Attempting to visit a Web Interface site fails with the error: Retrieving the COM class Factory for component with CLSID{080D0D78-F421-A36E-00C04FB950DC} failed (4336720)

Attempting to visit a Web Interface site fails with the error: Retrieving the COM class Factory for component with CLSID{080D0D78-F421-A36E-00C04FB950DC} failed

Attempting to visit a specific Active Roles Web Interface site fails with one of the following error messages:

Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800703fa Illegal Operation attempted on a registry Key that has been marked for deletion. (Exception from HResult: 0x800703FA) 

OR

Creating an instance of the COM component with CLSID {080D0D78-F421-11D0-A36E-00C04FB950DC} from the IClassFactory failed due to the following error: 800401e4 Invalid syntax (Exception from HRESULT: 0x800401E4 (MK_E_SYNTAX))

Other Web Interface sites on the same host can be visited without error.

The same Active Roles Web Interface configuration functions as expected when applied to a site with a different name.

CAUSE 1
If the Active Roles Web Interface is hosted on a remote server (is separate from the Active Roles Administration Service) and Federated Authentication is being used, then the service account used to run the ARWebAppPool IIS Application Pool is missing a required permission.


CAUSE 2
There is a malformed site reference in an IIS configuration file.

RESOLUTION 1

When the Federated Authentication endpoint sends an authorization request with a user name via SAML, IIS on the Active Roles Web Interface host can generate a Windows token by impersonation. However, this token can only be used to access remote resources only if the account running the ARWebAppPool IIS Application Pool has the privilege to Act as part of the operating system (SeTcbPrivilege)

If only one remote Active Roles Web Interface host is needed, the ARWebAppPool can be run as the LocalSystem account, which has SeTcbPrivilege by default. If more than one remote Active Roles Web Interface host is needed, then Kerberos SPN requirements mean that the ARWebAppPool must be run as an Active Directory service account that has the SeTcbPrivilege explicitly granted.

1. Select Control Panel | Administrative Tools | Local Security Settings
2. In the left panel, select Security Settings | Local Policies | User Rights Assignment
3. Open Act as part of operating system
4. In the Act as part of the operating system properties dialog box, click Add User or Group
5. In the Add User or Group dialog box, enter the desired Active Directory service account and click OK.
6. Click OK to close the properties dialog box

NOTE: If the Add button is greyed out, then there is a Group Policy which is preventing local changes. Instead, add the desired Active Directory service account into the Group Policy for this privilege on the Active Roles Web Interface host(s).

RESOLUTION 2

1. As an Active Roles Admin, delete the problem site in the Active Roles Configuration Center
2. With Local Administration privileges, navigate to %WinDir%\System32\Inetsrv\Config on the Active Roles Web Interface host
3. Create a copy of the applicationHost.config file in a safe location
4. Edit this file and remove any references to the problem site

NOTE: Be sure to remove the entire section that contains the reference. For example, if the reference is in a <location> tag, remove the open location tag, the closing location tag, and everything in between.

For example, if the file looks like this and the "BadSite" reference should be removed:

After modification, this section of the file should look like this:

5. Save the applicationHost.config file
6. In an elevated command prompt, run IISRESET
7. As an Active Roles Admin, recreate the site in the Active Roles Configuration Center and apply the desired Active Roles Web Interface configuration