Error: Access Denied using ArcObjects Java ADF on Windows XP Service Pack 2 or Windows 2003 Service Pack 1
Information provided applies to situations where ArcObjects Java applications are unable to connect to the ArcGIS Server object manager, but non-Java application are able to connect using the same credentials. This means that with the same user, ArcCatalog connects but the Java ADF Template application fails. When using the ArcObjects Java API to access an ArcGIS server object, an error message is displayed indicating that access is denied. Here are a few examples:
"AutomationException: 0x80070005 - General access denied error
AutomationException: 0x5 - access is denied, invalid domain, username, password
Run-time error '70': Permission denied"
The ArcObjects Java API uses JIntegra interoperability to manage communication with ArcGIS COM components. Both Windows XP Service Pack 2 and Windows 2003 Service Pack 1 include a number of enhancements and changes to DCOM. As these changes may affect JIntegra operations, it may be necessary to change DCOM configuration properties to enable access to ArcGIS Server components.
Solution or Workaround
- The %JINTEGRA_HOME%\bin directory and ntvauth.dll must be in the system PATH. For an ArcGIS installation, %JINTEGRA_HOME% is the same as the ArcGIS install directory, for example c:\Program Files\ArcGIS. This DLL contains the native code J-Integra uses to determine the local authentication credentials.
- If the computer belongs to a workgroup instead of a domain, make sure that it does not use simple file sharing. Start Windows Explorer, select Tools. Select Folder Options. Select the View tab and uncheck 'Use simple file sharing (Recommended)' in Advanced settings.
- Navigate to Start > Control Panel > Administrative Tools > Component Services.
- Expand Component Services > Computers. Right-click My Computer. Select Properties.
- Select the Default Properties tab.
- Select 'Enable Distributed COM on this computer'. Set the Authentication level to 'Connect' or 'None'. Set the Default Impersonation Level to 'Identify'; 'Impersonate' also works.
- Select the COM Security tab.
- Under Access Permissions, click Edit Limits. Add the agsusers and agsadmin groups with Local and Remote Access permissions.
- Under Launch Permissions, click Edit Limits. Add the agsusers and agsadmin groups with Local and Remote Launch permissions, as well as Local and Remote Activation permissions.
- Close the Properties dialog box.
- Navigate to and expand DCOM Config under My Computer.
- For both the ArcSOC and ArcSOM components, perform the following procedure: a) Right-click on the component and open the properties window. Select the Security tab.
b) Under Launch and Activation permissions, select the Customize radio button and click the Edit button.
c) In the Launch Permission dialog box, add SYSTEM, INTERACTIVE, and NETWORK, give them Local and Remote Launch permissions, as well as Local and Remote Activation permissions. Click OK.
d) Under Access permissions, select the Customize radio button and click the Edit button.
e) In the Access Permission dialog box, add SYSTEM, INTERACTIVE, and NETWORK, give them Local and Remote Access permissions. Click OK.
f) Select the General tab. Set the Authentication Level to Default.
g) Select the Location tab. Select Run application on this computer.
- If an 'access denied' or 'permission denied' error is still returned after configuring the DCOM settings, try rebooting the computer to allow the new settings to take effect. In addition, confirm that the changes were made to both the ArcSOC and ArcSOM components in the previous step.
Upon installing a service pack, DCOM settings will be reset to default values. As a result, the steps in this document must be repeated after a service pack is applied.
- JIntegra Support: Configuring DCOM for Remote Access
- Microsoft TechNet: Microsoft Windows XP SP2 DCOM enhancements