Friday, June 17, 2011

IIS 7.5 and SAS DCOM: ACCESS DENIED, ACCESS DENIED, ACCESS DENIED

And the joy of being a pathfinder continues ;-]

IIS 7.5 has now changed the game. No longer do we play with NETWORK SERVICES to get SAS operational. Now it is a new user IIS APPPOOL\DefaultAppPool. Security has now been taken from NETWORK SERVICES, which covered the website, to specific security by the AppPools. I am not a security expert but that is my understanding.

So I took my happy little web services project (WCF) that worked fine in Visual Studio 2010 (Cassini), built a Web Setup for it, and deployed it to localhost. Then spent the next 7 hours staring at the same error: ACCESS DENIED. This was occurring on CreateObjectByServer. ACCESS DENIED, ACCESS DENIED, ACCESS DENIED, over and over again. I spent so much time in DCOMCNFG even going so far as to enable the Administrator account as the launching account, open up everything I could, and still ACCESS DENIED.

This morning I spoke to Bubba in SAS Tech Support. Great guy. He didn’t know this area but diligently was tossing out terms on tech notes he saw. He finally tossed out “enable 32-bit apps” and I keyed in on that one immediately. Well, I did a bit of investigation and have now made it far enough along for a blog post:

In IIS 7.5, get your application in place under a Virtual Directory:



Set up whatever app pool you are using. In this case, it is DefaultAppPool. Click on the Application Pools under the directory. Now here is where you have a choice. You can use the DefaultAppPool for everything but that also means giving it access to every library location, file, whatever. I opted to instead set up a new account called ‘WebService”.




Now it needs to be associated with the access rights for each directory and file. This is standard Windows stuff. Click on a directory and add the new username:




In IIS, change the App Pool to use the new identity:




Here are the settings and the ones to be concerned with:




Enable 32-bit applications and set the identity as needed. By default, it will be the name of your app pool. We will use our newly created name of WebService.

Now, time to go into DCOMCNFG (Start --> Run --> DCOMCNFG and fix the DCOM entry for the SAS Workspace:




Finally, change your code to the following:


ObjectFactory factory = new ObjectFactory();
ServerDef server = new ServerDef();
SasWorkSpace = (Workspace)factory.CreateObjectByServer("ws", true, server, "WebService", "MyPassword");
var id = SasWorkSpace.UniqueIdentifier;
SasLanguageService = SasWorkSpace.LanguageService;
keeper = new ObjectKeeper();
keeper.AddObject(1, "SASServer", SasWorkSpace);

No more ACCESS DENIED.

Thanks Bubba. I think we p*wned it.

…not really but it works good enough for me for now ;-)

No comments:

Cisco Information Server (CIS) and MS OLAP

Ok, so my recent issue was integrating CIS with Microsoft OLAP cubes. The normal way to do this is to set up MS OLAP (SSAS) with a website a...