Forum Discussion
FLAVIO BORUP
Nov 29, 2023 · Copper Contributor
Unable to change DCOM permissions. Any changes are being reverted. Enrollment of Certificates errors
After 10 years, our Root/Enterprise CA stopped enrolling certificates with a generic access denied message. After several weeks and a lot of hours spent trying to solve it ourselves, we decided to open a paid support case with MS.
So, with the help of Microsoft Premier Support we started a brand-new/fresh PKI, with two Win2022 servers, Root/Std and SubEnterprise... but the errors are exactly the same.
But to no avail; it was frustrating because the MSPS was not capable of achieving anything in their almost 27 hours of time spent, besides doing the same checks all over again and again, collecting logs to see that it was an access denied error and only using public KB articles and the same set of basic stuff that had been done before.
Now, I discovered that the issue is related to computer permissions for DCOM (dcomcnfg.exe), on which we give the proper permissions, and after some hours the DCOM permissions are forcibly back to their original state. So, when we add some entities with rights on DCOM, the enrollment of certificates works very well, but after some time it stops again.
So, now I can accelerate the process: doing a simple "gpupdate", EVEN WITH NO GPOs applied AT ALL, the DCOM permission changes are reverted back to the original ones and the enrollment stops again.
Tracing with procmon:
RegOpenKey
HKLM\SOFTWARE\Microsoft\OLE
Desired Access: Query Value, Set Value
So, the moment the permissions go back to their original state is here, and the process is: C:\Windows\system32\svchost.exe -k DcomLaunch -p, so, DCOM itself, it appears to me.
So: How to avoid this?
The closest thing I was able to find, someone with the same problem, is an article for a DCOM app called Matrikon (RPC tunneled app) saying that if we add a "dummy" user to the permissions, it should solve it, but in my case it doesn't work.
So.. any advice? Anything I should try?
No useful info in Event Viewer System/App logs.
Similar problem, another App
https://honeywellprocess.my.site.com/opcsupport/s/article/CHECKWhy-wont-my-DCOM-changes-stick-REF-KB-408
"...
If you are changing the Security settings from Default to Customize and it is not necessary to add any new users, when you leave DCOM configuration it will change the settings back to default.
..."
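Added example (not part of the original post): a PowerShell snapshot-and-diff of the machine-wide DCOM security descriptors stored under HKLM\SOFTWARE\Microsoft\OLE, rendered as SDDL, so the revert described above can be pinned down exactly (which value changed, which ACE disappeared) by taking one snapshot after granting the rights and another after the gpupdate. It assumes an elevated session, the four value names dcomcnfg.exe writes, and the Security Options policy location for DCOM restrictions as the place a policy-delivered SDDL would show up.

```powershell
# Added diagnostic (not from the post): capture the machine-wide DCOM descriptors as
# SDDL and report which ones change between two snapshots (e.g. around "gpupdate").
# Assumptions: run elevated; these four REG_BINARY values hold self-relative
# security descriptors; an absent value means the built-in default applies.
$OleKey     = 'HKLM:\SOFTWARE\Microsoft\OLE'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'   # Security Options DCOM policies
$DcomValues = @('DefaultAccessPermission', 'DefaultLaunchPermission',
                'MachineAccessRestriction', 'MachineLaunchRestriction')

function Get-DcomPermissionSnapshot {
    $props = Get-ItemProperty -Path $OleKey -ErrorAction Stop
    $snap  = @{}
    foreach ($name in $DcomValues) {
        $bytes = $props.$name
        if ($null -eq $bytes) { $snap[$name] = '<not set: built-in default applies>'; continue }
        # Parse the binary SECURITY_DESCRIPTOR and print it in SDDL form (owner, group, DACL, SACL).
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$bytes, 0)
        $snap[$name] = $sd.GetSddlForm('All')
    }
    # If a policy-delivered restriction exists it is stored here as an SDDL string already.
    if (Test-Path $PolicyKey) {
        $pol = Get-ItemProperty -Path $PolicyKey
        foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
            if ($null -ne $pol.$name) { $snap["Policy:$name"] = [string]$pol.$name }
        }
    }
    return $snap
}

function Compare-DcomPermissionSnapshot {
    param([System.Collections.IDictionary]$Before, [System.Collections.IDictionary]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        if ($Before[$name] -ne $After[$name]) {
            [pscustomobject]@{ Value = $name; Before = $Before[$name]; After = $After[$name] }
        }
    }
}

# Usage: snapshot right after granting the enrollment principals their DCOM rights...
$before = Get-DcomPermissionSnapshot
# ...trigger the revert the post describes, then snapshot again and diff.
gpupdate /force | Out-Null
$after   = Get-DcomPermissionSnapshot
$changes = Compare-DcomPermissionSnapshot -Before $before -After $after
if ($changes) { $changes | Format-List } else { 'No DCOM permission values changed.' }
```

Saving both snapshots to files with `Export-Clixml` lets the same diff be run later against the state procmon shows being rewritten by the DcomLaunch svchost.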