Set DCOM security permissions for user worker role account

    Question

  • Hi,

    I've got a worker role that I'm using to launch a WaTiN process (which itself attempts to launch an IE browser which will periodically check some data on a webpage). This code works on a developer machine, because Visual Studio is run in elevated mode.

    However, in Azure, we get the following error:

    Message: Retrieving the COM class factory for component with CLSID {0002DF01-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
     Stack Trace:    at WatiN.Core.IE.CreateNewIEAndGoToUri(Uri uri, IDialogHandler logonDialogHandler, Boolean createInNewProcess)
       at WatiN.Core.IE..ctor()

    It seems this can be fixed by amending the DCOM Config settings to get the user appropriate permissions to the IE application. Whereas we can do this manually (via the Component Services/DCOM Config), we'd like to script this to ensure that deploying to Azure can be done automatically.

    There is a workaround at the moment - where we can run the whole worker role in an elevated state by using the <Runtime executionContext="elevated"></Runtime> value in the ServiceDefinition file. However, it's not really appropriate to elevate the whole worker process because of a single permissions issue.

    So, a couple of questions:

    1. How can one determine what the user account is that a worker role is running under?  We need this as it'll be this account that is given permissions to launch the Internet Explorer browser?
    2. Is there a way of scripting DCOM Configuration changes - so that we can give the permissions required to this account (i.e. without doing it manually via the Component Services dialog in Windows).  VBScript, command prompt or PowerShell seem like obvious options - but having searched a little bit around the net - I can't find any useful examples.  Perhaps someone has already done this?

    One thing I've also noticed having RDP'd to a worker role is that the user account that runs the WaWorkHost process appears to be a Guid rather than a normal user account. I think it is different for every instance.  This makes it even trickier to determine which account will need to have DCOM Config changed in order to get the process running correctly.

    thanks

    Tuesday, November 08, 2011 11:14 PM

All replies

  • Hi,

    I don’t know much about DCOM. But can you run that WaTiN as a separate process during startup, without launching it at runtime from the worker role? You can configure a single process to run with elevated permission using startup tasks.

    As for how to use script to configure DCOM, you can ask the question on http://social.msdn.microsoft.com/Forums/en-US/category/windowsdesktopdev.

     

    Best Regards,

    Ming Xu.


    Please mark the replies as answers if they help or unmark if not.
    If you have any feedback about my replies, please contact msdnmg@microsoft.com.
    Microsoft One Code Framework
    Wednesday, November 09, 2011 8:13 AM
    Moderator
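
The startup-task approach suggested in the reply above, shown against the whole-role elevation from the question. This is an added configuration example, not part of the original thread; the service name, role name and `StartBrowserCheck.cmd` are hypothetical, while the `Runtime` and `Task` attributes are those of the ServiceDefinition schema.

```xml
<!-- ServiceDefinition.csdef (added example; service, role and script names are hypothetical) -->
<ServiceDefinition name="MonitoringService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WorkerRole name="BrowserCheckWorker">

    <!-- Before: the workaround from the question. Everything the role host
         runs, including all of the role's own code, executes elevated.
    <Runtime executionContext="elevated" />
    -->

    <!-- After: the role host keeps the default limited context. -->
    <Runtime executionContext="limited" />

    <Startup>
      <!-- Only this one task is elevated. taskType="background" lets the
           role start without waiting for the task to exit, which suits a
           process that keeps running for the life of the instance. -->
      <Task commandLine="StartBrowserCheck.cmd"
            executionContext="elevated"
            taskType="background" />
    </Startup>

  </WorkerRole>
</ServiceDefinition>
```

This narrows which code runs elevated; it does not by itself grant the limited role account any DCOM launch permission.
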
  • Thanks for your response Ming Xu,

    The request to launch the WaTiN process happens more than once - hence why I thought of wrapping this in a worker role.  I'm actually thinking now of creating a service (which will be installed at startup) - and which runs as local system. That may get round the problems that are being experienced.

    thanks again.

    Wednesday, November 09, 2011 9:51 AM
  • Actually, before converting this code to a service (reading around, there are evidently many management/monitoring benefits that Azure gives over and above simply using a service) - I'm still investigating if there are any workarounds for my problem.  It would be better for our testing/monitoring application if we maintained the application in as 'Azure standard' a way as possible (i.e. not to use Windows services).

    I've logged on to the machine running the worker role and can see that the WaWorkerHost is running under the SYSTEM account now since I've elevated it in the ServiceConfiguration.

    We're now getting slightly different exceptions with WaTiN:

    Message: Watin Error: Timeout while Internet Explorer busy -    at WatiN.Core.UtilityClasses.TryFuncUntilTimeOut.ThrowTimeOutException(Exception lastException, String message)
       at WatiN.Core.UtilityClasses.TryFuncUntilTimeOut.HandleTimeOut()
       at WatiN.Core.UtilityClasses.TryFuncUntilTimeOut.Try[T](DoFunc`1 func)
       at WatiN.Core.WaitForCompleteBase.WaitUntil(DoFunc`1 waitWhile, BuildTimeOutExceptionMessage exceptionMessage)
       at WatiN.Core.Native.InternetExplorer.IEWaitForComplete.WaitUntilNotNull(DoFunc`1 func, BuildTimeOutExceptionMessage exceptionMessage)
       at WatiN.Core.Native.InternetExplorer.IEWaitForComplete.WaitWhileIEBusy(IWebBrowser2 ie)
       at WatiN.Core.Native.InternetExplorer.IEWaitForComplete.WaitForCompleteOrTimeout()
       at WatiN.Core.WaitForCompleteBase.DoWait()
       at WatiN.Core.DomContainer.WaitForComplete(IWait waitForComplete)
       at WatiN.Core.IE.WaitForComplete(Int32 waitForCompleteTimeOut)
       at WatiN.Core.DomContainer.WaitForComplete()
       at WatiN.Core.Browser.GoTo(Uri url)
       at WatiN.Core.IE.FinishInitialization(Uri uri)
       at WatiN.Core.IE.CreateNewIEAndGoToUri(Uri uri, IDialogHandler logonDialogHandler, Boolean createInNewProcess)
    

    Are these likely to be occurring because the process doesn't have permissions to interact with the desktop or because the WaWorkerHost doesn't have access to the IE executable?   Is there any mitigation for this?  I thought of trying to set the Allow Service to Interact with Desktop permission - but can't see where/if this is available for the WaWorkerHost process (as it is itself managed by the Fabric).

    thanks

    Wednesday, November 09, 2011 11:18 AM
  • Hi,

    What exactly do you want to do? From my experience, WaTiN is usually used for automated testing. Do you want to do automated testing in the cloud? I would think such tasks are better to be performed locally.

    Windows Azure services run in a job object that does not have access to external window handles. So if you need to interact with IE, some problems may be encountered.

     

    Best Regards,

    Ming Xu.


    Thursday, November 10, 2011 7:13 AM
    Moderator