Recently I worked with a customer who was trying to install OCS 2007 R2 Group Chat on a member server running Windows Server 2008. Each time the customer launched ServerSetup.EXE to install Group Chat, he encountered error 0x80070005 (Access is Denied) while binding to the IIS metabase path IIS://localhost/W3SVC/1, as shown in the following screenshot:
The user account used to install Group Chat should meet the following criteria:
Additionally, the computer should meet the following prerequisites before installing Group Chat:
Microsoft .NET Framework 3.0 Manages the execution of the program. During the installation of Group Chat, if this version or a later version of the software is not already installed on the computer, Group Chat installs it. Internet Information Services (IIS) Hosts the Web Service for the purpose of posting files to chat rooms. Windows Server 2008 users must enable the IIS 6.0 Compatibility feature. ASP.NET 2.0 Used to build dynamic Web sites, Web applications, and XML Web services. ASP.NET 2.0 is a Web application. Message Queuing Used by the Group Chat Compliance service, if deployed. Microsoft Web Services Enhancements (WSE) 3.0 Implements additional Web service specifications in areas including security, reliable messaging, and sending attachments. WSE is required on the Group Chat Server only, not the Compliance service. WSE is an add-on to the .NET Framework.
Microsoft .NET Framework 3.0
Manages the execution of the program. During the installation of Group Chat, if this version or a later version of the software is not already installed on the computer, Group Chat installs it.
Internet Information Services (IIS)
Hosts the Web Service for the purpose of posting files to chat rooms. Windows Server 2008 users must enable the IIS 6.0 Compatibility feature.
ASP.NET 2.0
Used to build dynamic Web sites, Web applications, and XML Web services. ASP.NET 2.0 is a Web application.
Message Queuing
Used by the Group Chat Compliance service, if deployed.
Microsoft Web Services Enhancements (WSE) 3.0
Implements additional Web service specifications in areas including security, reliable messaging, and sending attachments. WSE is required on the Group Chat Server only, not the Compliance service. WSE is an add-on to the .NET Framework.
Even after meeting these requirements, you may still encounter this error during Group Chat setup. During installation, a new virtual directory called MGCWebService is created under the Default Web Site in IIS. For this task to succeed, the SeImpersonatePrivilege is required. On a Windows 2008 computer, this privilege is automatically granted in the security token of the Domain\Administrator account (Built-in account for administering the computer/domain), but not for other members of Domain Admins. To prove this we can use the Whoami utility.
Whoami.exe /all (logged in as a member of Domain Admins)
Privilege Name Description State ============================= ==================================== ======== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled
Whoami.exe /all (logged in as Domain\Administrator)
Privilege Name Description State =============================== ========================================= ======== SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeSecurityPrivilege Manage auditing and security log Disabled SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeSystemProfilePrivilege Profile system performance Disabled SeSystemtimePrivilege Change the system time Disabled SeProfileSingleProcessPrivilege Profile single process Disabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled SeCreatePagefilePrivilege Create a pagefile Disabled SeBackupPrivilege Back up files and directories Disabled SeRestorePrivilege Restore files and directories Disabled SeShutdownPrivilege Shut down the system Disabled SeDebugPrivilege Debug programs Disabled SeSystemEnvironmentPrivilege Modify firmware environment values Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled SeUndockPrivilege Remove computer from docking station Disabled SeManageVolumePrivilege Perform volume maintenance tasks Disabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
Here you can see that the SeImpersonatePrivilege right is clearly missing in the security token of the Domain Admin account. Without this privilege, Group Chat setup will fail. To work around this problem, launch ServerSetup.EXE with elevated privileges (Run as Administrator) or log on using the Domain\Administrator account and launch Group Chat setup.
-- Dave