emeadaxsupport: Unable to edit the DCOM settings for IIS WAMREG admin service on a Windows Server 2008 R2 when trying to configure Kerberos Authentication for Role Centers

[Blog bot]

Источник: http://blogs.msdn.com/emeadaxsupport...e-centers.aspx
==============

We came across an issue recently where we were configuring Enterprise Portal and Role Centers to use Kerberos authentication. One of the steps in the whitepaper (and also as given here http://technet.microsoft.com/en-us/l.../ee355057.aspx) is to configure DCOM settings to grant the business connector proxy user account Launch and Activation permissions for the IIS WAMREG admin service package. We were able to do this successfully on a Windows Server 2003 R2/2008 system, however on a Windows Server 2008 R2 system the options are all greyed out/disabled in Component Services.

This is by design. Due to new security considerations, some core system components only grant the local internal account, TrustedInstaller, Full Control permission instead of the local Administrators group.

To be able to modify the settings of IIS WAMREG admin service" on a Windows Server 2008 R2 system, you need to grant the local Administrators group permissions to its registry key as follows:

Registry information: Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.




1. Run Regedit.exe and browse to "HKEY_CLASSES_ROOT\AppID\{61738644-F196-11D0-9953-00C04FD919C1}" key.

2. Secondary-mouse click on the {61738644-F196-11D0-9953-00C04FD919C1} key and select Permissions... menu option.

3. Click the Advanced button in the Permissions window and select the Owner tab. Under Change owner to select the local Administrators group and click on Apply/OK.

4. Then under Permissions window, select the local Administrators group and under Permissions for Administrators select Full Control.

NOTE: DO NOT modify/change any permissions for the TrustedInstaller account.

5. Click on Apply or OK to make the changes effective.

6. Re-run the Computer Services management console (dcomcnfg.exe) and you should now be able to modify the settings for IIS WAMREG admin service package.

7. After making the necessary changes, reset the permissions for the package in the registry settings back to its defaults:

- first make the account "NT SERVICE\TrustedInstaller" from the local computer the Owner of the key and

- then remove Full Control access for the Administrators group, and leave it with only Read access.




REFERENCES:

The TrustedInstaller account was introduced with Windows Server 2008/Vista - see http://technet.microsoft.com/en-us/l...77(WS.10).aspx for more details.



Источник: http://blogs.msdn.com/emeadaxsupport...e-centers.aspx