XCOM fails with task scheduler.

Document ID : KB000094181
Last Modified Date : 04/05/2018
Issue:
When I run an XCOM transfer submitted via a task scheduler (e.g. CA Technologies Workload Automation or the Windows Task Manager), it might fail with these error messages (output from xcomtcp.exe):

OpenService Failed, WinError = 5
QueryServiceService Failed, WinError = 6
#XCOMN0469E The XCOMD CA XCOM Data Transport Scheduler Service is not running or not compatible.

The same xcomtcp command issued directly from a CMD-Window will succeed.
Why is that and how can I resolve this?

 
Environment:
This problem can occur only with XCOM for Windows.
 
Cause:
When xcomtcp.exe starts, it first queries the status of the xcomdsrv service by using the OpenService and QueryService Windows functions. These requests might fail because of insufficient rights.
The XCOM service 'xcomdsrv', like other Windows services, has been assigned particular rights, so that only specific users are allowed to issue particular commands against the service. This is defined in the Security Descriptor of the XCOM service. To display these rights, issue the command:

sc sdshow xcomdsrv

This will show output similar (or equal) to this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The output starts with several strings in parentheses after D:. This is the Discretionary Access Control List (DACL) for the service XCOMDSRV. The section starting with S: is for auditing purposes and is of no interest in this context. (A detailed explanation of the contents of a DACL can be found here: https://support.microsoft.com/en-us/kb/914392)
Each pair of parentheses specifies the particular rights for one group of users. The group is identified by the two-character code immediately before the right parenthesis.

So 'BA' represents Builtin-Administrators, 'SY' local system accounts, 'IU' Interactive Users and 'SU' is for Super Users.

In the middle of each entry is a series of two-character codes such as:
CC=SERVICE_QUERY_CONFIG
LC=SERVICE_QUERY_STATUS
SW=SERVICE_ENUMERATE_DEPENDENTS
LO=SERVICE_INTERROGATE
CR=SERVICE_USER_DEFINED_CONTROL
RC=READ_CONTROL


Because LC appears in every entry listed above, all Admins, Local System Accounts, Super Users and Interactive Users are allowed to query the status of the XCOMDSRV service. So why might xcomtcp.exe fail when it is called by a job scheduler?

It fails when the job scheduler runs the xcomtcp command under a specified non-admin user. In this situation the user is not interactively logged on, but acts as a batch user. (That is why the job scheduler fails in general when this user has not been assigned the right to 'log on as batch job' in the machine's local security policies.) Since this DACL allows only Interactive Users (IU), and not batch users, to query the status of the service, the error messages appear when a scheduler is used.
 
Resolution:
The resolution is to extend the group of users allowed LC=SERVICE_QUERY_STATUS to Authenticated Users (AU) in the DACL for the xcomdsrv service. The entry added for AU carries the same rights string that Interactive Users (IU) already have. To do this, follow the steps below:
 
  • From the command prompt, issue the command "sc sdshow xcomdsrv".
  • Copy the output of this command (the SDDL string) to Notepad and remove all line breaks so that the whole output is on one line.
After removing the line breaks, the output will look like this:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  • Add "(A;;CCLCSWLOCRRC;;;AU)" to the SDDL string after the IU entry.
After the addition, it will look like this:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  • Issue the command "sc sdset xcomdsrv <SDDL>".
The command will look like this:
sc sdset xcomdsrv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 
Once executed successfully, it will give the following output:
          [SC] SetServiceObjectSecurity SUCCESS
  • Issue command "sc sdshow xcomdsrv" again to verify updated SDDL.  
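
The manual edit in the steps above can be checked offline before "sc sdset" is run. The following Python code is an added example, not part of the original document or of any CA or Microsoft tooling; the function names are assumptions made for illustration. It joins the wrapped sdshow output, lists which trustees hold LC, and inserts the AU entry after IU while refusing any right outside the six query codes listed in the Cause section.

```python
import re

# Rights codes decoded in the article; all of them are query/read-type rights.
READ_RIGHTS = {"CC": "SERVICE_QUERY_CONFIG", "LC": "SERVICE_QUERY_STATUS",
               "SW": "SERVICE_ENUMERATE_DEPENDENTS", "LO": "SERVICE_INTERROGATE",
               "CR": "SERVICE_USER_DEFINED_CONTROL", "RC": "READ_CONTROL"}

# "sc sdshow xcomdsrv" output as shown in the article, wrapped over two lines.
SDSHOW_OUTPUT = """D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"""

def split_sddl(sddl):
    """Remove line breaks and split into (DACL, SACL); the SACL is kept verbatim."""
    sddl = "".join(sddl.split())
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string that starts with D:")
    dacl, marker, sacl = sddl.partition("S:")
    return dacl, marker + sacl

def trustees_with(sddl, right):
    """Trustees whose allow ACE in the DACL contains the given two-letter right."""
    dacl, _ = split_sddl(sddl)
    found = []
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) >= 6 and fields[0] == "A" and right in re.findall("..", fields[2]):
            found.append(fields[5])
    return found

def grant_after(sddl, trustee, rights, after):
    """Insert an allow ACE for trustee directly after the ACE of the 'after' trustee."""
    extra = [r for r in re.findall("..", rights) if r not in READ_RIGHTS]
    if len(rights) % 2 or extra:  # least privilege: only the query codes above
        raise ValueError("refusing rights beyond query/read: " + ",".join(extra))
    dacl, sacl = split_sddl(sddl)
    new_ace = "(A;;%s;;;%s)" % (rights, trustee)
    if new_ace in dacl:  # ACE already present, leave the descriptor unchanged
        return dacl + sacl
    anchor = re.search(r"\(A;[^()]*;%s\)" % re.escape(after), dacl)
    pos = anchor.end() if anchor else len(dacl)  # append if 'after' is absent
    return dacl[:pos] + new_ace + dacl[pos:] + sacl

if __name__ == "__main__":
    print("LC before:", trustees_with(SDSHOW_OUTPUT, "LC"))
    updated = grant_after(SDSHOW_OUTPUT, "AU", "CCLCSWLOCRRC", after="IU")
    print("LC after: ", trustees_with(updated, "LC"))
    print("sc sdset xcomdsrv", updated)
```

The string it prints after "sc sdset xcomdsrv" is identical to the one-line SDDL shown in the steps above.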

 
Additional Information:
Best practices and guidance for writers of service discretionary access control lists: https://support.microsoft.com/en-us/kb/914392