In an effort to create a more unified support experience, we have moved support of our Knowledgebase to Rockwell Automation Tech Support.

If you would like to speak with one of our engineers, please Submit a Question or give us a call at the phone number here. In North America, To route your phone support request directly to a technical support engineer, call toll free 1-888-382-1583 or 1-440-646-3434, select Option 3 (Technical Support), then select Option 5 (More Options). When prompted, enter the ThinManager Direct Dial Code 201.

Difference between revisions of "DCOM Permissions"

From ThinManager Knowledge Base
Jump to: navigation, search
 
Line 53: Line 53:
 
** Under Access Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
 
** Under Access Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
 
** Launch and [[Activation]] Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
 
** Launch and [[Activation]] Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
 +
 +
==Resolution 3==
 +
Make sure the ThinManager user is allowed to connect to ThinServer.
 +
* Enter the ThinMaager Server Configuration wizard.
 +
* Go to the "ThinManager Security Groups" page.
 +
* Add a Windows security group that the ThinManager user is a member of.
 +
* Assign permissions to the security group. At a minimum you must add "Connect"

Latest revision as of 13:23, 7 March 2019

Environment

Windows Server 2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2

Description

  • Unable to connect to ThinManager Server from a Workstation and/or Server.
  • ThinManager asking for password where none is required.
  • Smart Session cannot get server information.
  • Terminal Servers are showing a red bar.

Cause

The ThinManager User Interface uses DCOM to connect to ThinManager Servers.

Non-domain Systems 1. If DCOM on the ThinManager machine is not setup to allow Anonymous Logon, then the ThinServer service cannot communicate its status with to ThinManager. 2. If the Windows users running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.

Domain Systems 1. If DCOM on the ThinManager machine is not setup to allow connections from the account ThinServer is running under, then the ThinServer service cannot communicate its status with to ThinManager. 2. If the Windows users running ThinManager is not allowed to access DCOM on the ThinManager server, then the user interface will not be able to communicate with the ThinServer service.

Resolution 1

To enable Anonymous Login / ThinServer account on the machine where the ThinManager user interface is installed:

  • Start > Run > dcomcnfg > OK
  • Expand: Component Services > Computers
  • Right Click: My Computer > Properties
  • Select "COM Security" Tab:
    • Under Access Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
    • Launch and Activation Permissions: Edit Limits > Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.

via GPO

If "Edit Limits" is grayed out, then the setting is configured at the Domain Level via Group Policy.

Locally:

  • Start > Run > gpedit.msc > OK
  • Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
  • Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.

Per Domain Policy:

This must be done on the DOMAIN CONTROLLER and typically should be done by the customer's Domain Administrator!!!
  • Start > Run > gpmc.msc OK
  • Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Open: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.
  • Open: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" and Make sure the "ANONYMOUS LOGON" / ThinServer account user is allowed both Local and Remote Access.

Resolution 2

To enable ThinManager user to access DCOM on the machine running ThinServer:

  • Start > Run > dcomcnfg > OK
  • Expand Component Services > Computers
  • Right click: My Computer > Properties
  • Select "COM Security" tab
    • Under Access Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access
    • Launch and Activation Permissions: Edit Limits > Add a Windows security group to which the user running ThinManager belongs, and allow Local and Remote access

Resolution 3

Make sure the ThinManager user is allowed to connect to ThinServer.

  • Enter the ThinMaager Server Configuration wizard.
  • Go to the "ThinManager Security Groups" page.
  • Add a Windows security group that the ThinManager user is a member of.
  • Assign permissions to the security group. At a minimum you must add "Connect"