locked
Help with E_ACCESSDENIED exception RRS feed

  • Question

  • We are currently trying to troubleshoot an E_ACCESSDENIED exception that gets thrown while executing a Windows Workflow workflow in IIS.

    See the following post for a full description of our setup:

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=895855&SiteID=1

    As you will read in the post above, the research that we did in diagnosing this exception led us to the following post:

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=640816&SiteID=1

    which describes our setup and problem almost verbatim.  They were able to resolve their problem by changing their security descriptor, apparently something/somebody had messed up the security access for Authenticated Access.

    I was hoping that someone on your team might be able to provide a similar diagnosis for us.  I have listed our Security Descriptor, Exception message, and DTC configuration below.

    Security Descriptor

    D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRP
    WPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    Exception

    SqlWorkflowPersistenceService(00000000-0000-0000-0000-000000000000): Exception thrown while persisting instance: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    Runtime Error: 0 : stacktrace :    at System.Transactions.Oletx.IDtcProxyShimFactory.ConnectToProxy(String nodeName, Guid resourceManagerIdentifier, IntPtr managedIdentifier, Boolean& nodeNameMatches, UInt32& whereaboutsSize, CoTaskMemHandle& whereaboutsBuffer, IResourceManagerShim& resourceManagerShim)
       at System.Transactions.Oletx.DtcTransactionManager.Initialize()
       at System.Transactions.Oletx.DtcTransactionManager.get_ProxyShimFactory()
       at System.Transactions.TransactionInterop.GetOletxTransactionFromTransmitterPropigationToken(Byte[] propagationToken)
       at System.Transactions.TransactionStatePSPEOperation.PSPEPromote(InternalTransaction tx)
       at System.Transactions.TransactionStateDelegatedBase.EnterState(InternalTransaction tx)
       at System.Transactions.EnlistableStates.Promote(InternalTransaction tx)
       at System.Transactions.Transaction.Promote()
       at System.Transactions.TransactionInterop.ConvertToOletxTransaction(Transaction transaction)
       at System.Transactions.TransactionInterop.GetExportCookie(Transaction transaction, Byte[] whereabouts)
       at System.Data.SqlClient.SqlInternalConnection.EnlistNonNull(Transaction tx)
       at System.Data.SqlClient.SqlInternalConnection.Enlist(Transaction tx)
       at System.Data.SqlClient.SqlInternalConnection.EnlistTransaction(Transaction transaction)
       at System.Data.SqlClient.SqlConnection.EnlistTransaction(Transaction transaction)
       at System.Workflow.Runtime.Hosting.DbResourceAllocator.GetEnlistedConnection(WorkflowCommitWorkBatchService txSvc, Transaction transaction, Boolean& isNewConnection)
       at System.Workflow.Runtime.Hosting.PersistenceDBAccessor..ctor(DbResourceAllocator dbResourceAllocator, Transaction transaction, WorkflowCommitWorkBatchService transactionService)
       at System.Workflow.Runtime.Hosting.SqlWorkflowPersistenceService.System.Workflow.Runtime.IPendingWork.Commit(Transaction transaction, ICollection items)

    Security Settings

    The following options are enabled on both servers:

    Network DTC Access 

    Client and Administration:  Allow Remote Administration

    Transaction Manager Communication:  Allow Inbound, Allow Outbound, Mutual Authentication Required

    Enable XS Transactions

    DTC Logon account runs as NT Authority\Network Service

    Any help you can provide would be very much appreciated!

    Thanks a bunch!

    Friday, November 17, 2006 10:27 PM

Answers

  • I don't know why there are two copies of the same post (http://forums.microsoft.com/MSDN/showpost.aspx?postid=972237&siteid=1); so I guess I'll repeat myself...

     

    It is likely that this is the issue.  The ACL you have is very strange as it restricts access to System, Admins and Power Users.  It appears that someone has altered the installed ACL; in general, it should appear closer to the one described in the post you refer to.  In any event, the ACL is not what should be assigned to MSDTC.  To fix the ACL problem, run the following command: 

    %windir%\system32\sc.exe sdset MSDTC D:(A;;CCLCSWRPRC;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    I cannot guarantee that this fixes the issue you are experiencing, but the ACL needs to be fixed in any case.  I'm sorry that you have been waiting this long.  This issue got assigned to me just as I was going on vacation. 

    Hope this helps. 

    -Richard

    Friday, December 1, 2006 8:23 PM