52

I have developed a website that allows users to upload office documents then uses the office object model to convert the document to an HTML file that it then displays in an iFrame.

I have, of course, included references to Office.interop.word, and the site works fine on my development machine. When I uploaded it to my production server the site functions fine until I try to upload a document. I initially got a similar error that said "COM object not registered". I realized that Word wasn't installed on my production server. So I installed word and now when the server tries to access the word object model I receive the following error:

Retrieving the COM class factory for component with CLSID {000209FF-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I searched the registry for the corresponding CLSID and found a corresponding folder. I added full control to the IUSR_ account and due to the persistence of the error I eventually added full control to "everyone" and ensured these permissions inherited down to the rest of the folder. I then added full control to IUSR_ and again eventually added full control to "everyone" to my microsoft office folder.

I don't know what other permissions to grant and where in order to make this "Access is denied" error go away. I must be granting them in the wrong place, because as far as I know I can't be any more permissive than "Everyone" "Full Control".

Can anyone shed any light?

John Saunders
  • 160,644
  • 26
  • 247
  • 397
Camenwolf
  • 798
  • 1
  • 9
  • 21
  • This use of Word is not supported by Microsoft. Also, the scalability is horrible. There are alternatives available from other vendors that support this scenario... – Per-Frode Pedersen Aug 13 '10 at 13:15
  • This is the particular line of code that is throwing this exception: Dim wordApplication As New Microsoft.Office.Interop.Word.Application() Can you elaborate on the "The use of Word is not supported by Microsoft?" That seems like a blanket statement. Do you mean that accessing the word object model through asp.net is not supported? Even so, I'd like to figure out why this exception is being thrown. Even if it's not supported, the object model does what I need it to, if I can just get around this error. Can you point me to some of the alternatives you mention? – Camenwolf Aug 14 '10 at 02:58
  • 3
    Don't ever use Office Interop from an ASP.NET application. See [Considerations for server-side Automation of Office](http://support.microsoft.com/kb/257757) – John Saunders Oct 06 '11 at 02:51

6 Answers6

64

Ok, I resolved this problem with this steps:

  1. In the command line put DCOMCNFG
  2. Expand Console Root > Component Service > Computers, right-click on My Computer, And Select Properties
  3. In the Tab COM Security > Launch and Activation Permissions Click in Edit Default
  4. Add the User (Ex. IIS_IUSRS) or service
  5. Check Allow Local Launch and Local Activation

Then Excel, Word and other applications can work, good luck.

TimeTrap
  • 1,142
  • 1
  • 14
  • 18
sur97c
  • 737
  • 1
  • 5
  • 4
  • I have followed this. Above error is removed. var objWord = new Microsoft.Office.Interop.Word.Application(); objWord.Documents.Open(FileName: htmlTemplateFile + @"\" + strFilename); objWord.Visible = false; if (objWord.Documents.Count > 0) { } } But now i am not getting objWord.Documents.Count >0 even if the docuemtn is there. Same thing works fine with Visual studio developer server – Kamran Shahid Jul 18 '13 at 10:30
  • Wow! This has saved me twice in one year now. Thank you :) – Ali Baig Oct 16 '15 at 13:29
  • Isn't this a security 'no no'? Is this allowing execution of any DCOM component to IIS? Genuinely interested, because this has been the only way I've overcome a similar issue - just allowing launch on the specific DCOM component doesn't work, I have to do if for My Computer. – GilesDMiddleton Feb 15 '17 at 14:02
  • SECURITY -- I suggest narrowing the activation permissions for the specific package/application in question if possible (see gyosifov's answer https://stackoverflow.com/a/26295661/3063884), and only reverting to this "give permissions to everything" as a last resort. – CJBS Jan 02 '18 at 23:38
52

This worked for me:

