Date: October 15, 2012
The [Enterprise] Random Password Manager password retrieval website has been functioning properly for some time. Now, when opening the website, the following error is presented: "Could not fill list of authenticators from the database, check database connectivity for the web application".
There are multiple potential causes for this error. In order of likelihood:
- COM+ identity password has changed
- The COM+ application wrapper cannot start due to insufficient permissions
- The identity running the COM+ application does not have sufficient permissions to the program database
- The COM+ application is locked in an indeterminate state due to Windows prematurely unloading the COM+ user profile while the application is still running
- The database is actually offline
Resolution 1: COM+ identity password has changed
On the web server, go to Administrative Tools | Component Services and expand the Component Services tree. Under Component Services | Computers | My Computer | COM+ Applications will be a COM+ Application Wrapper called PWCWebComApp if using Enterprise Random Password Manager or RPMWebComApp if using Random Password Manager.
Right-click on the application and choose Properties. On the identity tab, input the proper password for the COM+ identity. If the identity listed is no longer a valid credential, simply input the proper credentials here.
Attempt to connect to the website again.
Resolution 2: The COM+ application wrapper cannot start due to insufficient permissions
The installation guide outlines a number of permissions that must be granted to the COM+ identity in order for it to be able to run as a COM+ application. Ensure these requirements are met:
- Administrator of the local system
- Log on as a batch job
If these rights are granted at the local system level, a policy defined at the Domain, Site or OU level in Active Directory may overwrite these settings. This can be tested quickly and easily by applying the policy, closing the group policy console, running gpupdate /force and re-checking the policy. The policies are defined at Computer Configuration | Windows Settings | Security Settings | User Rights Assignment.
Resolution 3: The identity running the COM+ application does not have sufficient permissions to the program database
The installation guide outlines the rights that must be granted to the COM+ identity over the program's database so that it can read from and write to the database and execute stored procedures. If the account running the COM+ application is neither a sysadmin of the database server, nor granted the Control Server server-level permission, nor granted the DB Owner role over the database, then the following permissions must be granted to the identity:
- Server: connect/login
- Database (as a SQL command): Grant Execute to COM+IdentityLoginUserName
- Database: DB_Reader
- Database: DB_Writer
- Database: DDL_Admin
- CREATE TRIGGER
- CREATE SEQUENCE
- CREATE TABLE
- CREATE VIEW
Resolution 4: The COM+ application is locked in an indeterminate state due to Windows prematurely unloading the COM+ user profile while the application is still running
The COM+ identity's user profile is loaded when the application launches. The issue occurs when the COM+ application reaches its maximum idle time and attempts to unload. This forces the identity to log off and Windows to unload the user profile. Windows unloads the profile before the COM+ identity is done using it. As a result, the COM+ application can no longer read registry keys in the profile of the identity user. This functionality is part of the User Profile Service built into Windows 2008 and newer. Forcing the unload of the user profile may break an application if registry handles are not closed in the process.
Further errors may show up in the application event log with event source DCOM and event ID 10006. The COM+ application may also fail to be stopped or started by hand. If the COM+ application cannot be started or stopped by hand, open Task Manager and kill the DLLHOST.EXE*32 process that is being run by the COM+ identity.
To resolve the problem permanently, make the following change to the computer's security policy:
Computer Configuration | Administrative Templates | System | User Profiles: Do not forcefully unload the user registry at user logoff = Enabled
Run gpupdate /force to ensure the policy is applied and not overwritten by another domain policy. This change by itself does NOT require a reboot.
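The checks from Resolutions 1, 2 and 4 can be gathered in one read-only pass before changing anything. The following PowerShell is an added example, not part of the product or its installation guide; it assumes an elevated session on the web server, an English-named local Administrators group, and that the Resolution 4 policy is stored in the registry value DisableForceUnload.

```powershell
# Added example: read-only triage for Resolutions 1, 2 and 4. Run elevated on the web server.
# Application names are the ones given in the article; nothing here changes configuration.
$appNames = 'PWCWebComApp', 'RPMWebComApp'

# Resolution 1: locate the COM+ application and the identity it is configured to run as.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()
$app = @($apps | Where-Object { $appNames -contains $_.Name })[0]
if (-not $app) { throw 'Neither PWCWebComApp nor RPMWebComApp is registered on this server.' }
$identity = $app.Value('Identity')

# If the account no longer resolves to a SID, the stored credential is stale (Resolution 1).
try {
    $account = New-Object Security.Principal.NTAccount($identity)
    $sid = $account.Translate([Security.Principal.SecurityIdentifier]).Value
} catch { $sid = $null }

# Resolution 2: export effective user rights; secedit lists holders as *SID or account name.
$inf = Join-Path $env:TEMP 'complus-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$batchLine = (Select-String -Path $inf -Pattern '^SeBatchLogonRight').Line
Remove-Item $inf -ErrorAction SilentlyContinue
$leaf = ($identity -split '\\')[-1]
$admins = net localgroup Administrators

# Resolution 4: DCOM event 10006. The article names the Application log; the System log
# is searched as well (assumption), since DCOM errors are commonly written there.
$filter = @{ LogName = 'Application', 'System'; Id = 10006 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'DCOM|DistributedCOM' }

# Policy-backed registry value for the "do not forcefully unload" setting (assumed location).
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name DisableForceUnload -ErrorAction SilentlyContinue

# Direct matches only: a right or membership granted through a group shows as False here.
[pscustomobject]@{
    Application         = $app.Name
    Identity            = $identity
    IdentityResolves    = [bool]$sid
    BatchLogonDirect    = [bool]($sid -and $batchLine -match ([regex]::Escape($sid) + '(,|\s*$)'))
    LocalAdminDirect    = [bool]($admins | Where-Object { $_ -eq $identity -or $_ -eq $leaf })
    Dcom10006Events     = @($events).Count
    ForceUnloadDisabled = ($policy.DisableForceUnload -eq 1)
} | Format-List
```

A False in BatchLogonDirect or LocalAdminDirect means the identity is not listed by name or SID; confirm group membership before granting anything new, so the account ends up with only the rights the installation guide requires.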
Resolution 5: The database is actually offline
If the database is actually offline, this will present itself in other ways such as the inability to launch the management console or connect with SQL Management Studio or Oracle SQLPlus. Check your database services and work with your database administrator.
Enterprise Random Password Manager (ERPM)
Random Password Manager (RPM)