MOSS, Kerberos and the Security Log

You may recall we discussed Kerberos authentication here.

And we linked to two great posts, one, here, from Martin.

And as we worked through the process, it started to make some sense.  We quit when we got to configuring component services, I guess out of sheer laziness.

Well, now, I'm digging through the Windows Security log and I'm seeing these 10016 errors that say:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

{61738644-F196-11D0-9953-12345ABCDEC1}

to the user MyDomain\mossapppool_01 SID (S-1-5-21-1234567899-1510927935-777304043-47828). This security permission can be modified using the Component Services administrative tool.

To me, this is obviously a "two-hop" issue.  So I go back and look at the component issues from Martin's post.

Now, this is the first time I've ventured into Component Services, which is a Server 2003 Administrative Tool MMC.  Martin says to drill into the properties of My Computer and change the Default Impersonation Level on the Default Properties tab to Impersonate.  This makes sense if I'm telling My Computer to assume that it's impersonating someone else when it runs a component that needs to "Hop" to connect to another computer.

The only other issue is in the DCOM Config folder under My Computer where we have to look at the IIS WAMREG admin Service.  Here we select the Security tab and edit the Launch and Activation Permissions, adding our app pool identities and giving them Local Activation permissions.  Then, I presume I'll need to do the same to my SSP server that's also a WFE server.

And the hope is that this will eliminate the 10016 Errors from the security log.  We'll see.

-robot
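
An added example, not code from the original post or from Martin's: PowerShell that parses 10016 message text into a de-duplicated list of account, SID, CLSID and missing permission, which is the list of app pool identities to add under Launch and Activation Permissions and a way to confirm afterwards that the errors have stopped. The function name `ConvertFrom-Dcom10016Message` is hypothetical, and the sample messages are constructed from the text quoted above (the second account and its SID are made up).

```powershell
# Added example: the function name and the second account/SID are hypothetical.
function ConvertFrom-Dcom10016Message {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    begin {
        $pattern = 'do not grant (?<Permission>.+?) permission for the COM Server ' +
                   'application with CLSID (?<Clsid>\{[0-9A-F-]{36}\}) ' +
                   'to the user (?<Account>.+?) SID \((?<Sid>S-[0-9-]+)\)'
    }
    process {
        # The event text puts the CLSID on its own line, so flatten whitespace first.
        $flat = ($Message -replace '\s+', ' ').Trim()
        if ($flat -match $pattern) {
            [pscustomobject]@{
                Permission = $Matches['Permission']
                Clsid      = $Matches['Clsid'].ToUpper()
                Account    = $Matches['Account']
                Sid        = $Matches['Sid']
            }
        } else {
            Write-Warning "Not a recognised 10016 message: $flat"
        }
    }
}

# Constructed sample input modelled on the message quoted in the post.
$template = "The application-specific permission settings do not grant Local Activation " +
            "permission for the COM Server application with CLSID`n{0}`nto the user {1} " +
            "SID ({2}). This security permission can be modified using the Component " +
            "Services administrative tool."
$clsid = '{61738644-F196-11D0-9953-12345ABCDEC1}'
$samples = @(
    ($template -f $clsid, 'MyDomain\mossapppool_01', 'S-1-5-21-1234567899-1510927935-777304043-47828'),
    ($template -f $clsid, 'MyDomain\mossapppool_01', 'S-1-5-21-1234567899-1510927935-777304043-47828'),
    ($template -f $clsid, 'MyDomain\mossapppool_02', 'S-1-5-21-1234567899-1510927935-777304043-47829')
)

# One row per identity/CLSID/permission, with how many events reported it.
$samples | ConvertFrom-Dcom10016Message |
    Group-Object Account, Sid, Clsid, Permission |
    ForEach-Object {
        $_.Group[0] | Add-Member -NotePropertyName Events -NotePropertyValue $_.Count -PassThru
    } |
    Sort-Object Events -Descending |
    Format-Table Events, Account, Permission, Clsid, Sid -AutoSize
```

Pipe the message text of the logged 10016 events into the function in place of `$samples`; rerunning it after the Component Services change should return no rows for the accounts that were granted Local Activation.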