  1. In the command line put DCOMCNFG
  2. Component Services -> Computers -> My Computer -> DCOM Config
  3. Find "Microsoft Word 97 - 2003 Document" (If it is missing check if your Word is also 64 bit (if your Windows is) if it is not run mmc comexp.msc /32 instead of DCOMCNFG on step 1 as suggested by Darkseal here)
  4. Right click -> Properties
  5. Go To Tab Security and Edit the "Customize" radio buttons so that IIS_IUSRS could have rights for launch and access
  6. Go to Tab Identity and choose "The interactive user"
  7. Apply changes and try again
  8. If all this fails, go also to tab "General" and in "Authentication Level" drop down choose "None".
gyosifov
  • 3,193
  • 4
  • 25
  • 41
  • Good. Worked for me too !! :) But I couldnt find IIS_IUSRS i given permission to everyone. Why iis_Iusrs not available any idea ? – Prashant Sarvaiya Oct 21 '14 at 08:38
  • @PrashantSarvaiya Try COMPUTER_NAME\IIS_IUSRS, where COMPUTER_NAME is the name of your machine – gyosifov Dec 02 '14 at 07:56
  • one shot answer +1!! Nice – HaveNoDisplayName Apr 01 '15 at 14:41
  • 1
    What do you do if your installation is 64 bit? – mdw7326 Feb 12 '16 at 14:42
  • @mdw7326 If both your windows and word are 64 bit then you should be fine in most cases, but I have experienced problems with word missing from the DCOM Config list. Reinstall of the Word program sometimes works.. – gyosifov Feb 12 '16 at 14:46
  • 3
    For a 32-bit COM package running on a 64-bit machine, run DCOMCNFG using `mmc comexp.msc /32`, per Darkseal's answer (https://stackoverflow.com/a/43736859/3063884). @gyosifov -- pls consider including this info for step #1. – CJBS Jan 02 '18 at 23:43
  • @gyosifov I did the 7 steps in a Virtual Machine, and everything worked. Then, I've replicated those steps in a Windows Server, and they didn't work, and I've needed to do the 8th step. Why could this happen? Are there any cons on doing that 8th step? – Villat Jan 04 '19 at 13:03
  • 1
    @Villat I am not exactly sure, to be honest I found it by accident. It has to do with packet security between the two applications (word and the iis process). I suspect that the server version of windows has different policies of handling things by abstracting and separating the processes. I couldn't find much information but here are two links: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145596%28v%3dws.11%29 https://learn.microsoft.com/en-us/windows/desktop/com/authentication-level – gyosifov Jan 04 '19 at 13:22
  • 2
    This is probably the best answer in SO. You just saved my life. – Koby Douek Mar 11 '19 at 07:11
  • My project also uses Microsoft word previewer – Mohammad RN May 28 '19 at 06:14
  • Would this setting need to be changed for all users that attempt to convert doc to pdf? – gman Aug 24 '20 at 16:11
  • 1
    @gman In the case of a .net web application only IIS_IUSRS would suffice. If you have a desktop application - then the user running the application – gyosifov Aug 25 '20 at 11:30
  • Any ideas on why this works on my server 2012 only when i or somebody is connected to the server via RDP, if no one is connected then i got this error : Failed to create COM object `word.application': The server process could not be started because the configured identity is incorrect. Check the username and password – Strife86 Sep 09 '21 at 16:42
13

Look in the Event Viewer, under Windows Logs, System, on the server machine where Word is installed. Do you see an event logged that reads something similar to:

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {148BEE7F-6123-41EE-8CCA-E390902BD0D8} to the user SomeMachine\SomeUser SID (S-1-5-21-483881670-2168941642-1987552629-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

If so, run DCOMCNFG.EXE, and go to Component Services, Computers, My Computer (or whatever name), DCOM Config (and you can just answer "No" if it asks if you want to fix anything) and if the event log message is for an application, then find it by the name in the event log message, here by item name, and if the event log message is for a CLSID (like the example above) then find it by the CLSID "{148B...}" (that's just a random CLSID I pasted in -- probably it will match your 000209FF... above), and select More actions... Properties, to the Security tab.

Here, you can select [x] Customize and then Edit, to add permission for the appropriate user account to activate and access the required DCOM application or class.

It's just a guess, but give that a try, or something along these lines (i.e. granting access to the CLSID via DCOMCNFG).

Jim Flood
  • 8,144
  • 3
  • 36
  • 48
6

I had my hard times figuring this out using the accepted answer, because the Microsoft Word 97 - 2003 Document record wasn't listed among DCOM Config items. I found the solution in this Technet blog post, where they correctly explained the issue:

It’s important to note that if you install 32-bit Microsoft Office on a 64-bit machine, you may need to use the 32-bit DCOM config manager to view the programs, depending on your operating system.

On x64 operating systems from Windows XP to Windows Server 2008, the 64-bit version of DCOMCNFG.EXE does not correctly configure 32-bit DCOM applications for remote activation. This behavior causes components that are meant to be activated remotely instead being activated locally. This behavior does not occur in Windows 7 and Windows Server 2008 R2 and higher versions.

Ref.: http://msdn.microsoft.com/en-us/library/windows/desktop/ms678426(v=vs.85).aspx

And also suggested to use the following command-line command (instead of DCOMCNFG) as an effective fix:

mmc comexp.msc /32

Which forces loading the 32-bit DCOM config manager instead of the 64-bit one and allows to perform the steps described within the accepted answer. If this still doesn't work, the article also explains a number of other possible workarounds.

For further info regarding this topic, you can also read this post on my blog.

Darkseal
  • 9,205
  • 8
  • 78
  • 111
2

If you cannot find Microsoft Word Application in DCOM

On 64 bit system with 32 bit Office try this:

  1. List item
  2. Start
  3. Run
  4. mmc-32
  5. File
  6. Add Remove Snap-in
  7. Component Services
  8. Add
  9. OK
  10. Console Root
  11. Component Services
  12. Computers
  13. My Computer
  14. DCOM Config

after that

  1. Find "Microsoft Word 97 - 2003 Document" (If it is missing check if your Word is also 64 bit (if your Windows is))
  2. Right click -> Properties
  3. Go To Tab Security and Edit the "Customize" radio buttons so that IIS_IUSRS could have rights for launch and access
  4. Go to Tab Identity and choose "The interactive user" Apply changes and try again
  5. If all this fails, go also to tab "General" and in "Authentication Level" drop down choose "None".
Benjamin W.
  • 46,058
  • 19
  • 106
  • 116
çağrı Gündüz
  • 143
  • 1
  • 1
  • 7
1

In addition to the above, I encountered an issue that I thought I'd share in case other people run into it as well.

The application pool user of my .net app that was using interop was added to Admin but did not take effect due to iis caching environment. After performing the above in addition to an iisreset to reflect proper admin status of the app pool user, everything worked fine.

Jonathan Niu
  • 311
  • 1
  • 8