Difference between revisions of "DCOM Permissions"

From ThinManager Knowledge Base
m (Environment)
Line 15: Line 15:
 
The ThinManager User Interface uses DCOM to connect to ThinManager Servers.  
 
The ThinManager User Interface uses DCOM to connect to ThinManager Servers.  
  
1. If DCOM is not setup to use <i>Anonymous Login</i>, then ThinManager cannot communicate its status with the other ThinManager servers.
+
Non-domain Systems
 +
1. If DCOM on the ThinManager machine is not setup to allow <i>Anonymous Logon</i>, then the ThinServer service cannot communicate its status with to ThinManager.
 +
2. If the Windows users running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.
 +
 
 +
Domain Systems
 +
1. If DCOM on the ThinManager machine is not setup to allow connections from the account ThinServer is running under, then the ThinServer service cannot communicate its status with to ThinManager.
 
2. If the Windows users running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.
 
2. If the Windows users running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.
  
 
==Resolution 1==
 
==Resolution 1==
To enable Anonymous Login on the machine where the ThinManager user interface is installed:
+
To enable Anonymous Login / ThinServer account on the machine where the ThinManager user interface is installed:
 
*Start > Run > dcomcnfg > OK
 
*Start > Run > dcomcnfg > OK
 
*Expand: Component Services > Computers
 
*Expand: Component Services > Computers
 
*Right Click: My Computer > Properties
 
*Right Click: My Computer > Properties
 
*Select "COM Security" Tab:
 
*Select "COM Security" Tab:
**Under Access Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
+
**Under Access Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
**Launch and [[Activation]] Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
+
**Launch and [[Activation]] Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
 
===via GPO===
 
===via GPO===
 
If "Edit Limits" is grayed out, then the setting is configured at the Domain Level via Group Policy.<br><br><b>Locally:</b>
 
If "Edit Limits" is grayed out, then the setting is configured at the Domain Level via Group Policy.<br><br><b>Locally:</b>
 
*Start > Run > gpedit.msc > OK
 
*Start > Run > gpedit.msc > OK
 
*Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
 
*Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
*Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
+
*Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
*Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.<br>
+
*Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.<br>
  
 
<b>Per Domain Policy:</b>
 
<b>Per Domain Policy:</b>
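Review bot: The edited Resolution 1 and Locally steps now say '"ANONYMOUS LOGON" / ThinServer account user' without stating which principal applies to which case, even though the new Cause text in this same hunk ties Anonymous Logon to non-domain systems and the account ThinServer runs under to domain systems. Spelling that mapping out in the steps would keep domain sites from granting ANONYMOUS LOGON remote access and launch rights they do not need. Smaller points in the added lines: "cannot communicate its status with to ThinManager" has a stray "with", "If the Windows users running ThinManager is not allowed" mixes plural and singular, item 2 is repeated verbatim under both headings, and the intro line still says "Anonymous Login" while the Cause text says "Anonymous Logon".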
Line 37: Line 42:
 
*Start > Run > gpmc.msc OK
 
*Start > Run > gpmc.msc OK
 
*Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
 
*Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
*Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
+
*Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
*Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" user is allowed both Local and Remote Access.
+
*Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
  
 
==Resolution 2==
 
==Resolution 2==
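Review bot: Both edited bullets in the Per Domain Policy steps still present '"ANONYMOUS LOGON" / ThinServer account user' as interchangeable, although this revision's Cause section says domain systems need the account ThinServer is running under. Because a domain GPO only reaches domain-joined machines, consider naming only the ThinServer account in these two bullets, or state explicitly when ANONYMOUS LOGON is still required. The unchanged first bullet, "Start > Run > gpmc.msc OK", is also missing the ">" before OK.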

Revision as of 13:20, 7 March 2019

Environment

Windows Server 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2

Description

  • Unable to connect to ThinManager Server from a Workstation and/or Server.
  • ThinManager asking for password where none is required.
  • Smart Session cannot get server information.
  • Terminal Servers are showing a red bar.

Cause

The ThinManager User Interface uses DCOM to connect to ThinManager Servers.

Non-domain Systems

  1. If DCOM on the ThinManager machine is not set up to allow Anonymous Logon, then the ThinServer service cannot communicate its status to ThinManager.
  2. If the Windows user running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.

Domain Systems

  1. If DCOM on the ThinManager machine is not set up to allow connections from the account ThinServer is running under, then the ThinServer service cannot communicate its status to ThinManager.
  2. If the Windows user running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.

Resolution 1

To allow the Anonymous Logon / ThinServer account on the machine where the ThinManager user interface is installed:

  • Start > Run > dcomcnfg > OK
  • Expand: Component Services > Computers
  • Right Click: My Computer > Properties
  • Select "COM Security" Tab:
    • Under Access Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
    • Launch and Activation Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.

via GPO

If "Edit Limits" is grayed out, then the setting is configured at the Domain Level via Group Policy.

Locally:

  • Start > Run > gpedit.msc > OK
  • Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
  • Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.

Per Domain Policy:

This must be done on the DOMAIN CONTROLLER and typically should be done by the customer's Domain Administrator!!!
  • Start > Run > gpmc.msc > OK
  • Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
  • Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.

Resolution 2

To enable the ThinManager user to access DCOM on the machine running ThinServer:

  • Start > Run > dcomcnfg > OK
  • Expand Component Services > Computers
  • Right click: My Computer > Properties
  • Select "COM Security" tab
    • Under Access Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
    • Launch and Activation Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
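
To confirm what the "Edit Limits" and GPO steps in Resolution 1 and Resolution 2 actually left in place, the following added example (not ThinManager or Rockwell Automation code) reads the machine-wide DCOM limits and reports the rights granted directly to one SID. It assumes PowerShell 3.0 or later run as administrator on the machine being checked; the function name Get-DcomLimit is hypothetical, and only ACEs that name the SID itself are evaluated.

```powershell
# Added example: report what the machine-wide DCOM limits grant one principal.
# Bit values are the COM_RIGHTS_* constants from the Windows SDK.
$ComRights = [ordered]@{
    LocalAccessOrLaunch  = 0x02   # COM_RIGHTS_EXECUTE_LOCAL
    RemoteAccessOrLaunch = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    LocalActivation      = 0x08   # COM_RIGHTS_ACTIVATE_LOCAL  (launch limits only)
    RemoteActivation     = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE (launch limits only)
}

function Get-DcomLimit {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$ValueName,
        [string]$Sid = 'S-1-5-7'   # well-known SID of ANONYMOUS LOGON
    )
    # A limit set by Group Policy (SDDL string) takes precedence over the
    # local one written by dcomcnfg (binary security descriptor).
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -Name $ValueName -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $ValueName -ErrorAction SilentlyContinue
    if ($policy) {
        $source = 'Group Policy'
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ([string]$policy.$ValueName)
    } elseif ($local) {
        $source = 'Local (dcomcnfg)'
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ([byte[]]$local.$ValueName, 0)
    } else {
        return [pscustomobject]@{ Limit = $ValueName; Source = 'Not set, Windows defaults apply'; Sid = $Sid }
    }

    # Only ACEs that name the SID itself are counted; group memberships are not expanded.
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        if ($ace.AceType -eq 'AccessAllowed') { $allow = $allow -bor $ace.AccessMask }
        if ($ace.AceType -eq 'AccessDenied')  { $deny  = $deny  -bor $ace.AccessMask }
    }
    $effective = $allow -band (-bnot $deny)

    $result = [ordered]@{ Limit = $ValueName; Source = $source; Sid = $Sid }
    foreach ($name in $ComRights.Keys) {
        $result[$name] = [bool]($effective -band $ComRights[$name])
    }
    [pscustomobject]$result
}

# Check both limits for ANONYMOUS LOGON. To check the ThinServer service account,
# pass its SID with -Sid (look the SID up in your own environment).
'MachineAccessRestriction', 'MachineLaunchRestriction' |
    ForEach-Object { Get-DcomLimit -ValueName $_ }
```

A Source of "Group Policy" corresponds to the case where "Edit Limits" is grayed out in dcomcnfg, so the change has to be made in the GPO rather than locally.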