Error Message
Either of the following errors is displayed when trying to connect to ArcGIS Server from ArcCatalog, a .NET application, or a Java application:
"Access Denied" or "The connection could not be made"
Cause
Distributed COM (DCOM) is disabled or the account used to connect does not have the appropriate DCOM permissions to access ArcGIS Server.
The ArcGIS Server post-installation creates two special groups, the agsusers and agsadmin groups, which are given permissions to access ArcGIS Server. Users that need to access ArcGIS Server should be added to the agsusers group. Users that need to administer ArcGIS Server (creating SOCs for instance) should be added to the agsadmin group.
Solution or Workaround
Apply the following procedure on every computer that has the ArcGIS Server Object Manager (SOM) installed and on every computer that has the ArcGIS Server Object Container (SOC) installed.
- Verify that the user trying to connect is added to the agsusers group.
A. Navigate to Control Panel > Administrative Tools > Computer Management.
B. Expand the "Local Users and Groups" option in the left panel and click Groups.
C. Right-click agsusers and open its properties to check whether the account being used has been added to the agsusers group.
D. If the account needs to perform administrative functions, right-click agsadmin and open its properties to check whether the account has been added to the agsadmin group.
E. Click the Add button if the account is missing.
F. Instruct the user to log off and log back on to Windows for the permissions to take effect.
- Verify DCOM is enabled and the Launch and Activation Permissions Limits under My Computer allow full access for the agsadmin, agsusers, ArcGISSOM, and ArcGISSOC accounts.
A. Navigate to Start > Run, type 'dcomcnfg' and click OK. This will open the DCOM Configuration window.
B. Expand Component Services > Computers in the left panel.
C. Right click on My Computer and choose Properties to open the My Computer Properties dialog box.
D. Select the Default Properties tab.
E. Verify that the "Enable Distributed COM on this computer" box is checked, the Default Authentication Level is set to Connect, and the Default Impersonation Level is set to Identify.
F. Select the COM Security tab.
G. Click the Edit Limits... button in the Launch and Activation Permissions section.
H. Verify that the agsadmin group is listed and that all 4 Allow boxes are checked when the group is selected.
I. Repeat step H for agsusers, ArcGISSOM and ArcGISSOC.
- Verify that the agsusers and agsadmin groups have at least Access permissions for the ArcSOM and ArcSOC applications in the Distributed COM security settings.
A. Navigate to Start > Run, type 'dcomcnfg.exe' and click OK. This will open the DCOM Configuration window.
B. On Windows Server 2003, expand Component Services > Computers > DCOM Config in the left panel.
C. Find ArcSOC and ArcSOM under the list of DCOM applications.
D. Right-click ArcSOC and choose Properties to open the ArcSOC Properties dialog box.
E. Select the Security tab.
F. Click Edit to edit the Access Permissions.
G. Verify that the agsadmin and agsusers groups are listed and that the Allow box for Access Permission is checked.
H. Repeat the steps above to set the ArcSOM Properties for the DCOM security.
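The first two checks in the procedure above (group membership, then the machine-wide DCOM defaults and launch limits) can also be read back from a script. This is an added example, not Esri's own tooling. It assumes an elevated PowerShell session on the SOM or SOC machine, and the account name `CONTOSO\gisuser` is a placeholder.

```powershell
# Added audit example: run elevated on each SOM/SOC machine. It only reads settings.
# $Account is a placeholder (assumption); use the account that fails to connect.
$Account = 'CONTOSO\gisuser'
$leaf    = ($Account -split '\\')[-1]

# Check 1: is the account listed in the local agsusers / agsadmin groups?
foreach ($group in 'agsusers', 'agsadmin') {
    $lines = net localgroup $group 2>$null
    $found = [bool]($lines | Where-Object { $_.Trim() -eq $Account -or $_.Trim() -eq $leaf })
    '{0,-9} lists {1}: {2}' -f $group, $Account, $found
}

# Check 2a: machine-wide DCOM defaults (the Default Properties tab in dcomcnfg).
# An empty value means the setting is not present in the registry.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
"EnableDCOM             : $($ole.EnableDCOM)  (expected Y)"
"Default authentication : $($ole.LegacyAuthenticationLevel)  (expected 2 = Connect)"
"Default impersonation  : $($ole.LegacyImpersonationLevel)  (expected 2 = Identify)"

# Check 2b: Launch and Activation limits (COM Security tab > Edit Limits).
# COM launch rights: 2 local launch, 4 remote launch, 8 local activation, 16 remote activation.
$allFour = 2 -bor 4 -bor 8 -bor 16
if ($ole.MachineLaunchRestriction) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($ole.MachineLaunchRestriction, 0)
    $seen = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to a name; fall back to the raw SID if it cannot be resolved.
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }
        if ($name -match 'agsadmin|agsusers|ArcGISSOM|ArcGISSOC') {
            $seen++
            $ok = ($ace.AccessMask -band $allFour) -eq $allFour
            '{0,-28} {1,-14} all four rights: {2}' -f $name, $ace.AceType, $ok
        }
    }
    if ($seen -eq 0) { 'No agsadmin/agsusers/ArcGISSOM/ArcGISSOC entries in the launch limits.' }
} else {
    'MachineLaunchRestriction is not set; the launch limits have not been customized.'
}
```

The per-application Access Permissions for ArcSOC and ArcSOM (the third check) are stored under each application's AppID and are not covered here; verify them in dcomcnfg as described.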