MessageQueue permission error

MessageQueue permission error

  
i just installed agile platform server 7 and detected the following error message in the windows log:

Queue '.\Private$\OutSystemsExtensionLog' created, but was unable to grant permissions. System.InvalidOperationException: Could not resolve name ASPNET (error = 1332 ). at OutSystems.HubEdition.ServerCommon.MsmqHelper.ConfigureQueue(MessageQueue mQueue, Int32 maxQueueSize, IEnumerable`1 extraOwnerUsers)

which i get for pretty much all queues (OutsystemsCustomLog, OutSystemsExtensionLog, OutsystemsWebServiceLog etc)


anyone had this issue before?
which user needs permission?

thank you!
Hi enigma,

The user that need permissions is the user that runs the IIS worker process.
In Windows 7 it grants the permissions to the "BUILTIN\IIS_IUSRS" group.
(The error message is a bit missleading, because it shows error for the last user we try to give permissions)


What version of the platform are you using?
Check if the IIS_IUSRS group exists? (Computer Management -> Local Users and Groups -> Groups)
What permissions do the queues have currently? (Computer Management -> Services and Applications -> Message Queuing -> Private Queues -> (any outsystems* queue) -> Properties -> Security)

Regards,
João Rosado
hi joao, thanks for the reply

the queues have an ANONYMOUS user, with the privilege to send messages to the queue.
i tried adding this user to the IIS_IUSRS group (+iisreset) but the errors still come up.

the other user that already was in the IIS_IUSRS group, is not found in the message queue privileges.

additionally the admin has further privileges, plus the guest user (although the user itsself is disabled)

even granting full access to the IIS_IUSRS group wont stop the errors ^^

PS: its version 7 on win2k8r2
no idea what it could be?
might a complete reinstall help?
Hey enigma,

Do any logs show up in service center? That is an error trying to grant the permissions, but doen't mean they are not correcly setted already (and everything working correctly).

Thats why I asked you to list the permissions you had in the queue.

It should be something like:

Everyone user-> with little permissions
Administrators -> Full Control
IIS_IUSRS ->  At least "Send Message", "Get Properties" and "Get Permissions"
And then either you user or "System" with full control (The creator of the queue)


Regards,
João Rosado

hi joao

regarding permissions, i only found 9 invalid login attempts,
other then than - nothing

yep, as said, i have:
Everyone -> send message, get properties, get privileges
Administrator -> full controll
Administrators -> full controll
Anonymous -> send message

IIS_IUSR isnt listed by default (but the group itsself exists)
i tried granting it full controll, on one queue to test, but the error still came up

the creator of the queue is administrator

the only member of the IIS_IUSR group is NT-AUTHORITY\NETWORKSERVICE
which i havent found in any message queue privileges
i tried adding the iis_iusrs group to one of the queues
and set its privileges, plus the privileges of anonymous to
send message, get properties, get privileges

performed a iisreset, cleared the log and checked again
and the message queue still brings up the error =/
i even went through the installation logs etc meanwhile.
but couldnt find anything suspicious, that could explain the errors.

i found some infos about the "error = 1332" on google
that state, the error comes up if there are issues mapping user name and sid

should there be a user called ASPNET?
i couldnt find one on our system
Hi,

You not supposed to have ASPNET on your machine.
We try to give permissions to multiple users and the error message only displays the name of the last one tried.

The correct user in win2k8r2 is IIS_IUSRS.

What is the language of your windows?
And what is the users running your IIS Application Pool and OutSystems Services?


Try one thing:
Delete one of the queues (for example the
outsystemswebservicelog) and restart both OutSystems Deployment Controller Service and
OutSystems Log Service.
It should recreate the queue with correct permissions in a few seconds.


If that doesn't solve your problem I suggest contacting the OutSystems Support.

Regards,
João Rosado
the system language is german (unfortunately)
the iis default and outsystems app pool, have application pool identity set
which should correspond to the defaultapppool user
the iis worker process has the outsystemsapplications user set

i tried deleting a queue and restarting the services
it is recreated, but the error still comes up =)

i also tried granting full access to iis_iusrs to a queue
but also without success

ill give support a go, thank you =)
In case others also have this problem - heres the workaround:

Add IIS_IUSRS group to all OS private message queues, with the following permissions:
- Get Properties
- Get Permissions
- Send Message

Additionally, if you dont already have the ASPNET user:
Create the local user “ASPNET”, no need to set anything special, nor groups.
Then disable the user =) sounds strange, but it does the trick

This issue should be solved in future versions (current v.7.0.0.7)