Saturday, October 12, 2013

Error 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}

Problem

While performing a routine check of the logs of the machine hosting the SharePoint Server 2010 farm Central Administration, I saw the following error in the machine's System log:
Log Name:     System
Source:          Microsoft-Windows-DistributedCOM
Date:             [date]
Event ID:      10016
Task Category: None
Level:            Error
Keywords:     Classic
User:              [DOMAIN\accountname]
Computer:      [FQDN of SharePoint Server 2010 instance]
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
and APPID
{61738644-F196-11D0-9953-00C04FD919C1}
to the user [DOMAIN\accountname] SID [SID for this accountname]... from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
Discussion

Resolving this problem involves the following SharePoint Server 2010 and Windows Server 2008 R2 components:
  • SharePoint Server 2010 application service accounts:
    • [DOMAIN\accountname]
  • Local Services:
    • IIS Admin Service
  • Component Services:
    • IIS WAMREG admin  Service
  • Registry Keys:
    • HKEY_CLASSES_ROOT\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    • HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
Resolution
  1. Identify which account you want to use in order to modify the permissions of machine level services, components and registry keys.  For this posting, the local administrator account was used. 
  2. Go: Start > Administrative Tools > Component Services.  The Component Services control panel appears.
  3. In the console tree, expand: Console Root > Component Services > Computer > My Computer > DCOM Config:
  4. Search for IIS WAMREG admin Service:
  5. Right-click on this component, and then select Properties. The IIS WAMREG admin Service Properties dialog appears, with the General tab selected by default.  On the General tab, you will see the Application ID as noted in the error message:
  6. If the Authentication Level dropdown displayed on this tab is disabled, continue to the next step.  Otherwise, skip to step 16, below.
  7. Close the Properties dialog and close the Component Services console.
  8. Launch RegEdit.
  9. Save a backup of the current hive.
  10. Look for and verify the existence of each of the following keys:
    1. HKCR\AppID\{61738644-F196-11D0-9953-00C04FD919C1}
    2. HKCR\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    3. HKCR\Wow6432Node\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    4. HKLM\SOFTWARE\Classes\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    5. HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
    6. HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{61738644-F196-11D0-9953-00C04FD919C1}
  11. After working through the following procedure for a key, go back to Component Services and check whether you can now edit permissions; if not, go to the next key and repeat:
    1. Right-click on the key, and then choose Permissions.  The Permissions for {61738... dialog will appear:
    2. Verify that the desired access account or security group (as discussed in Step 1) is listed.  If it is not, add it.  For example, for this posting, the desired access security group is the local machine administrators group, spdev12\Administrators.
    3. Grant this account Full Control.
    4. If you are not able to change its permissions, click the Advanced button to open the Advanced Security Settings for {61738... dialog.  Select the Owner tab, and then take ownership of the registry key:
      Then repeat step 3.
  12. Exit RegEdit.
  13. Stop and restart IIS Admin Service.
  14. Open the Component Services console, and then expand the console tree to find the IIS WAMREG admin Service component.
  15. Right-click on this component, and then Properties.  The IIS WAMREG admin Service Properties dialog appears:.
  16. Select the Security tab,
    and then click the Edit button in the Launch and Activation Permissions group.  The Launch and Activation Permissions dialog appears:
  17. Add the account referred to by the error message, and grant it both Local launch and Local Activation permissions:
  18. Click OK.  The Launch and Activation Permissions dialog closes.
  19. Click OK again. The WAMREG admin Service Properties dialog closes.
  20. Close the Component Services console.
  21. Stop and restart IIS.
References
Notes
  • Step 1: It doesn't matter what type of account it is, only that it is important to use the same account for all modifications that you are about to make.
  • Step 8: HKCR - HKEY_CLASSES_ROOT, HKLM - HKEY_LOCAL_MACHINE.
  • Step 10: these are the paths to the keys, but you can also find them just as easily by searching for IIS WAMREG admin.
  • Step 10: I found that it seemed that I only needed to modify the permissions for the first three keys and the others were modified automatically.
  • Acknowledgements: Thanks to Wictor Wilen's  article  for originally guiding me down the solution path, and to his article commenters Blair and Angus, who alerted me to the possibility that there may be more than one registry key involved.  In fact, for my instance, I found more keys involved than were identified in the article or by the commenters, and I had to modify permissions for the first three of the keys listed above.

No comments: