IIS WAMREG Admin Service – A Classic

What is the IIS WAMREG Admin Service?  It often rears it’s ugly head in multi-server SharePoint farm installations.  If you don’t encounter it in configuring kerberos, then you encounter it  anyhow as your Event Log fills up with errors similar to this:
Log Name:            System
Level:                    Error
Event Source:        System
Event Category:     None
Event ID:               10016
OpCode:               Info
Logged:                07/01/2010 23:17:19
User:                    {Sharepoint Farm Account or Web Application AppPool Account}
Computer:            {One of Your Computers Name}
Description:          The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user {Sharepoint Farm Account or Web Application AppPool Account} SID {some SID} from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
So what is IIS WAMREG Admin Service?
This MSDN article briefly describes what it is as does this blog entry, and in brief it provides communication between processes that are hosted by IIS such as w3p.exe and non IIS hosted processes such as dllhost.exe.  Why do we need it in SharePoint? Well SharePoint uses all kinds of components including IIS processes for the Web Applications and Windows Services as well as other custom processes that we developers may construct.
Fixing the Issue
So basically the above error is complaining that it is trying to let a certain account kick start the WAMREG Admin Service but that the account, which is normally one of the accounts that runs an Application Pool, is not permitted to start up the process.  To allow this you need to grant Local Activation rights to the relevant accounts  for the IIS WAMREG Admin Service.
What I do in this situation is as recommended, go to the Windows Start Menu.  Then do the following:
Administrative Tools -> Component Services:
Then navigate down the tree view in the MMC Component Services -> Computers -> My Computer -> DCOM Config -> IIS WAMREG Admin Service

Once you’re there right-click and select Properties, then select the Security Tab and then click the Edit … button in the launch and Activation Permissions section.

Now you can add the individual account which should be the accounts which run your application pools as I’ve seen elsewhere.  I however prefer to add the local groups WSS_ADMIN_WPG and WSS_WPG in instead,  as these will automatically deal with any change of account or new accounts which get added later.  Then don’t forget to tick the Local Activation for both the new account groups as shown:

Click OK and then OK again and you’re done.  Clear out your Event Log entries if you wish, but you shoudln’t see any more occurances of that error in the event log. 

Kerberos Configuration

If you’re configuring Kerberos for your SharePoint farm then this configuration is also required to ensure proper passing of credentials via Kerberos.


Dave Mc




About davemcmahon81
Software Developer & Architect, User Group Leader, Speaker, Writer, Blogger, Occasional Guitarist, Man-made Global Warming Sceptic, Climate Change Believer, General Optimist but most of all proud Husband and Dad ...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: