local users group both domain users and authenticated users are listed but not interactive.