
"HTTP Error 503. The service is unavailable" - Error message shown when a user tries to import an Excel file in Ginesys web

SYMPTOMS


Requested by: Suvradip Roy   

When a user tries to import an Excel file in Ginesys web, the following error message is shown: "HTTP Error 503. The service is unavailable".

CAUSE


The probable cause of this issue is that the server is temporarily unavailable. If the issue persists, the following error may appear in the Event Viewer logs.

Event ID 10016
“The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user IIS APPPOOL\GINESYSAppPoolFx4 SID (S-1-5-82-1358216942-634677025-1763237028-1288803088-3211383273) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.”

RESOLUTION


Follow the given steps to resolve the issue:

You need to provide administrative privileges on the two registry keys, CLSID and APPID. You also need to configure the DCOM Configuration in Component Services to provide “Local Activation” permission to the users/groups of the registry keys.

This long process can be carried out quickly by running a script in Windows PowerShell.

Please check the following links:
https://hinchley.net/articles/changing-dcom-security-permissions-with-powershell/

https://answers.microsoft.com/en-us/windows/forum/windows_8-performance/event-id-10016-the-application-specific-permission/9ff8796f-c352-4da2-9322-5fdf8a11c81e

Please go through the following steps to resolve the issue:

  1. Open Notepad.exe.
  2. Copy and paste the following script.
  3. Save it to disk as “Script.ps1” (the quotation marks must be included when saving in Notepad).
  4. Open Windows PowerShell as administrator by right-clicking the Windows PowerShell icon in Windows.
  5. Browse to the location on disk where the .ps1 script file is saved and type ./Script.ps1 to run the script.
  6. If you get an error while running the unsigned PowerShell script, run the following command in Windows PowerShell to allow unsigned scripts to run on your system, and then try to run the script again.
    Set-ExecutionPolicy RemoteSigned

The script is as follows:

```powershell
# Enables the named privilege (e.g. SeTakeOwnershipPrivilege) on the current process token.
function enable-privilege {
  param($Privilege)
  $Definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
    ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
    ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid {
    public int Count;
    public long Luid;
    public int Attr;
  }
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege) {
    TokPriv1Luid tp;
    IntPtr hproc = new IntPtr(processHandle);
    IntPtr htok = IntPtr.Zero;
    if (!OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok))
      return false;
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(null, privilege, ref tp.Luid))
      return false;
    if (!AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
      return false;
    // AdjustTokenPrivileges also returns true when the token does not hold the
    // privilege; the last error is then ERROR_NOT_ALL_ASSIGNED instead of 0.
    return Marshal.GetLastWin32Error() == 0;
  }
}
'@
  $ProcessHandle = (Get-Process -id $pid).Handle
  $type = Add-Type $definition -PassThru
  $type[0]::EnablePrivilege($processHandle, $Privilege)
}

# Makes Administrators the owner of an HKCR subkey and grants them FullControl on it.
function take-over($path) {
  $owner = [Security.Principal.NTAccount]'Administrators'

  $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($path, 'ReadWriteSubTree', 'TakeOwnership')
  $acl = $key.GetAccessControl()
  $acl.SetOwner($owner)
  $key.SetAccessControl($acl)

  $acl = $key.getaccesscontrol()
  $rule = New-Object System.Security.AccessControl.RegistryAccessRule "Administrators", "FullControl", "ContainerInherit", "None", "Allow"
  $acl.SetAccessRule($rule)
  $key.SetAccessControl($acl)
}

# Returns ownership of the subkey to TrustedInstaller. Only the owner is restored;
# the Administrators FullControl rule added by take-over stays on the key.
function take-back($path) {
  $owner = [Security.Principal.NTAccount]'NT SERVICE\TrustedInstaller'

  $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($path, 'ReadWriteSubTree', 'TakeOwnership')
  $acl = $key.GetAccessControl()
  $acl.SetOwner($owner)
  $key.SetAccessControl($acl)
}

# Stop with a clear error instead of looping forever when the privilege cannot be enabled.
if (-not (enable-privilege SeTakeOwnershipPrivilege)) {
  throw 'Could not enable SeTakeOwnershipPrivilege. Run this script from an elevated PowerShell session.'
}

# Setup HKCR.
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR

take-over 'CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}'
take-over 'CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}\LocalServer32'
take-over 'AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}'
take-over 'AppID\RuntimeBroker.exe'

$dcom = gwmi -class win32_dcomapplicationsetting -filter 'description="RuntimeBroker"' -enableallprivileges
if (-not $dcom) { throw 'DCOM application "RuntimeBroker" was not found.' }

# Builds an Allow ACE for the named trustee.
# The original declared ($dcom, $type, $name) but was called with the name only,
# which left the trustee name empty; the function now takes just the name.
function get-ace($name) {
  $trustee = ([wmiclass] 'win32_trustee').createinstance()
  $trustee.name = $name

  $ace = ([wmiclass] 'win32_ace').createinstance()
  $ace.accessmask = 11 # local launch / local activate
  $ace.aceflags = 0
  $ace.acetype = 0     # 0 = access allowed
  $ace.trustee = $trustee

  return $ace
}

# Appends the ACE to the launch/activation DACL. No check is made for an
# existing entry, so running the script again adds duplicate ACEs.
function add-launchace($dcom, $name) {
  $ace = get-ace $name
  $sd = $dcom.getlaunchsecuritydescriptor().descriptor
  [system.management.managementbaseobject[]] $dacl = $sd.dacl + @($ace)
  $sd.dacl = $dacl
  $dcom.setlaunchsecuritydescriptor($sd) | out-null
}

# Appends the ACE to the access DACL (same duplicate behaviour as above).
function add-accessace($dcom, $name) {
  $ace = get-ace $name
  $sd = $dcom.getaccesssecuritydescriptor().descriptor
  [system.management.managementbaseobject[]] $dacl = $sd.dacl + @($ace)
  $sd.dacl = $dacl
  $dcom.setaccesssecuritydescriptor($sd) | out-null
}

add-launchace $dcom 'NT AUTHORITY\SYSTEM'
add-launchace $dcom 'NT AUTHORITY\SELF'
add-launchace $dcom 'NT AUTHORITY\ALL APPLICATION PACKAGES'

add-accessace $dcom 'NT AUTHORITY\SYSTEM'
add-accessace $dcom 'NT AUTHORITY\SELF'
add-accessace $dcom 'NT AUTHORITY\ALL APPLICATION PACKAGES'
add-accessace $dcom 'NT AUTHORITY\LOCAL SERVICE'
add-accessace $dcom 'NT AUTHORITY\NETWORK SERVICE'

take-back 'CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}'
take-back 'CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}\LocalServer32'
take-back 'AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}'
take-back 'AppID\RuntimeBroker.exe'
```
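
The script's add-launchace calls name SYSTEM, SELF and ALL APPLICATION PACKAGES, while the Event ID 10016 text names IIS APPPOOL\GINESYSAppPoolFx4, so it is worth confirming which trustees actually hold Local Activation after the run. The following read-only check is an added example, not part of the original article or of Ginesys; the function name Get-LaunchAce and the variable names are illustrative, and the AppID and account are the values from the event text above.

```powershell
# Added example: audits the DCOM launch/activation DACL and changes nothing.
# Run in an elevated Windows PowerShell session on the affected server.
$AppId   = '{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}'   # APPID from the Event ID 10016 text
$Account = 'IIS APPPOOL\GINESYSAppPoolFx4'             # user from the Event ID 10016 text

# Bits of a DCOM launch ACE access mask.
$Rights = [ordered]@{
  Execute = 1; LocalLaunch = 2; RemoteLaunch = 4; LocalActivation = 8; RemoteActivation = 16
}

function Get-LaunchAce {
  param([string]$AppId)
  $dcom = Get-WmiObject -Class Win32_DCOMApplicationSetting -Filter "AppID='$AppId'" -EnableAllPrivileges
  if (-not $dcom) { throw "No DCOM application is registered with AppID $AppId" }

  $result = $dcom.GetLaunchSecurityDescriptor()
  if ($result.ReturnValue -ne 0 -or -not $result.Descriptor) {
    # No application-specific descriptor could be read for this AppID.
    Write-Warning "Could not read a launch descriptor (return value $($result.ReturnValue))."
    return
  }

  foreach ($ace in $result.Descriptor.DACL) {
    $mask = $ace.AccessMask
    [pscustomobject]@{
      Trustee = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
      Sid     = $ace.Trustee.SIDString
      Type    = if ($ace.AceType -eq 0) { 'Allow' } elseif ($ace.AceType -eq 1) { 'Deny' } else { "Type $($ace.AceType)" }
      Rights  = ($Rights.Keys | Where-Object { $mask -band $Rights[$_] }) -join ', '
      Mask    = $mask
    }
  }
}

# Compare by SID so that name formatting differences do not matter.
$sid  = ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value
$aces = @(Get-LaunchAce -AppId $AppId)
$aces | Format-Table Trustee, Type, Rights, Sid -AutoSize | Out-String | Write-Output

$direct = $aces | Where-Object { $_.Sid -eq $sid -and $_.Type -eq 'Allow' -and ($_.Mask -band $Rights.LocalActivation) }
if ($direct) {
  "$Account has a direct Allow ACE that includes Local Activation."
} else {
  "$Account has no direct Allow ACE with Local Activation; it can still be covered by a group listed above."
}
```

Running it before and after Script.ps1 shows exactly which ACEs the script added, including any duplicates from repeated runs.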

This should resolve your issue. If you face it again, please contact our Ginesys Care portal - https://care.ginesys.in/