Application Pool Discovery Over Distributed Engines
Application pools cannot directly perform discovery over distributed engines, but a workaround is possible by impersonating a discovery source's identity.
For discovery to work on application pool service accounts on IIS 7+, the IIS Management Scripts and Tools feature must be installed on both the DE (the web server running the scan) and the target machine hosting the application pool.
Check that the following privileges are set:
- Enable the account to log in as a service.
- Grant the account read, write, and execute privileges to the entire distributed engine installation directory and sub-folders.
- Add the account to the administrators group on each computer that will be scanned.
80070005 Error
An 80070005 error indicates that the distributed engine service account does not have sufficient privileges on the machine being scanned:
Exception: Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine <MACHINE> failed due to the following error: 80070005
To resolve the error, add the account to the administrators group on that machine. When the user of the distributed engine service is changed, Secret Server treats the service as a new engine: delete the old engine and activate the new one in Secret Server.
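The three privileges listed above, and the administrators-group membership that the 80070005 error points at, can be verified on each machine before running a scan. The following PowerShell script is an added example, not part of Secret Server or its distributed engine tooling; the account name, the installation directory and the service name placeholders are assumptions to be replaced with your own values. It exports the local user-rights policy with `secedit` to check the log-on-as-a-service right, inspects the install directory ACL, checks direct membership of the local Administrators group, and reports whether the IIS Management Scripts and Tools feature is installed. Run it elevated on the DE host and on each target machine.

```powershell
# Added example: checks DE service-account prerequisites on the local machine.
# Placeholders (assumptions, replace before use):
$Account      = 'CONTOSO\svc-de'                 # the DE / discovery service account
$DeInstallDir = 'C:\Path\To\DistributedEngine'   # the DE installation directory

$results = [ordered]@{}

# 1. "Log on as a service" right: export USER_RIGHTS with secedit and look for the
#    account's SID on the SeServiceLogonRight line (entries are stored as *SID).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights-export.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$results['LogOnAsService'] = ($null -ne $line) -and ($line.Line -like "*$sid*")
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. Read, write and execute on the install directory. Inherited ACEs are included,
#    so a grant on the parent folder that propagates to sub-folders is detected.
#    Note: only ACEs naming the account directly are matched; a grant via a group
#    the account belongs to will show as $false here.
$needed = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$acl = Get-Acl -Path $DeInstallDir
$granted = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    (($_.FileSystemRights -band $needed) -eq $needed)
}
$results['InstallDirRights'] = [bool]$granted

# 3. Local Administrators membership (direct members only; nested groups are not expanded).
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$results['LocalAdministrator'] = [bool]($admins | Where-Object { $_.Name -eq $Account })

# 4. IIS Management Scripts and Tools: Web-Scripting-Tools on Windows Server,
#    IIS-ManagementScriptingTools as an optional feature on client Windows.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $results['IisScriptingTools'] = (Get-WindowsFeature -Name Web-Scripting-Tools).Installed
} else {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName IIS-ManagementScriptingTools).State
    $results['IisScriptingTools'] = ($state -eq 'Enabled')
}

# Any $false line is a prerequisite to fix before scanning; a missing
# LocalAdministrator entry is the usual cause of the 80070005 error.
[pscustomobject]$results | Format-List
```

On a target machine that only hosts the application pool, the InstallDirRights line does not apply (there is no DE installation directory there) and can be ignored; the other three checks apply to both the DE host and the target.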
The typical workflow for changing the account login for the distributed engine service is as follows:
- Hover over Settings and under Distributed Engine select Sites and engines. The Distributed Engine page appears.
- From the list of sites with active engines displayed by default, select the site whose engine you want to deactivate and click the arrow to expand the selection.
- To deactivate the DE, hover over the far right of the engine's line, below the download button, until a vertical 3-dot menu appears. Click it to open the drop-down list and select the first option.
- When prompted, confirm the deactivation by clicking OK.
- Delete the engine by reselecting the 3-dot menu and choosing Remove from Site.
- When prompted to confirm this action, click OK. The engine is moved under the Pending engines drop-down at the top of the page; refresh the page to see it there.
- Once the deactivated engine appears in the Pending engines list, hover over its line again until the 3-dot menu appears and click it. Choose Delete, the second option on the list, and confirm the action. The page refreshes automatically and the engine disappears from the Pending engines list.
- Go to the distributed engine server and stop the distributed engine service, or end the process from Task Manager.
- Change the Log On option — this must be the same account used for your discovery.
- Start the distributed engine service.
- In the Secret Server application, go to Settings > Distributed Engine > Sites and engines and check if the engine is under Pending engines.
- If so, activate the DE by clicking the 3-dot menu, selecting Activate, and assigning it to a site when prompted. You should see a successful connection, and Activation Status should show the green checkmark.