Service Manager 2016 Console: Error When Launching the Console Using Run As

In this customer's situation, running interactively as administrator is prohibited for the usual security reasons. For Service Manager administrative functions, SCSM admins launch the console using Run As and specify administrator credentials. This worked perfectly fine with the SCSM 2012 R2 console, but when they launched the SCSM 2016 console using Run As and then clicked on an incident, they received the results below:

  • Launch the SCSM 2016 console using Run As and specify an administrator account
  • Console launches
  • Select an incident (All Open Incidents)
  • Open the incident
  • The incident window opens minimized
  • Expand the window, which reveals the following error:

Microsoft.EnterpriseManagement.UI.WpfViews.InvalidConfigurationException: Failed to load form based on data in Presentation/Form section of FormView configuration: AssemblyName = Microsoft.EnterpriseManagement.ServiceManager.Applications.ProblemManagement.Forms, TypeName = Microsoft.EnterpriseManagement.ServiceManager.Applications.ProblemManagement.Forms.ProblemForm.
   at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.CreateFormFromConfiguration(XPathNavigator configNav)
   at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.ParseConfiguration()
   at Microsoft.EnterpriseManagement.UI.FormsInfra.FormViewController.EndInit()
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Windows.Markup.XamlParseException: The invocation of the constructor on type 'Microsoft.EnterpriseManagement.ServiceManager.Applications.ProblemManagement.Forms.GeneralTabControl' that matches the specified binding constraints threw an exception. ---> System.UnauthorizedAccessException: Retrieving the COM class factory for component with CLSID {7AB36653-1796-484B-BDFA-E74F1DB7C1DC} failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
   at System.Windows.Documents.WinRTSpellerInterop..ctor()
   at System.Windows.Documents.SpellerInteropBase.CreateInstance()
....

As a test, we tried launching the SCSM 2016 console using Run As with a standard user account; we experienced the same error.

Note: The issue only occurred when opening incidents, change requests and other objects that ship out of the box. It did not occur on custom items that the customer had created (e.g., virus items).

A registry search for the CLSID mentioned in the error message {7AB36653-1796-484B-BDFA-E74F1DB7C1DC} led to

HKLM\SOFTWARE\Classes\CLSID\{7AB36653-1796-484B-BDFA-E74F1DB7C1DC}
(Default) REG_SZ Microsoft Spell Checker Factory Class

and

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{7AB36653-1796-484B-BDFA-E74F1DB7C1DC}
RunAs REG_SZ Interactive User

We also used DCOMCNFG.exe to view the same COM object and confirm the settings.

So we could see that the Access Denied error is raised by the system spell checker, which on these machines is configured to run as Interactive User. This is a key finding, since Service Manager 2016 introduces spell check support for editable fields, at least in out-of-the-box work item forms (/en-us/system-center/scsm/whats-new#spell-check-in-service-manager-console).

Per https://msdn.microsoft.com/en-us/library/windows/desktop/ms680046(v=vs.85).aspx, you can specify the following values for the "RunAs" setting:
"Interactive User"
"nt authority\localservice"
"nt authority\networkservice"
"nt authority\system"

Note that if you're using DCOMCNFG to manage the COM object, you can change this value to "The launching user", which deletes the RunAs setting in the registry.

As a test, we set the value in the registry to "nt authority\localservice". Using this value, we could launch the console using Run As and open incident forms.
As a second test, we set the value in DCOMCNFG to "The launching user", verified that the RunAs value disappeared from the registry, and verified that we could open incident forms after launching the console using Run As.

Given this information, the customer opted to change the RunAs setting to localservice for SCSM 2016 administrators.
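
To check which identity the spell checker COM server is configured to run as on a console machine, and to apply either of the two changes tested above, a script along these lines can be used. This is an added example, not part of the original write-up or any Microsoft tooling; the -Mode parameter and the Get-SpellerRunAs function name are hypothetical, and writing under HKLM assumes an elevated session.

```powershell
# Added example (not from the original write-up). Run elevated on the console machine.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Audit: report only. LocalService: write the value the customer chose.
    # LaunchingUser: delete RunAs, as DCOMCNFG's "The launching user" does.
    [ValidateSet('Audit', 'LocalService', 'LaunchingUser')]
    [string]$Mode = 'Audit'   # hypothetical parameter name
)

$appId   = '{7AB36653-1796-484B-BDFA-E74F1DB7C1DC}'   # CLSID/AppID from the error message
$keyPath = "HKLM:\SOFTWARE\Classes\AppID\$appId"

# Hypothetical helper: returns the configured RunAs identity, or a marker string.
function Get-SpellerRunAs {
    if (-not (Test-Path -LiteralPath $keyPath)) { return '<AppID key not present>' }
    $value = (Get-ItemProperty -LiteralPath $keyPath -Name RunAs -ErrorAction SilentlyContinue).RunAs
    if ($null -eq $value) { return '<not set: the launching user>' }
    return $value
}

$before = Get-SpellerRunAs

if ($Mode -ne 'Audit' -and (Test-Path -LiteralPath $keyPath) -and
    $PSCmdlet.ShouldProcess($keyPath, "Change RunAs ($Mode)")) {
    try {
        if ($Mode -eq 'LocalService') {
            Set-ItemProperty -LiteralPath $keyPath -Name RunAs `
                -Value 'nt authority\localservice' -ErrorAction Stop
        }
        elseif ($before -notlike '<*') {
            # Only delete the value when it actually exists.
            Remove-ItemProperty -LiteralPath $keyPath -Name RunAs -ErrorAction Stop
        }
    }
    catch {
        Write-Warning "Could not change RunAs on ${env:COMPUTERNAME}: $($_.Exception.Message)"
    }
}

# Emit before/after so the change can be recorded per machine.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    AppID    = $appId
    Before   = $before
    After    = Get-SpellerRunAs
}
```

Running it with no arguments only reports the current setting; adding -WhatIf to either change mode shows what would be written without touching the registry.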