Security Audit Failure 560 caused by Permission settings of MSDTC Service


 

Built a machine from sysprep and found it has permission issue after setup web application in IIS.

Symptom:

In Http error, it records following items in all times.

2009-04-22 23:04:15 192.16.7.113 63630 192.16.4.97 80 HTTP/1.1 POST /testtransactionscope/default.aspx - 1 Connection_Abandoned_By_AppPool XXXPool

 

In the System Event, we saw that the application pool was recycling with the following message:

Description: A process serving application pool 'XXXPool' suffered a fatal communication error with the World Wide Web Publishing Service. The process id was '1784'. The data field contains the error number.

 

And in the Application Event, we saw Error Event Id 4689

Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. CTransactionMarshal::MarshalInterface

 

Process Name: w3wp.exe

The serious nature of this error has caused the process to terminate.

Error Code = 0x80030009 : Invalid pointer error.

COM+ Services Internals Information:

File: d:\nt\com\complus\src\comsvcs\txprop\txmar.cpp, Line: 198

Comsvcs.dll file version: ENU 2001.12.4720.3959 shp

 

It seems some permissions problem where the user does not have enough rights to complete the DTC transaction.

 

Troubleshooting:

 

We enabled security audit to log audit event in the security log and it turned out that issue may be due to permissions on the Service Control Manager or MSTDC

 

Event Type:      Failure Audit

Event Source:  Security

Event Category:       (3)

Event ID: 560

Date:                 5/1/2009

Time:                 11:12:35 PM

User:                  S-1-5-21-3806370356-xxxxxxx-27313109-1898

Computer:        XXXX02

Description:

Object Open:

         Object Server: SC Manager

         Object Type:    SC_MANAGER OBJECT

         Object Name:  ServicesActive

         Handle ID:        -

         Operation ID:  {0,5738775}

         Process ID:       404

         Image File Name:    C:\WINDOWS\system32\services.exe

         Primary User Name:        xxxxxx$

         Primary Domain:      xxxxx

         Primary Logon ID:    (0x0,0x3E7)

         Client User Name:   mmmm

         Client Domain:         xxxxx

         Client Logon ID:       (0x0,0x577D5E)

         Accesses:         Connect to service controller

                            Query service database lock state

                           

         Privileges:         -

         Restricted Sid Count:       0

         Access Mask:  0x11

 

 

Root Cause

 

Hence, we examined the current permissions granted to the SCM and MSDTC by running below two commands on the machines in the Command Prompt. The command would display the current permissions granted to the SCM and MSDTC. 

 

sc sdshow scmanager

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

 

 

sc sdshowmsdtc

D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

 

Check the query permission for MSDTC object, found that the Authenticated Users group doesn't have query permission on the MSDTC service object: (A;;CR;;;AU), see access rights (i.e. CR) and account sid(i.e. AU) meaning in ACE Strings and SID Strings.

 

Solution:

 

To fix the issue, set the proper permission for MSDTC

 

sc sdset msdtc D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPRC;;;WD)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

 

More Information

 

Lack of MSDTC  permission will cause various problems, you may refer to another sample fixed by the similar way:

 

Cannot expand the COM+ list in the Component Services UI due to MSDTC service permission issue

http://blogs.msdn.com/asiatech/archive/2009/04/13/cannot-expand-the-com-list-in-the-component-services-ui-error-0x8004e00f-or-0x8004d01b.aspx

 

Regards,

 

Anik Shen

 

Skip to main content