We came across an issue recently where we were configuring Enterprise Portal and Role Centers to use Kerberos authentication. One of the steps in the whitepaper (and also as given here http://technet.microsoft.com/en-us/library/ee355057.aspx) is to configure DCOM settings to grant the business connector proxy user account Launch and Activation permissions for the IIS WAMREG admin service package. We were able to do this successfully on a Windows Server 2003 R2/2008 system, however on a Windows Server 2008 R2 system the options are all greyed out/disabled in Component Services.
This is by design. Due to new security considerations, some core system components only grant the local internal account, TrustedInstaller, Full Control permission instead of the local Administrators group.
To be able to modify the settings of IIS WAMREG admin service” on a Windows Server 2008 R2 system, you need to grant the local Administrators group permissions to its registry key as follows:
Registry information: Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
|a.||Expand Component Services, expand Computers, expand My Computer, and expand DCOM Config.|
|b.||Right-click IIS WAMREG admin Service, and then click Properties.|
|c.||Click the Security tab.|
|d.||Under Launch and Activation Permissions, click Edit.|
|e.||Under Group or user names section, add the Business Connector Proxy User account, and select the user account|
|f.||Under Permissions for the Business Connector Proxy User account, select the Local Launch and Local Activation checkboxes|
|g.||Click OK and OK and close the Component Services management console.|
The TrustedInstaller account was introduced with Windows Server 2008/Vista – see http://technet.microsoft.com/en-us/library/cc731677(WS.10).aspx for more details.