Some days ago, we received an issue report related to an “Access is Denied” error that came up when trying to run a Thinfinity VirtualUI web-enabled application.
We replicated the user environment and made absolutely sure that the configuration was identical, but we could not reproduce the error.
In the user environment, the program insisted on running perfectly from the desktop, but it didn’t run through the web using VirtualUI.
We double checked all security settings, unsuccessfully looking for a clue as to why this could be happening.
There’s nothing more annoying than a non-reproducible error!
Digging for an “Access is denied”
Persistence pays off. The clue to solving the Access Denied error was related to the way VirtualUI runs a program. When you run a program from the desktop (by double-clicking on the executable file, etc.) you are using your user account. But when accessing the program through VirtualUI, it is run under a secondary logon, which is exactly what happens when the “Run as…” command is used.
That is why we asked the user to run their desktop application in their environment using the “Run as” command. This test produced the same error and enabled us to isolate it from VirtualUI.
This put us on the right track. We did some research and we found that the problem occurred in upgraded Windows installations only. In this scenario, when trying to use the “Run as…” command, an “Error 5: Access is Denied” occurs.
On its support site, Microsoft says:
“This issue occurs because the discretionary access control list (DACL) for the Secondary Logon service is not set correctly when you upgrade from Windows Server 2003 or from Windows Server 2008. This problem prevents a standard user from starting this service and from running an application as a different user.”
We found that the first of the two possible workarounds provided by Microsoft fixed the issue.
To solve the problem, please execute the following commands from a cmd prompt window:
net stop seclogon
sc sdset seclogon "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPDTLOCRRC;;;IU)(A;;CCLCSWDTLOCRRC;;;SU)(A;;CCLCSWRPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Make sure to copy the sc sdset command exactly. Without the double quotes, it fails with this error:
[SC] ConvertStringSecurityDescriptorToSecurityDescriptor FAILED 87: The parameter is incorrect.
Running this command fixes the Secondary Logon error, so we can make sure that “Run as…” doesn’t produce an “Access Denied” error and the application can work as expected.
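To read what the security descriptor in the sc sdset command grants, the following added example (not part of the original article or of Microsoft's workaround) decodes its DACL and lists which trustees may start the Secondary Logon service. The function names are hypothetical, the two-letter codes use the standard SDDL mapping for service objects, and deny ACEs are ignored as a simplification.

```python
import re

# Two-letter SDDL rights as they apply to service objects (standard mapping).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {
    "SY": "Local System", "BA": "Built-in Administrators", "IU": "Interactive users",
    "SU": "Service logon users", "AU": "Authenticated Users", "WD": "Everyone",
}

# The descriptor applied by the sc sdset command on this page.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPDTLOCRRC;;;IU)(A;;CCLCSWDTLOCRRC;;;SU)"
             "(A;;CCLCSWRPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_dacl(sddl):
    """Return {trustee: set(rights)} for allow ACEs in the D: part only."""
    m = re.search(r"D:([^()]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section found")
    allowed = {}
    for ace in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, _flags, rights, _obj, _inh, trustee = fields
        if ace_type != "A":          # simplification: deny ACEs are not modelled
            continue
        codes = re.findall("..", rights)
        unknown = [c for c in codes if c not in SERVICE_RIGHTS]
        if unknown or len(rights) % 2:
            raise ValueError(f"unrecognised rights in ({ace})")
        allowed.setdefault(trustee, set()).update(SERVICE_RIGHTS[c] for c in codes)
    return allowed


def who_can_start(sddl):
    """Trustees whose allow ACEs include SERVICE_START (RP)."""
    return sorted(t for t, r in parse_dacl(sddl).items() if "START" in r)


if __name__ == "__main__":
    for trustee in who_can_start(PAGE_SDDL):
        print(TRUSTEES.get(trustee, trustee), "may start seclogon")
```

Passing the output of sc sdshow seclogon from another machine to who_can_start shows which trustees hold the START right there, for comparison with the descriptor above.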