BlueCielo Meridian Enterprise 2012 System Requirements | BlueCielo ECM Solutions

Enabling DCOM

DCOM might be cleared on the Meridian application server or client computers manually by IT personnel for security reasons by a script (or group policy) or other software that is installed on the server or client computer.

To enable DCOM on client computers:

  1. Open Registry Editor on the client computer and locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
 
  1. Change the EnableDCOM value to Y.
  2. Reboot the client computer.

To enable DCOM on Meridian server computers:

  1. Open Registry Editor on the server computer and locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
 
  1. Change the EnableRemoteConnect value to Y.
  2. Reboot the server computer.

Note    Another cause of failed DCOM communications can be a software firewall on the server, including the integrated Windows firewall. Test this possibility by temporarily disabling the firewall and testing for the client error. If access succeeds, configure the firewall to allow DCOM communication as described in Allowing Web Access through a firewall.

DCOM access can also fail when attempting to open a vault that is hosted on a Windows 2008 R2 (or higher) server from a Windows XP client computer. The error message is Failed to get list of vaults on computer 'ServerName'. A security package specific error occurred. This error does not occur from a Window 7 (or higher) client computer.

This error occurs because the user is not properly authenticated by the server as described in Error 80070721 Occurs When Instantiating a COM Component on a Remote Windows 2008 Server in MSDN.

To resolve this issue, we recommend that you implement one of the following solutions:

Solution 1

Configure a Service Principal Name (SPN) for the user as described in the previous linked article and in the setspn command description in the Windows Server 2008 Command-line Reference.

Run the following command on the Windows 2008 R2 server:

setspn -A http/<DomainName> <AccountName>
Solution 2

Allow the computer to be trusted for delegation as described in Allow a computer to be trusted for delegation in Microsoft TechNet. This solution may not be permitted by your organization's security policy. Consult a system administrator before implementing this solution.

Solution 3

clear the default Server Message Block (SMB) 2.0 protocol used by Windows Server 2008 R2. BlueCielo software is compatible with SMB 1.0 and if you disable SMB 2.0, the software will not be affected.

To disable SMB 2.0:

  1. Open the Registry Editor on the Windows Server 2008 computer.
  2. Expand the registry tree to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  1. Add a new DWORD value with the name Smb2.
  2. Set the value of Smb2 to 0 to disable SMB 2.0 or set it to 1 to renable SMB 2.0.
  3. Reboot the server.

Related concepts

About support for Microsoft Active Directory

Understanding Active Directory security problems

Understanding DCOM problems

Using with nested groups

Using with multiple domains

Related tasks

Granting domain privileges with a service account

Granting domain privileges to the server

Configuring DCOM permissions

Granting membership query access

Configuring NetBIOS name resolution

Running BlueCielo License Server on a different computer

Synchronizing user groups with Active Directory

Copyright © 2000-2012 BlueCielo ECM Solutions

www.bluecieloecm.com