Thursday, February 08, 2007

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

You may see this error - more than once - when working with your Microsoft Office SharePoint Server (MOSS) 2007 deployment. This animal / error generally shows itself after you have applied an upgrade to an existing deployment. For example, when upgrading from B2 MOSS to B2TR MOSS - or when applying a special service pack from MSFT - you may begin to see a lot of these errors pop up in the SYSTEM event log.

The error CLSID is followed by a class ID for the DCOM+ application that the service account trying to activate that application - does NOT have permission to activate.

For example, let's say I installed MOSS on a server, and used the account mossService as the service account (a least privileged, user account you created to run the MOSS service(s))., when I get this error, I could very well see an error like the following:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1}
to the user \mossService SID (S-1-5-21-). This security permission can be modified using the Component Services administrative tool.

  • Copy the GUID following the CLSID above, and Start-->Run-->regedit
  • With the registry editor open, ensure that your cursor is on the computer at the beginning of the tree (make sure you are not in the middle of some previous edit session in the registry editor).
  • Edit-->Find and paste in the GUID. It'll stop at the application entry - and you will want to note the application name on the right side pane. In this example, it was the IIS WAMREG admin service that popped up.
  • Now, open Component Services (typically, from the server - Start-->Administrative Tools-->Component Services), expand Component Services, Computers, My Computer, DCOM Config. Scroll down and find the application (IIS WAMREG in this case).
  • Right-Click-->Properties and select the Security tab. You'll have some options here - the first block Launch and Activation Permissions - ensure that the Customize radio button is selected, and click Edit. Now, add your service account - giving it launch and activate - and in some requirements - remote launch / activate permission.
  • Restart IIS and continue on.