Installed Word on the server but cannot find it to set permissions in Component Services

Question

I was looking at this problem on SO; System.UnauthorizedAccessException: Retrieving the COM class factory for Word Interop fails with error 80070005.

We had word installed in the test server in order to get the Word Interop to work on it. That lead to this new bug, and I cannot apply the fix recommended by I cannot find Microsoft Word on the Componenet Services DCOM Config. So how can I fix this?

Are you sure word is not installed in 64-bit? – Simon Mourier Mar 12 '13 at 13:09 — Simon Mourier, Mar 12 '13 at 13:09

Jeremy Thompson · Answer 1 · 2013-05-26T06:55:02.657

Using the ERR tool we see the error: 80070005 is an Access Denied, so you either do not have permissions or its by-design.

 for hex 0x80070005 / decimal -2147024891 :
  COR_E_UNAUTHORIZEDACCESS                                      corerror.h     
 MessageText: 
 Access is denied.
  DIERR_OTHERAPPHASPRIO                                         dinput.h       
  DIERR_READONLY                                                dinput.h       
  DIERR_HANDLEEXISTS                                            dinput.h       
  DSERR_ACCESSDENIED                                            dsound.h       
  ecAccessDenied                                                ec.h           
  ecPropSecurityViolation                                       ec.h           
  MAPI_E_NO_ACCESS                                              mapicode.h     
  STIERR_READONLY                                               stierr.h       
  STIERR_NOTINITIALIZED                                         stierr.h       
  E_ACCESSDENIED                                                winerror.h     
 General access denied error
 11 matches found for "0x80070005"

I mention by-design because of all the problems documented in this KB article: Considerations for server-side Automation of Office.

Installing Office on Server OS's leads to all sorts of problems. For VSTO development I install TFS on Win7 for automated builds to avoid server-side interop problems.

Dont use a Server OS for Office automation, as per the KB article its not supported, use Win7!

Microsoft strongly recommends a number of alternatives that do not require Office to be installed server-side, and that can perform most common tasks more efficiently and more quickly than Automation. Before you involve Office as a server-side component in your project, consider alternatives.

OpenXML is NOT the answer as I want to print a Word document, and only Interop can do this as far as I can tell. — arame3333, Apr 24 '13 at 08:39
I use `LINQ to XML` for my server-side office automation. Do check all your clients/users have Office 2003 or later. — Jeremy Thompson, May 10 '13 at 22:59

score 2 · Answer 2 · edited Jun 20 '20 at 09:12

2

Without knowing what you tried from your linked stackoverflow post: when the COM objects do not appear you usually need to run

mmc -32

And manually add the Component Services snap ins. This worked for me in both Windows Server 2008 R2 and Windows Server 2012.

You also need to make Desktop directories at the following locations:

C:\Windows\SysWOW64\config\systemprofile

C:\Windows\System32\config\systemprofile

edited Jun 20 '20 at 09:12

Community

1
1

answered Mar 12 '13 at 11:39

Kaiser12

631
4
4

1

Forgive my ignorance, this is the first time I have tried this. How do I "manually add the Component Services snap in"? – arame3333 Mar 12 '13 at 15:17
1

Once you've opened the MMC with the command above; Select File from the menu list; and then Add or Remove Snap-ins. Select Compoenent Services from the left list and click the add button; then click ok. From there you can then select the component services objects; typically Component Services -> Computers -> My computer -> DCOM Config. Turn off Norton scans if you have it on; it throws errors at times. – Kaiser12 Mar 12 '13 at 18:01

Alex · Answer 3 · 2013-03-18T10:50:31.423

2

You should seek not for exact 000209FF-0000-0000-C000-000000000046 code, in you case it could have different name. I have 00021401-0000-0000-C000-000000000046, try to seek according to last for pairs of digits. And don't forget to add service components tab in mmc Console.

UPDATED

enter image description here

edited Mar 18 '13 at 10:50

answered Mar 18 '13 at 07:52

Alex

8,827
3
42
58

Apart from the last sentence I do not understand this answer. Component Services exists but Word within Component Services does not. – arame3333 Mar 18 '13 at 10:42
@arame3333 You should seek for you word app not by it's name, but by it's COM class ID, which is registered in your registry. It would be like I described - 5 pairs of numbers. I added the screen of COM Word component (in my case it is 000209FF-0000-0000-C000-000000000046), on which I set the premissions, described in your post. – Alex Mar 18 '13 at 10:49
I can't get this to work. I have the same Word app as yours. Who did you give permission to? – arame3333 Apr 24 '13 at 08:40
@arame3333 you should right click on it => Properties => Security => Launch and Activation Permissions => Customize. There you should give the permission to your ASP-service account – Alex Apr 24 '13 at 09:12

score 1 · Answer 4 · answered Mar 19 '13 at 02:38

This is much easier done than typed in a SO answer, because there are various palaces that need to be checked and aligned.

But the overall goal is to 1) track down the security account that attempted the access and launch/activation of the COM component, and 2) which COM component was at fault.

NOTE: Procedures described increase your security exposure, so be sure to create great logs of all changes you do, so that you know what exactly fix your problem, but also, so you can roll back everything that was irrelevant.
NOTE 2 One change at a time, regardless whether server reboot was needed or not.\ - so you know what fixed it.

Start with your Windows logs - they usually log the exact security principal involved and the DCOM component that it tried to access/activate. Usually both: security context and component are pretty obvious - in such case you can skip to the dcomcnfg paragraph below.
One way to temporirely test if you've located the component/account is to allow admin privileges to the security account or "EVERYONE" access to the component and see if you eliminate the error
NOTE: These are temporary measures, only to test. Don't forget to roll everything back.
Your permanent configuration changes will be done in the Component Services MMC snippet. You can either go by manually adding it to an elevated MMC window, or, easier, by running under administrator's privileges the following command:

/>dcomcnfg

Try locating the component of interest under Component Services/Computers/My Computer/DCOM Config/, right-click and do Properties:
Go to the Security tab and adjust Activate and Access permissions to the minimum that is going to fix your issue, but stay as close as the locked-down state, as possible.
NOTE: I have never done this with the MS Office interops. Please be sure to consider all security implications of doing this:

That's pretty much how you start. I have done this on all flavors of Windows and it always feels different. Often I have to rely on other methods of tracking this condition: SysInternals "spying" tools, Windows Security auditing, COM+ Applications properties, and on a few occasions direct modification of file system or registry key ACLs. Most of the times it's lab/dev machines, so hacks, like editing registry keys' security, was okay.

And again - keep track and roll back all changes you did not need!

Hi, When follow this steps i get that locked screen you show, how i can enable changes on that screens ? — Willy Cornejo, Feb 24 '21 at 17:23
That was a long time ago, but I think you need to modify key's ACLs (most likely the ownership). Sorry that I can't be of more help at that point. — G. Stoynev, Feb 24 '21 at 22:01

Installed Word on the server but cannot find it to set permissions in Component Services

4 Answers4