For some time now, IT professionals have been modifying DCOM activation rights in order to keep their System event logs clean. In SharePoint 2010, that fix became slightly trickier, as permissions to modify the DCOM permissions had to be granted through the registry for the IIS WAM REG admin service and oSearch14 DCOM applications. Having made these fixes, I’ve noticed a new breed of DCOM 10016 error.
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{000C101C-0000-0000-C000-000000000046}
and APPID
{000C101C-0000-0000-C000-000000000046}
to the user <FARM ACCOUNT> SID (S-1-5-21-xxxxxxx….) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
The CLSID for this COM Server Application is MSIServer, used to activate the Windows Installer Service. You can find this by navigating to HKCR\AppId and examining the details there:
Given that there were 105 instances of this DCOM 10016 error in an eleven second period, I decided to see what was happening at the same time (00:52:09-00:52:19) in the Application event logs. It turned out that there were 210 Information and Warning events during the same time-frame. An example pair of these event is included here:
1035 Information
Windows Installer reconfigured the product. Product Name: Microsoft Excel Mobile Viewer Components. Product Version: 14.0.4763.1000. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.1015 Warning
Failed to connect to server. Error: 0×80070005
You might notice this first informational event is for the Microsoft Excel Mobile Viewer. As you trawl through the events it will become clear that these events occur for Language Packs, Service Applications, Foundation elements, Web Apps – all sorts. At this point it was pretty clear to me that the SharePoint Farm account (probably a Timer Job) was trying to run the Windows Installer Service for these products, but I had no idea why, so I cracked open ULS Viewer and went to town.
A Timer Job called job-admin-product-version kicked off at 00:52:08.92. Filtering by that CorrelationID I could see that this job appeared to build a hierarchy of upgradable elements (Foundation stuff, Service Applications, etc), then checked to see if these elements can be upgraded. But I don’t really feel comfortable trying to figure out what a Timer Job does by stepping through ULS logs, so before going any further I had a look at the TechNet Timer Job Reference and found that Product Version Job runs nightly at 00:45 by default.
Now that we know that this job “checks the install state of the machine and puts that data into the database“, I’m going to take a leap of faith and assume that the farm account is trying to use the Windows Installer Service to do this. Hopping back in to the ULS logs, the next-to-last event correlates to the deluge of Application logs entries.
Note that one of the first items in this mess of updates is Microsoft Excel Mobile Viewer Components again.
UpdateProductInfoInDatabase, regProductsQuery = exec proc_RegisterProductVersion N’20c667df-1bc3-486b-869c-a3ba40f83af5′, N’Microsoft SharePoint Server 2010′, N’14.0.4763.1000′, N’{90140000-1138-0000-1000-0000000FF1CE}’, N’Microsoft Excel Mobile Viewer Components’, N”…
It seems pretty clear that Product Version Job checks the installed versions of SharePoint Products and Technologies, then updates that info in the database (presumably Central Admin config). However, it’s not really clear when that information gets used, so changes to the default Daily job schedule may have unintended consequences. As I see it, this leaves three options:
- Live with the warnings/errors until a better option becomes available.
- Disable the Product Version Job timer job, noting that this could potentially have a negative impact on updates to the system (not recommended until these implications are better understood).
- Potentially combine this strategy with a plan to make the farm account a local admin temporarily and run the job manually at routine intervals (again, this warrants testing and a better understanding of the Timer Job itself).
- Grant the WSS_ADMIN_WPG local group or Farm account permissions to Launch and Activate the Windows Installer Service (which I don’t recommend).
I’m presently contending with these errors in a development environment, so I’m going to live with them for now. I’m pretty reluctant to recommend the last option. It seems to me that if the Farm account has rights to elevate to Local System via the Windows Installer Service, that puts a pretty big dent in the least-privileged model. I’ll keep looking in to this, but I thought I’d identify my findings so far and I would welcome any comments or ideas that I haven’t considered – particularly if anyone has more information about when this database information is used.
Update: 20/2/2011
I’ve done some more work on this now.
Thursday, August 19th, 2010, 5:08 pm | 
Security, SharePoint, Windows | 
RSS feed
| 
Respond | 
Trackback
20/08/2010 at 12:23 am
Lol, I like how you linked to my post as an example of what not to do.
20/08/2010 at 7:18 am
More an example of how to do it if you decide it’s an acceptable risk. I can remove it if you like? Might not be until Tuesday though, as I’m away from computers until then.
01/11/2010 at 4:01 pm
Hey Tristan
Thank you for throwing light on this error, pretty awesome work!
-Avinash
03/11/2010 at 1:53 am
Thanks Avinash! Glad it’s helpful.
20/11/2010 at 12:01 pm
Thank you very much, Tristan! The most useful article in the Net about this problem.
21/11/2010 at 10:06 pm
Cheers!
15/12/2010 at 11:35 pm
Just found your article after working out that the Product Version Timer job was the culprit. Have you discovered any further information yet regarding a solution?
Cheers
David
24/12/2010 at 3:14 am
No luck yet David. I keep seeing traffic coming in from various TechNet threads – most of which wind up referencing my article in the end. I haven’t had any suggestions about other things to try and in all of the other threads it just seems to get people scratching their heads. I’m reluctantly considering that this job might have been poorly designed from a security perspective. Unfortunately I’m not sure when I’ll find the time to do any testing and in retrospect, I don’t think the tests would be exhaustive enough for me to firmly recommend any actions without knowing more from Microsoft. I may see if I can explore other angles in the community next year. I’m on paternity leave until mid-January, so it will be a few weeks before I can pick this back up properly. If you find anything yourself, I’d love to know what you come up with.
08/02/2011 at 2:06 pm
We tried to give the farm account Local Activation permissions on the MSIServer ({000C101C-0000-0000-C000-000000000046}).
The DCOM error messages in the system log disappeared, but the warnings in the application logs still appears.
Maybe some folder access has to be given?
10/02/2011 at 6:34 pm
Hey Martin,
I’ll have an updated post on this topic in the next few days. I’ve been looking at it pretty closely. By they way, I wouldn’t recommend keeping those rights in place.
Cheers,
Tristan
20/02/2011 at 7:05 pm
Hi Martin,
I’ve done some more work on this now, which you may find useful:
http://tristanwatkins.com/index.php/inside-manage-patch-status/
http://tristanwatkins.com/index.php/testing-manage-patch-status/
I’m afraid I never got to the bottom of why the warnings appear, regardless of the DCOM permissions. The one thing I did notice is that they didn’t appear when the Product Configuration Wizard runs one of the same methods (detailed above). I assume this must be because something requires admin rights and the Setup account has those rights. In short: not sure what to make of this, and it seems to happen within the calls to the Windows Installer Service, which I’m definitely not an expert in.
Cheers,
Tristan
Trackbacks
24/11/2010 at 9:26 am
22/12/2010 at 10:14 am
15/02/2011 at 6:08 pm
16/08/2011 at 5:48 am