OCS 2007 R2 Group Chat on Windows Server 2008

  • Article

Recently I worked with a customer who was trying to install OCS 2007 R2 Group Chat on a member server running Windows Server 2008.  Each time the customer launched ServerSetup.EXE to install Group Chat, he encountered error 0x80070005 (Access is Denied) while binding to the IIS metabase path IIS://localhost/W3SVC/1, as shown in the following screenshot:

 

image

 

The user account used to install Group Chat should meet the following criteria:

  • Member of the Domain Admins Group
  • Member of local Administrators Group
  • Member of RTCUniversalServerAdmins Group

Additionally, the computer should meet the following prerequisites before installing Group Chat:

Microsoft .NET Framework 3.0

Manages the execution of the program. During the installation of Group Chat, if this version or a later version of the software is not already installed on the computer, Group Chat installs it.

Internet Information Services (IIS)

Hosts the Web Service for the purpose of posting files to chat rooms. Windows Server 2008 users must enable the IIS 6.0 Compatibility feature.

ASP.NET 2.0

Used to build dynamic Web sites, Web applications, and XML Web services. ASP.NET 2.0 is a Web application.

Message Queuing

Used by the Group Chat Compliance service, if deployed.

Microsoft Web Services Enhancements (WSE) 3.0

Implements additional Web service specifications in areas including security, reliable messaging, and sending attachments. WSE is required on the Group Chat Server only, not the Compliance service. WSE is an add-on to the .NET Framework.

Even after meeting these requirements, you may still encounter this error during Group Chat setup.  During installation, a new virtual directory called MGCWebService is created under the Default Web Site in IIS.  For this task to succeed, the SeImpersonatePrivilege is required.  On a Windows 2008 computer, this privilege is automatically granted in the security token of the Domain\Administrator account (Built-in account for administering the computer/domain), but not for other members of Domain Admins.  To prove this we can use the Whoami utility.

 

Whoami.exe /all (logged in as a member of Domain Admins)

Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled

 

Whoami.exe /all (logged in as Domain\Administrator)

Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled

Here you can see that the SeImpersonatePrivilege right is clearly missing in the security token of the Domain Admin account.  Without this privilege, Group Chat setup will fail.  To work around this problem, launch ServerSetup.EXE with elevated privileges (Run as Administrator) or log on using the Domain\Administrator account and launch Group Chat setup.

 

-- Dave