Application Pool Discovery Over Distributed Engines
You can perform discovery over distributed engines. However, application pool scanning cannot use the discovery source's identity for impersonation.
For discovery to work on application pool service accounts on IIS 7+, the "IIS Management Scripts and Tools" feature must be installed on the DE or web server running the code.
Check that the following privileges are set for the distributed engine service account:
- Enable the account to log on as a service.
- Grant the account read, write, and execute privileges to the entire distributed engine installation directory and sub-folders.
- Add the account to the administrators group on each computer that will be scanned.
80070005 Error
An 80070005 error similar to the one below indicates that the distributed engine service account does not have sufficient privileges on the machine being scanned.
Exception: Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine <MACHINE> failed due to the following error: 80070005
To resolve the error, add the account to the administrators group on that machine. When you change the user that the distributed engine service runs as, Secret Server interprets the service as a new engine. You will need to delete the old engine and activate the new engine in Secret Server, if applicable.
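An added preflight check (example code, not Delinea/Thycotic's own) that verifies, for the account the distributed engine service logs on as, the four requirements above: the IIS Management Scripts and Tools feature, the log-on-as-a-service right, read/write/execute on the install directory, and local Administrators membership (the last being what the 80070005 error points to when run on a scan target). The service name and install path are assumptions; run it from an elevated PowerShell on the DE or web server.

```powershell
# Preflight check for the distributed engine service account (added example, not vendor code).
# Run from an elevated PowerShell on the DE or web server. ASSUMPTIONS: service name and install path.
param(
    [string]$ServiceName = 'DistributedEngine',                                         # ASSUMPTION: real service name
    [string]$InstallDir  = 'C:\Program Files\Thycotic Software Ltd\Distributed Engine'  # ASSUMPTION: real install path
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the service name assumption." }
# The Log On account: this is the identity that must hold the privileges listed above.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
Write-Host "Distributed engine service logs on as: $account"

# 1. "IIS Management Scripts and Tools" (feature name Web-Scripting-Tools) for IIS 7+ app pool discovery.
$feature = Get-WindowsFeature -Name Web-Scripting-Tools
Write-Host ("IIS Management Scripts and Tools installed: {0}" -f $feature.Installed)

# 2. "Log on as a service" (SeServiceLogonRight), read from a local security policy export.
#    secedit lists holders as *SID entries, so compare against the account's SID (direct grants only).
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$rightLine = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1).Line
$hasLogonRight = [bool]($rightLine -and $rightLine.Contains($sid))
Remove-Item $cfg -ErrorAction SilentlyContinue
Write-Host "Log on as a service: $hasLogonRight"

# 3. Read, write and execute on the install directory, with inheritance so sub-folders are covered.
$needed = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$fsRule = (Get-Acl -Path $InstallDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $account -and
    (($_.FileSystemRights -band $needed) -eq $needed) -and $_.InheritanceFlags -ne 'None'
}
Write-Host ("Read/write/execute on {0} and sub-folders: {1}" -f $InstallDir, [bool]$fsRule)

# 4. Local Administrators membership (direct membership only). This is required on every machine
#    that will be scanned; the 80070005 COM error is the symptom when it is missing on a target.
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -eq $account })
Write-Host "Member of local Administrators: $isAdmin"
```

Checks 2 and 4 report only direct grants and direct membership; a right or membership inherited through a group shows as false and should be confirmed by hand.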
The typical workflow for changing the account logon for the distributed engine service is as follows:
- Go to Admin > Distributed Engine > Manage Sites and deactivate distributed engine in Site.
- Delete the engine by selecting the trash can icon next to the engine.
- Go to the distributed engine server and stop the distributed engine service, or end the process from the Task Manager.
- Change the Log On option — this must be the same account used for your discovery.
- Start the distributed engine service.
- In the Secret Server application, go to Admin > Distributed Engine > Manage Sites and select your site (or /SiteView.aspx?SiteId=X page) then refresh the page.
- Activate distributed engine by clicking the check mark icon next to it (or from the /ManageEngines.aspx page).
- Wait 3-5 minutes and click Validate Connection. You should see a successful connection.