DCOM Permissions

From ThinManager Knowledge Base

Environment

Windows Server 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2

Description

  • Unable to connect to ThinManager Server from a Workstation and/or Server.
  • ThinManager asking for password where none is required.
  • Smart Session cannot get server information.
  • Terminal Servers are showing a red bar.

Cause

The ThinManager User Interface uses DCOM to connect to ThinManager Servers.

1. If DCOM is not set up to use Anonymous Login, then ThinManager cannot communicate its status to the other ThinManager servers.
2. If the Windows user running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.

Resolution 1

To enable Anonymous Login on the machine where the ThinManager user interface is installed:

  • Start > Run > dcomcnfg > OK
  • Expand: Component Services > Computers
  • Right Click: My Computer > Properties
  • Select "COM Security" Tab:
    • Under Access Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
    • Launch and Activation Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.

Via GPO

If "Edit Limits" is grayed out, then the setting is configured at the Domain Level via Group Policy.

Locally:

  • Start > Run > gpedit.msc > OK
  • Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
  • Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.

Per Domain Policy:

This must be done on the DOMAIN CONTROLLER and typically should be done by the customer's Domain Administrator!!!
  • Start > Run > gpmc.msc > OK
  • Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
  • Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
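
To confirm what the machine-wide limits actually grant after a local or Group Policy change, the following added example (not part of the original article and not ThinManager code) decodes the stored security descriptors and reports the rights held by ANONYMOUS LOGON. The function name Get-DcomLimitRights and the sample SDDL string are made up for illustration; the registry locations are the standard Windows ones for these two settings and are not taken from this article.

```powershell
# Added example, not ThinManager code. Needs Windows PowerShell 5.0 or later.
$AnonymousLogon = [System.Security.Principal.SecurityIdentifier]'S-1-5-7'
# COM access-right bits (COM_RIGHTS_* constants in the Windows SDK).
$ComRights = [ordered]@{
    LocalAccessOrLaunch  = 0x02   # COM_RIGHTS_EXECUTE_LOCAL
    RemoteAccessOrLaunch = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    LocalActivation      = 0x08   # COM_RIGHTS_ACTIVATE_LOCAL
    RemoteActivation     = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
}

function Get-DcomLimitRights {
    param(
        [Parameter(Mandatory)] $Descriptor,  # SDDL string or binary security descriptor
        [string] $Label = 'constructed sample',
        [System.Security.Principal.SecurityIdentifier] $Sid = $AnonymousLogon
    )
    $rsd = [System.Security.AccessControl.RawSecurityDescriptor]
    $sd = if ($Descriptor -is [string]) { $rsd::new($Descriptor) } else { $rsd::new([byte[]]$Descriptor, 0) }
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACEs that name the SID directly are counted, as in the Edit Limits dialog.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if (-not $ace.SecurityIdentifier.Equals($Sid)) { continue }
        if ($ace.AceQualifier -eq 'AccessAllowed') { $allow = $allow -bor $ace.AccessMask }
        if ($ace.AceQualifier -eq 'AccessDenied')  { $deny  = $deny  -bor $ace.AccessMask }
    }
    $effective = $allow -band (-bnot $deny)   # a deny ACE overrides an allow ACE
    $result = [ordered]@{ Setting = $Label }
    foreach ($name in $ComRights.Keys) {
        $result[$name] = [bool]($effective -band $ComRights[$name])
    }
    [pscustomobject]$result
}

# Constructed SDDL: Everyone (WD) local + remote, ANONYMOUS LOGON (AN) local only.
Get-DcomLimitRights -Descriptor 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)'

# Live check: the policy value (SDDL string) takes precedence over the local one (binary).
foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $src = 'Group Policy'
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
    $value = (Get-ItemProperty $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $value) {
        $src = 'local'
        $value = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $name -ErrorAction SilentlyContinue).$name
    }
    if ($value) { Get-DcomLimitRights -Descriptor $value -Label "$name ($src)" }
    else { "${name}: no explicit limit stored in the registry" }
}
```

Pass a different SID with -Sid to check the Windows security group used in Resolution 2 in the same way.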

Resolution 2

To enable the ThinManager user to access DCOM on the machine running ThinServer:

  • Start > Run > dcomcnfg > OK
  • Expand Component Services > Computers
  • Right click: My Computer > Properties
  • Select "COM Security" tab
    • Under Access Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
    • Launch and Activation Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access