Security Audit Failure 560 caused by Permission settings of MSDTC Service


We built a machine from a sysprep image and found that it had a permission issue after a web application was set up in IIS.

Symptom:

In the HTTP error log, the following entry was recorded every time:

2009-04-22 23:04:15 192.16.7.113 63630 192.16.4.97 80 HTTP/1.1 POST /testtransactionscope/default.aspx - 1 Connection_Abandoned_By_AppPool XXXPool


In the System Event, we saw that the application pool was recycling with the following message:

Description: A process serving application pool 'XXXPool' suffered a fatal communication error with the World Wide Web Publishing Service. The process id was '1784'. The data field contains the error number.


And in the Application event log, we saw Error Event ID 4689:

Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. CTransactionMarshal::MarshalInterface


Process Name: w3wp.exe

The serious nature of this error has caused the process to terminate.

Error Code = 0x80030009 : Invalid pointer error.

COM+ Services Internals Information:

File: d:\nt\com\complus\src\comsvcs\txprop\txmar.cpp, Line: 198

Comsvcs.dll file version: ENU 2001.12.4720.3959 shp


This looked like a permissions problem in which the user does not have enough rights to complete the DTC transaction.


Troubleshooting:


We enabled security auditing to log audit events in the Security log, and it turned out that the issue might be due to permissions on the Service Control Manager or MSDTC:


Event Type: Failure Audit

Event Source: Security

Event Category: (3)

Event ID: 560

Date: 5/1/2009

Time: 11:12:35 PM

User: S-1-5-21-3806370356-xxxxxxx-27313109-1898

Computer: XXXX02

Description:

Object Open:

         Object Server: SC Manager

         Object Type: SC_MANAGER OBJECT

         Object Name: ServicesActive

         Handle ID: -

         Operation ID: {0,5738775}

         Process ID: 404

         Image File Name: C:\WINDOWS\system32\services.exe

         Primary User Name: xxxxxx$

         Primary Domain: xxxxx

         Primary Logon ID: (0x0,0x3E7)

         Client User Name: mmmm

         Client Domain: xxxxx

         Client Logon ID: (0x0,0x577D5E)

         Accesses: Connect to service controller

                   Query service database lock state

         Privileges: -

         Restricted Sid Count: 0

         Access Mask: 0x11


Root Cause


Hence, we examined the permissions currently granted on the SCM and on the MSDTC service by running the following two commands in a Command Prompt on the machine. Each command displays the security descriptor (in SDDL form) of the object it names.


sc sdshow scmanager

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


sc sdshow msdtc

D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)


Checking the query permission on the MSDTC service object, we found that the Authenticated Users group does not have query permission on it: (A;;CR;;;AU). See ACE Strings and SID Strings for the meaning of the access rights (here CR) and the account SID (here AU).


Solution:


To fix the issue, set the proper permissions on the MSDTC service:


sc sdset msdtc D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPRC;;;WD)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
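As an added example (not part of the original post), the small Python decoder below maps the two-letter SDDL rights in the descriptors above to the SERVICE_* access rights of a service object and diffs the before and after DACLs. Besides the Authenticated Users change, it shows that the new descriptor also drops the Interactive (IU) and Service (SU) ACEs and adds an Everyone (WD) ACE, which is worth comparing against your own sdshow output before running sdset. The SID abbreviation table covers only the SIDs that appear on this page.

```python
import re

# SDDL two-letter rights as they apply to a *service* object (SERVICE_* rights plus
# the standard rights). The same letters mean other things for files or registry keys.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations used in this page's descriptors (not a complete table).
SID_NAMES = {
    "AU": "Authenticated Users", "IU": "Interactive", "SU": "Service",
    "SY": "LOCAL SYSTEM", "BA": "Administrators", "PU": "Power Users",
    "NS": "NETWORK SERVICE", "WD": "Everyone", "S-1-2-0": "LOCAL",
}

# The two descriptors quoted on the page: the 'sc sdshow msdtc' output and the
# descriptor passed to 'sc sdset msdtc'.
BEFORE = "D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
AFTER = "D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPRC;;;WD)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

def dacl_allow_rights(sddl):
    """Map each SID in the DACL to the set of service rights its Allow ACEs grant."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop the SACL ('S:...') part
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")
        if ace_type != "A":
            continue                                   # only access-allowed ACEs
        if rights.startswith("0x"):                    # raw hex mask: keep as-is
            names = {rights}
        else:                                          # two-letter codes, decoded
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        grants.setdefault(sid, set()).update(names)
    return grants

def diff_dacl(before, after):
    """Return {sid: (added_rights, removed_rights)} for every SID whose grants changed."""
    b, a = dacl_allow_rights(before), dacl_allow_rights(after)
    changes = {}
    for sid in sorted(b.keys() | a.keys()):
        added = a.get(sid, set()) - b.get(sid, set())
        removed = b.get(sid, set()) - a.get(sid, set())
        if added or removed:
            changes[sid] = (added, removed)
    return changes

if __name__ == "__main__":
    for sid, (added, removed) in diff_dacl(BEFORE, AFTER).items():
        print(f"{SID_NAMES.get(sid, sid)} ({sid}): +{sorted(added)} -{sorted(removed)}")
```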


More Information


A lack of MSDTC permissions causes various problems; you may refer to another case that was fixed in the same way:


Cannot expand the COM+ list in the Component Services UI due to MSDTC service permission issue

https://blogs.msdn.com/asiatech/archive/2009/04/13/cannot-expand-the-com-list-in-the-component-services-ui-error-0x8004e00f-or-0x8004d01b.aspx

Regards,


Anik Shen