Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO

Friday, December 12, 2008

DCOM error - event 10016

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
This security permission can be modified using the Component Services administrative tool.
I googled that GUID (BC866CF2-5486-41F7-B46B-9AA49CF3EBB1) and it seems to be an nVidia firewall.
Do you have that installed on your server?
Is there a link in the bottom of the DCOM error, and if you click it does it lead you to instructions to fix that? If so, you could follow those instructions. However, if the offending application really is nVidia firewall, I'd probably want to disable or remove that rather than configure DCOM security to let it work. AFAIK that's a "personal firewall" and isn't a server-level application.
If there's not a link in the error, you can go to HKEY_CLASSES_ROOT\CLSID.
Scroll down until you find BC866CF2-5486-41F7-B46B-9AA49CF3EBB1 and look through the entries to find what it is. You can go into DCOM and set the permissions indicated in the error message, but ONLY IF you want to give Network Service rights to the application represented by that GUID.
After you have removed or disabled the firewall or whatever other app that may be, or otherwise straightened out the DCOM error, you can move on to troubleshooting the other issues, assuming they're not cleared up by fixing the other issue.
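Added example (not part of the original thread or of any vendor tool): the lookup the answer above describes, done from PowerShell instead of by scrolling through HKEY_CLASSES_ROOT\CLSID by hand. It pulls the CLSID, the account SID and the missing right out of a 10016 message, resolves the CLSID to its registered name, AppID and server binary, and resolves the SID to an account name, so you can decide whether that account should get Local Activation at all. The event text below is a constructed sample worded like the one in the thread (the SID S-1-5-20 is NT AUTHORITY\NETWORK SERVICE); the script assumes PowerShell 3 or later on the affected machine, and the registry lookup simply returns nothing if that CLSID is not registered there.

```powershell
# Added example: decode a DCOM event 10016 message and identify the CLSID and SID it names.
function ConvertFrom-Dcom10016 {
    param([Parameter(Mandatory=$true)][string]$Message)
    # The message names the CLSID, sometimes an APPID, the missing right and the SID.
    $clsid = [regex]::Match($Message, '(?i)CLSID\s*\{?([0-9A-F-]{36})\}?').Groups[1].Value
    $appid = [regex]::Match($Message, '(?i)APPID\s*\{?([0-9A-F-]{36})\}?').Groups[1].Value
    $sid   = [regex]::Match($Message, 'SID\s*\((S-1-[0-9-]+)\)').Groups[1].Value
    $right = [regex]::Match($Message, '(Local|Remote) (Launch|Activation)').Value
    [pscustomobject]@{ Clsid = $clsid; AppId = $appid; Sid = $sid; MissingRight = $right }
}

function Resolve-DcomClsid {
    # Same lookup the answer suggests: HKCR\CLSID\{guid}, plus its AppID and server path.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\{$Clsid}"
    if (-not (Test-Path $key)) { return $null }
    $props  = Get-ItemProperty -Path $key
    $server = foreach ($sub in 'LocalServer32', 'InprocServer32') {
        if (Test-Path "$key\$sub") { (Get-ItemProperty "$key\$sub").'(default)' }
    }
    [pscustomobject]@{
        Name   = $props.'(default)'
        AppId  = $props.AppID
        Server = ($server | Where-Object { $_ }) -join '; '
    }
}

function Resolve-AccountSid {
    # Translate the SID to DOMAIN\name; fall back to the raw SID if it is unknown here.
    param([Parameter(Mandatory=$true)][string]$Sid)
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { "(unresolvable: $Sid)" }
}

# Constructed sample message, worded like the one quoted in the thread.
$sample = @"
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
"@

$ev = ConvertFrom-Dcom10016 -Message $sample
$ev
Resolve-DcomClsid -Clsid $ev.Clsid          # $null on a box where the CLSID is not registered
"Account: " + (Resolve-AccountSid -Sid $ev.Sid)
```

On a live server replace `$sample` with `(Get-WinEvent -FilterHashtable @{LogName='System'; Id=10016} -MaxEvents 1).Message`. The point of resolving the CLSID first is the one the answer makes: if the server binary turns out to be a personal firewall or some other application that has no business on a server, remove it rather than widen DCOM permissions for the account.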

With Microsoft on the phone, I completely removed it and started over. I've since found, after reinstalling the nVidia drivers, that it is a permissions problem coming from Windows Server 2003 R2.
I got an nVidia error #1 after the reinstall when trying to use Network Access Manager:
The Forceware Web Interface service terminated with service-specific error 1 (0x1).
and thousands of DCOM errors that say some SID does not have permission to:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
Something basic is disallowing the redirection of the nVidia frontend, which uses its own Apache instance as an interface to configure the firewall settings.
It may not matter much, since on Monday we're stripping the servers of this version of Windows Server and installing a new one.
I believe Windows is disallowing execution of the basic CGI scripts, but can't find out how it's doing that. What paranoiaware! I can handle security and I really don't need all this extra junk which stops things by default. I wish they'd let administrators think for themselves, instead of giving in to the general public's fears about stopping everything from executing.

GinEric: It's not nVidia, it's Windows, of that I'm sure, because I have a production Apache server running side by side with it, but I have to define the ScriptAlias and add other executable directories to that Apache. It too has cgi-bin problems owing to Windows permissions paranoia, considering Data Execution Prevention [DEP], a built-in Windows Firewall that is junk, an attempt at a built-in Windows antivirus that is junk, a DNS that is not RFC compliant, a web browser that is not HTML compliant, and a lot more non-compliant Windows software.
And we're Microsoft Developers and Partners!
We're constantly on the phone with them, at Microsoft Headquarters. It took us a month to get a version of Windows Server 2003 because the distributors and resellers couldn't find a copy! This from the pressing plant, which we believe must be in Puerto Rico [that's what the box says!], and a complete breakdown in the distribution chain.
It was hard enough acquiring XP Pro 64-bit, which also took over a week. Next week we'll be full 64-bit, ready for Vista and perhaps a Vista Server, if they get that far this year. But it looks like there are going to be real fun problems when that comes out!
It will sell, no doubt, and there will be about a million experts telling people how to fix problems, but, like our block of IP questions, I think the answers will be just too simple for some to figure out.
I'm going to get some manuals and the debugger for this system and see if I can't pinpoint what is causing this permissions problem with Windows.

What I'm down to: Installing the role of Domain Controller subtracts the automatic "localhost" pseudo domain name privileges therefrom.
nVidia chipset manufacturers install their configuration utilities using Apache2. Because Windows Server 2003 (R2) has more than strict default security settings, the nVidia chipset drivers rely on Apache2 for viewing and configuration of their onboard [as well as Asus' onboard nVidia chipset] Ethernet.
While this Network Access Manager will run on kiddie computers [and other non Fully Qualified Domain Name systems named "localhost"], it will not run on real servers under Windows Server 2003 (R2) because that Operating System is POSIX compliant with respect to Apache not running as localhost.
That means that while nVidia made a wise choice in using the httpd server for the http [the World Wide Web, of which Internet Explorer is a client and Internet Information Server is an emulating server] because this is where all forms of word processing and information exchange are headed, they did not know how to install their frontend properly. They did not take the time to run their daemon in a chrooted jail, which means they did not take the time to run the service as a user, rather than the local system account. The local system account is localhost and no service should be run as such, which is to say as "localhost."
So now we come across how to fix it. The service must be started with a command of this type:
Group\Apache2\bin\apache.exe" -n "NetworkAccessManager.exe" -k runservice
if the service name is NetworkAccessManager.exe and has been installed with that name, or, by changing the name Apache.exe to NetworkAccessManager.exe to distinguish it from any other Apache or web server service.
Done per on this particular machine.
Because nVidia made no provisions to do the proper install for Windows, per the above, which should have been:
apache -k uninstall -n "NetworkAccessManager.exe"
one has to do a "workaround" to get it to work. This involves creating a user for the service, and giving it the proper permissions to Grant Local Activation and to then fix this error:
"The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
to the user Enterprise\username SID (S-1-5-21-837930903-1476599053-4099141860-1125). This security permission can be modified using the Component Services administrative tool."
which leads to this Microsoft Advisory:
A simple "Access Denied" for the service to start. Finding this permission, however, is more of a task. Per the article:
2.e. is changed to selecting a username, instead of the IUSR_ServerName [apparently this still doesn't work with a real PDC hostname, so you can use the chrooted user instead]. Thereafter, follow the advisory and set the Launch Activation Allow checkbox for that user.
When a service is run as a user with the ability to restrict permissions, this is called a Chrooted Jail. CH is from chmod, the permission command in Linux ported to Windows by C and Linux programmers, root is the root user meaning that root or the built in Administrator or System Authority account is overseeing this process, and Jail means that that service [daemon] is within the jail set by the permissions and the administrative account, that is, it cannot access objects outside of its confines.
This error began showing up with nearly all new chipsets, since about 2004, regarding Via and nVidia, particularly on their drivers for the onboard chipset, when using a layer controlled under the Data Execution Prevention [DEP] strategic hardware design of the 64-bit systems architecture. This architecture is a necessary prerequisite for DEP because it includes a Special Operator in the Microprocessor to control the lowest level of access, which should always be "supervised" by the Operating System. Set the Special Ops bit, and call an Operating System routine to handle any program as a subtask, such as controlling the fan speeds, checking temperatures, and all functions within the Control Mode Set [Supervisory and Privileged Mode of Intel, AMD, and Citrix microprocessors, as well as Motorola microprocessors (which had this feature 25 years ago)].
Take a good look here:
Under "No Execute Bit" ; that is "Our Design!" from over 30 years ago, just now being implemented in microprocessors. Without "Our Bit," you don't have Data Execution Prevention, however, this is at a cost in that you must now allow for application and user permissions to launch and execute outside of the system areas, and, this must be done under System Authority.
So, I knew this problem was a DEP problem as soon as it failed to launch or execute, and/or load a web page that needed to launch and execute, as do the CGI and other executable scripts found on many web pages, including .asp and .cgi.
I simply did not know where Microsoft had implemented it in their billions of bytes of Operating System software. I still do not know all of the locations of its implementation in the DEP architecture as assigned by the mostly Redmond programmers, and others around the world, the developers and partners, like us.
Mostly, the problem is borne out of low-level training that is completely unaware of how this architecture has been implemented. Since Unisys, its owners, stockholders, and employees, retired or not, own the copyrights and patents to these innovations, Microsoft, AMD, Intel, perhaps Citrix and others who use the 64-bit design must have a standing agreement with these copyright and patent owners through Unisys [whose foundation is aboriginally Univac and Burroughs, the two J. Presper Eckert and John Mauchly companies] in order to use these copyrighted and patented creations and discoveries, hence the announcements of the partnering of all of these with Unisys.
Many trainees and even degreed IT and computer professionals are completely unaware of this architecture and these legal requirements, and the 64-bit systems are, at best, vagaries to them. Not realising that there are actual designers of these systems sitting right here discussing problems with the 64-bit emulated copies of these mainframe architectures [AMD, Intel, Citrix, et ux en toto], a lack of understanding may exist at some levels.
But since this is a relevant problem that encompasses nearly all aspects of the new Windows 64-bit Operating Systems, this platform, this Experts Exchange, has been lucky enough to have such experts here fully detailing the operation for those who need to know them in order to understand how their network and system architecture actually works, and thereby to quickly spot and resolve problems.
The question was to see if anyone had had this problem before. If they had lost the ability to execute programs at some point under Windows Server 2003 (R2).
I did not expect anyone to explain it as I have. I'll award the points to anyone who participates and formulates the points I've made above if they agree and it solves any of their execution permissions problems. After all, I can't award them to myself, and the fact is that DEP is going to play an extremely important role in Vista, when it arrives. Those who don't understand this basic design concept will have a hard time in troubleshooting and fixing problems related to execute and access permissions on Windows Server 2003 (R2) 64-bit and the upcoming Vista Server versions.
I often find the depth of information I provide is very comprehensive, simply because I'm involved in the design and don't want to trivialize or skip over what I consider to be critically important, as this area involving the Execute Bit is, but this is written mostly as my "draft" copy of what will appear on my site; if Experts Exchange wishes to use it, I grant the right to re-publish, but require that the author be fully credited.
Which is fairly generous, since it's the most accurate information there is, from one of the designers himself. I could have just put it all in a book, which would have cost dearly, but I felt that sharing the information was a kind gesture and the right thing to do for those who have an exceptional interest in Systems Architecture and Operating Systems Design.

What I did to make nVidia Firewall work:
01.) copy D:\nVidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe to same directory, Windows named it "copy of Apache.exe"
02.) Renamed D:\nVidia\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe to ..\NetworkAccessManager.exe
03.) Created user nobody [the normal Apache chrooted jail]
04.) Granted "Launch Applications" to nobody
05.) borrowed the startup command "D:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe"
06.) used it this way
"D:\nVidia\NETWOR~1\Apache Group\Apache2\bin\NetworkAccessManager.exe"
and that from a command prompt. It runs now and I can once again configure my firewall using the nVidia tray icon.
nVidia is just so much more configurable than Microsoft Firewall and it was worth all of the effort. It's also a lot easier to find than the Windows Security popup and the Windows Firewall administration popup. In searching the internet for the error and solution, to :
"The Forceware Web Interface service terminated with service-specific error 1 (0x1)."
I found no definitive answers since the nVidia creation, about 2004. Googling will show this non-result. The answer, as I suspected it would be, was to solve it myself, hopefully with expert help. Even if someone would only listen, that is enough to solve a problem very often. Up to this point Jay_Jay70, no other expert did listen. For that I thank you. You will make one of the best experts there is here, because you listen.
As for others who often criticized the aboriginal question, which was deleted here, this answer stands as a monument that will come to haunt many henceforth.
"The customer is always right." J.C. Penney
to paraphrase:
"The questioner is always right." GinEric
Don't you just love it when you're right? This question and answer is classic. And my bet is that it will be the #1 solution for this problem, from Experts Exchange and from
The last word.
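Added example (not the poster's own steps and not vendor code): the workaround described in the two posts above, done from PowerShell. It registers the renamed Apache binary as a distinctly named service with Apache's own `-k install -n` switches, moves the service off the LocalSystem account, and then adds Local Launch and Local Activation for that account to the machine-default DCOM launch permission that event 10016 complains about, which is the same setting the Component Services tool edits under COM Security, Launch and Activation Permissions, Edit Default. Differences from the posts are deliberate and labelled: instead of creating a user "nobody" it uses the built-in NT AUTHORITY\LocalService, which already holds the "Log on as a service" right, so no rights assignment is needed; the path and service name are hypothetical placeholders. Run it elevated on the affected server and keep the registry backup it writes.

```powershell
# Added example: install the vendor's Apache as its own service under a low-privilege
# account and grant that account Local Launch/Activation in the DCOM machine default.
$apacheExe   = 'D:\nVidia\NetworkAccessManager\Apache Group\Apache2\bin\NetworkAccessManager.exe'  # hypothetical
$serviceName = 'NetworkAccessManager'                                                                # hypothetical
$account     = 'NT AUTHORITY\LocalService'   # built-in account used instead of a new "nobody" user

# 1. Register the service under its own name (Apache's -k/-n switches, as in the post).
& $apacheExe -k install -n $serviceName

# 2. Run it as LocalService rather than LocalSystem. sc.exe requires the space after "obj=".
sc.exe config $serviceName obj= $account

# 3. The machine-default Launch/Activation permission is a binary security descriptor
#    under HKLM\SOFTWARE\Microsoft\Ole. COM access-mask bits used below:
$COM_RIGHTS_EXECUTE_LOCAL  = 0x2   # Local Launch
$COM_RIGHTS_ACTIVATE_LOCAL = 0x8   # Local Activation, the right event 10016 reports as missing
$oleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$valueName = 'DefaultLaunchPermission'

function Grant-DcomDefaultLocal {
    param([Parameter(Mandatory=$true)][string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])

    # If the value is absent the OS built-in default applies; there is nothing to append to.
    $raw = (Get-ItemProperty -Path $oleKey -Name $valueName -ErrorAction Stop).$valueName
    [IO.File]::WriteAllBytes("$env:TEMP\$valueName.bak", $raw)   # backup for rollback

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
    if ($null -eq $sd.DiscretionaryAcl) { throw "$valueName has no DACL; edit it in dcomcnfg instead" }

    $mask = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_ACTIVATE_LOCAL
    $already = $sd.DiscretionaryAcl | Where-Object {
        $_.SecurityIdentifier -eq $sid -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        (($_.AccessMask -band $mask) -eq $mask)
    }
    if ($already) { return "Local Launch/Activation already granted to $Account" }

    # Append an allow ACE for just the local rights; remote launch/activation stays denied.
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

    $out = New-Object byte[] -ArgumentList $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $oleKey -Name $valueName -Value $out -Type Binary
    return "Granted Local Launch/Activation to $Account"
}

Grant-DcomDefaultLocal -Account $account
Restart-Service -Name $serviceName
```

Two caveats a practitioner would check before running this. Widening DefaultLaunchPermission affects every COM server that has no per-AppID LaunchPermission, so if the event names an APPID, a tighter fix is to grant the same mask under HKCR\AppID\{appid}\LaunchPermission (the Component Services "application" level) rather than the machine default. And the machine-wide limits (MachineLaunchRestriction, "Edit Limits" in the tool) must also allow the account locally; on Server 2003 SP1 and later the default limits already permit Local Launch and Local Activation, so that value is left alone here.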
