
    MailEnable : Web mail and web administration may not function after system lockdown

    SYMPTOMS

    MailEnable web mail and/or web admin may not function immediately after installing on a Windows Server or having recently applied a hotfix or “lockdown utility”.

    CAUSE

    MailEnable’s web mail and web administration integrate with the security framework of the Windows platform.

    Examples of such services are Internet Information Server (IIS), Component Services (COM+) and the Windows Security Model.

    This integration makes MailEnable services susceptible to changes made to the Windows environment. If the Windows platform has been modified by “lockdown utilities”, or the default security settings have been changed, MailEnable may not function correctly.

    RESOLUTION

    The MEInstaller application can be used to reset permissions to the default settings. If significant customization or changes have been made to the Windows environment, it may be necessary to review the settings described below manually.

    The following workaround describes how to check the environment’s security settings manually.

    WORKAROUND

    MailEnable’s web mail and web administration features are the most susceptible to any of the following Windows environment changes:

    1. Registry Permission Changes (changes to the permissions on reliant or commonly used registry keys)
    2. File System Permission changes (reliant DLLs are denied access by the System, IME_ADMIN and/or IME_USER accounts)
    3. Missing or corrupted system libraries (e.g. ADO libraries are corrupt or non-existent)
    4. DCOM (COM+) security permission changes (changes made to DCOM security settings can cause MailEnable COM components to fail)
    5. Configuration changes made to COM+ or IIS (e.g. changing the process isolation to low priority within IIS)
    6. Policy Changes (changes in the privilege or rights associated with the System, IME_ADMIN and/or IME_USER account)

    1. Registry Permissions

    MailEnable’s IME_USER and IME_ADMIN need read access to certain branches of the registry.
    These accounts are members of the Users group, and are therefore given access to the necessary branches of the registry.

    It is possible that the Users group has been disabled or restricted from accessing the registry.
    If this is the case, the IME_ADMIN and IME_USER accounts need to be given explicit access to some registry keys so that MailEnable can access the registry.

    The IME_ADMIN account needs access to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes
    HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable

    Note: You may want to ensure that IME_ADMIN has access to the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.Dictionary
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.Encoder
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.Signer

    Some “lockdown utilities” restrict access to these keys to limit the use of the Scripting FileSystemObject.

    The IME_USER account needs access to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes

    2. File System Permission Changes

    MailEnable relies on many system libraries and therefore requires read access to these libraries.

    MailEnable’s IME_USER and IME_ADMIN need read access to the following shared system folders and files:

    IME_ADMIN requires read access to the following files and folders:

    WindowsSystemDirectory\scrrun.dll
    WindowsSystemDirectory\msvbvm60.dll
    WindowsSystemDirectory\msxml3.dll
    ProgramFilesDir\Common Files\System\ado
    ProgramFilesDir\Common Files\System\msadc
    ProgramFilesDir\Common Files\System\ole db
    ProgramFilesDir\Common Files\System\ado\msader15.dll
    ProgramFilesDir\Common Files\System\ado\msado15.dll
    ProgramFilesDir\Common Files\System\ado\msadrh15.dll
    ProgramFilesDir\Common Files\System\MSADC\msadce.dll
    ProgramFilesDir\Common Files\System\MSADC\msadcer.dll
    ProgramFilesDir\Common Files\System\OLE DB\msdasql.dll
    ProgramFilesDir\Common Files\System\OLE DB\msdasqlr.dll
    ProgramFilesDir\Common Files\System\OLE DB\oledb32.dll
    ProgramFilesDir\Common Files\System\OLE DB\oledb32r.dll

    IME_USER requires read access to the following files:

    ProgramFilesDir\Common Files\System\ado\msader15.dll
    ProgramFilesDir\Common Files\System\ado\msado15.dll
    ProgramFilesDir\Common Files\System\ado\msadrh15.dll
    ProgramFilesDir\Common Files\System\MSADC\msadce.dll
    ProgramFilesDir\Common Files\System\MSADC\msadcer.dll
    ProgramFilesDir\Common Files\System\OLE DB\msdasql.dll
    ProgramFilesDir\Common Files\System\OLE DB\msdasqlr.dll
    ProgramFilesDir\Common Files\System\OLE DB\oledb32.dll
    ProgramFilesDir\Common Files\System\OLE DB\oledb32r.dll

    IME_ADMIN requires full access to the following folders and subfolders:

    MailEnable\Config
    MailEnable\Postoffices
    MailEnable\Queues

    IME_USER requires read access to the following folders and subfolders:

    MailEnable\BIN\WebMail
    MailEnable\BIN\WebAdmin

    IME_ADMIN requires read access to the following folders and subfolders:

    MailEnable\Bin
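    The registry keys in section 1 and the files and folders in section 2 can be audited in one pass. The following PowerShell script is an added example and is not part of the MailEnable Knowledge Base article or MailEnable’s own tooling. It assumes IME_ADMIN and IME_USER are local accounts, that it runs in an elevated PowerShell session on the MailEnable server, and that MailEnable is installed under the $MailEnableRoot path (an assumed default; adjust it to the actual installation). The access-rule check is a simplified effective-permissions calculation: it unions the Allow entries and subtracts the Deny entries that apply to the account, to the well-known groups Everyone and Authenticated Users, and to every local group the account belongs to (the article notes both accounts are normally members of Users).

```powershell
# Added example (not from the MailEnable KB article): audit the registry keys, system
# DLLs and MailEnable folders listed in sections 1 and 2 for the access IME_ADMIN and
# IME_USER need. Assumed: local accounts, elevated session, install path below.
param(
    [string]$MailEnableRoot = 'C:\Program Files (x86)\Mail Enable'   # assumed install path
)

$SystemDir = [Environment]::SystemDirectory                                            # WindowsSystemDirectory
$CommonSys = Join-Path ([Environment]::GetFolderPath('CommonProgramFiles')) 'System'   # ProgramFilesDir\Common Files\System
# Caveat: on x64 hosts a 32-bit web mail application pool loads the 32-bit ADO/OLE DB
# copies under "Common Files (x86)\System"; point $CommonSys there if that applies.

function Get-PrincipalIdentities {
    param([string]$Account)
    # Identity names through which $Account can be granted access: the account itself,
    # the well-known groups, and every local group it is a member of.
    $ids = @("$env:COMPUTERNAME\$Account", 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($g in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members.Name -contains "$env:COMPUTERNAME\$Account") {
            $ids += "BUILTIN\$($g.Name)"; $ids += "$env:COMPUTERNAME\$($g.Name)"
        }
    }
    return $ids
}

function Test-Grant {
    param([string]$Path, [string[]]$Identities, [int]$Required)
    # $null when the object is missing (a section 3 problem, not a permission problem);
    # $true when the union of Allow entries covers every required bit and no Deny entry
    # for the same identities removes any of them.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $allowed = 0; $denied = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $rights } else { $denied = $denied -bor $rights }
    }
    return (($allowed -band $Required) -eq $Required) -and (($denied -band $Required) -eq 0)
}

$ReadKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$ReadFile    = [int][System.Security.AccessControl.FileSystemRights]::Read
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# Section 1: registry keys
$checks = @(
    @{ Account = 'IME_ADMIN'; Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes';                 Need = $ReadKey }
    @{ Account = 'IME_ADMIN'; Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable'; Need = $ReadKey }
    @{ Account = 'IME_USER';  Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes';                 Need = $ReadKey }
)
foreach ($k in 'Scripting.Dictionary', 'Scripting.Encoder', 'Scripting.FileSystemObject', 'Scripting.Signer') {
    $checks += @{ Account = 'IME_ADMIN'; Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$k"; Need = $ReadKey }
}
# Section 2: shared system libraries needed by both accounts
$sharedDlls = 'ado\msader15.dll', 'ado\msado15.dll', 'ado\msadrh15.dll', 'MSADC\msadce.dll', 'MSADC\msadcer.dll',
              'OLE DB\msdasql.dll', 'OLE DB\msdasqlr.dll', 'OLE DB\oledb32.dll', 'OLE DB\oledb32r.dll'
foreach ($acct in 'IME_ADMIN', 'IME_USER') {
    foreach ($d in $sharedDlls) { $checks += @{ Account = $acct; Path = (Join-Path $CommonSys $d); Need = $ReadFile } }
}
foreach ($d in 'scrrun.dll', 'msvbvm60.dll', 'msxml3.dll') { $checks += @{ Account = 'IME_ADMIN'; Path = (Join-Path $SystemDir $d); Need = $ReadFile } }
foreach ($dir in 'ado', 'msadc', 'ole db') { $checks += @{ Account = 'IME_ADMIN'; Path = (Join-Path $CommonSys $dir); Need = $ReadFile } }
# Section 2: MailEnable folders
foreach ($dir in 'Config', 'Postoffices', 'Queues') { $checks += @{ Account = 'IME_ADMIN'; Path = (Join-Path $MailEnableRoot $dir); Need = $FullControl } }
$checks += @{ Account = 'IME_ADMIN'; Path = (Join-Path $MailEnableRoot 'Bin'); Need = $ReadFile }
foreach ($dir in 'BIN\WebMail', 'BIN\WebAdmin') { $checks += @{ Account = 'IME_USER'; Path = (Join-Path $MailEnableRoot $dir); Need = $ReadFile } }

$identities = @{}
foreach ($acct in 'IME_ADMIN', 'IME_USER') { $identities[$acct] = Get-PrincipalIdentities -Account $acct }

foreach ($c in $checks) {
    $ok = Test-Grant -Path $c.Path -Identities $identities[$c.Account] -Required $c.Need
    $status = if ($null -eq $ok) { 'MISSING' } elseif ($ok) { 'OK' } else { 'DENIED' }
    '{0,-8} {1,-9} {2}' -f $status, $c.Account, $c.Path
}
```

    A DENIED line points at a permission that MEInstaller (or a manual ACL edit) needs to restore; a MISSING line means the library or folder itself is absent and belongs under section 3 instead. The check does not evaluate domain group membership or ACEs expressed with generic access bits, so treat its output as a first pass rather than a substitute for the Effective Access tab in the object’s security properties.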

    3. Missing or Corrupted System Libraries

    Missing or corrupt system libraries can cause MailEnable to fail. Ensure that MSXML, ADO and the Scripting Runtime are functioning on the system.

    MailEnable’s Diagnostic Report briefly tests these resources to confirm that they are functioning correctly. There are also Knowledge Base articles that explain how to diagnose and correct these issues.

    4. DCOM (COM+) Security Permission Changes

    MailEnable’s web mail and web admin rely heavily on COM+ and there are many configuration settings in relation to COM+ security that specifically control access to components.

    If the DCOM launch permissions are modified from the default, MailEnable’s web mail component may not be able to function.

    Specifically, IME_ADMIN and IME_USER both need Launch and Execute rights under DCOM.

    A Knowledge Base article relating to Windows 2003 Service Pack 1 outlines some considerations with respect to COM+:

    See: http://www.mailenable.com/kb/content/article.asp?ID=ME020364

    5. Configuration changes made to COM+ or IIS

    MailEnable’s web mail and web admin rely heavily on COM+. There are many configuration settings in relation to COM+, although it is exceptionally unusual that any generic changes made to the system could directly affect MailEnable.

    As a general rule, the MEInstaller application can be used to correct these issues.

    See: http://www.mailenable.com/kb/content/article.asp?ID=ME020314

    The MEInstaller Utility can also reset the IIS Application Isolation Levels. Ensure that the isolation level used is ‘High’ to be sure that MailEnable functions. It is possible to use a ‘Medium’ Isolation Level, however this is not recommended.

    6. Policy Changes

    MailEnable’s web mail and web admin use two Windows accounts (IME_USER and IME_ADMIN) to integrate with IIS and COM+ respectively. Each of these accounts needs specific operating system privileges (or rights assignments) in order to operate correctly.

    User Rights Assignments are configured via the Local Security Policy editor, found under the Administrative Tools program group.

    IME_ADMIN:
     – Create a token object
     – Adjust memory quotas for a process
     – Act as part of the operating system
     – Access this computer from the network
     – Log on as a batch job
     – Log on as a service
     – Log on locally
     – Replace a process level token

    IME_USER:
     – Access this computer from the network
     – Log on as a batch job
     – Log on locally
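    The two rights lists above can be compared against the effective Local Security Policy without clicking through the editor. The following PowerShell script is an added example, not part of the MailEnable Knowledge Base article or MailEnable’s tooling. It maps each right named in the article to the privilege constant under which Windows records it, exports the current policy with secedit, and reports whether each account holds the right directly or through a local group (for example Users, which typically holds “Log on locally”). It assumes IME_ADMIN and IME_USER are local accounts and that it runs in an elevated session, which secedit requires.

```powershell
# Added example (not from the MailEnable KB article): audit the User Rights Assignments
# listed in section 6 for IME_ADMIN and IME_USER. Assumed: local accounts, elevated session.
$Required = @{
    'IME_ADMIN' = [ordered]@{
        'SeCreateTokenPrivilege'        = 'Create a token object'
        'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
        'SeTcbPrivilege'                = 'Act as part of the operating system'
        'SeNetworkLogonRight'           = 'Access this computer from the network'
        'SeBatchLogonRight'             = 'Log on as a batch job'
        'SeServiceLogonRight'           = 'Log on as a service'
        'SeInteractiveLogonRight'       = 'Log on locally'
        'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    }
    'IME_USER' = [ordered]@{
        'SeNetworkLogonRight'     = 'Access this computer from the network'
        'SeBatchLogonRight'       = 'Log on as a batch job'
        'SeInteractiveLogonRight' = 'Log on locally'
    }
}

# Export the effective policy. Lines in [Privilege Rights] look like
#   SeTcbPrivilege = *S-1-5-32-544,*S-1-5-21-...-1005
# where each holder is a SID prefixed with '*' (occasionally an account name).
$cfg = Join-Path $env:TEMP 'rights-audit.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = @{}
$inSection = $false
foreach ($line in Get-Content -LiteralPath $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

function Get-PrincipalSids {
    param([string]$Account)
    # SIDs through which $Account can hold a right: its own SID, Everyone, Authenticated
    # Users, and every local group it belongs to. Domain groups are not enumerated here.
    $sid = (New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$Account")).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $groupSids = Get-LocalGroup | Where-Object { (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).SID.Value -contains $sid } | ForEach-Object { $_.SID.Value }
    return @($sid, 'S-1-1-0', 'S-1-5-11') + @($groupSids)
}

foreach ($acct in $Required.Keys) {
    $sids = Get-PrincipalSids -Account $acct
    foreach ($priv in $Required[$acct].Keys) {
        $holders = @($policy[$priv])
        $direct  = ($holders -contains $sids[0]) -or ($holders -contains $acct) -or ($holders -contains "$env:COMPUTERNAME\$acct")
        $viaGroup = -not $direct -and (@($sids | Where-Object { $holders -contains $_ }).Count -gt 0)
        $status = if ($direct) { 'OK' } elseif ($viaGroup) { 'OK(grp)' } else { 'MISSING' }
        '{0,-8} {1,-9} {2,-30} {3}' -f $status, $acct, $priv, $Required[$acct][$priv]
    }
}
```

    A MISSING line is a right that a lockdown template or policy change has stripped and that needs to be re-added in the Local Security Policy editor. Because several of the IME_ADMIN rights (“Act as part of the operating system”, “Create a token object”, “Replace a process level token”) make that account highly privileged, the same export is also worth reviewing in the other direction: those privileges should be held by IME_ADMIN and the built-in service accounts only, not by broader groups.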

    Source : https://www.mailenable.com/kb/content/article.asp?ID=ME020399
