Unable to access LU using non-admin user

Happy New Year!

I installed HIS 2013 server on Windows 2012 R2 and HIS client on Windows 8.1.  

  • Configured "single APPC" SNA system on HIS server.
  • LOGON for all the SNA services is set up as "Local System" on HIS Server and HIS client.
  • Added domain user (domain\user1) to the HIS server->SNA Service->Configured Users and assigned a local LU (USER1LU).
  • Configured Sponsor connection on the client.
  • Added user to the "HIS Runtime Users" on the client and server local groups.

When I log in to the Windows 8.1 (client) machine as "domain\user1" and open a command prompt to run my application, it fails. I found the following error in the client machine's Event Viewer.

"CPI-C failed to allocate memory, system call return code: 0005"

  • Whereas if I start the command prompt with "Run as Administrator", my application works.
  • Similarly, if I log in to the HIS server system (Windows 2012) itself, the same issue is observed if the command prompt is not opened as an Administrator.
  • Logged into the HIS server (Windows 2012), opened the command prompt and ran my application. Works.

Definitely, there is a problem with the privileges. I am unable to figure it out. Can anybody help me out?

Thanks,

Machhindra

January 6th, 2014 10:52am

A couple of things:

- We neither recommend nor test running HIS Services under the Local System account. It can and does work, but for security purposes we don't recommend it. Since we don't test this scenario, it is possible that there could be some issues, especially since you are running on the latest operating systems with the additional security that gets added with each release.

- You should create a domain account (regular user) to use for the HIS Service account and then re-run the HIS Configuration tool to change the service account to the new domain account. Do this on both the HIS Server and HIS Client.

- We also recommend using Domain groups for the two HIS security groups, although you can use local groups.

- The only account that needs to be in the HIS Runtime Users group is the HIS Service Account. User accounts that "run" the SNA applications that are in use don't need to be in the HIS Runtime Users group.

I would try these changes and then see if you see the same behavior or not.

Thanks...

January 7th, 2014 6:06pm

Let me try using domain credentials as suggested.

How to start TPSTART.EXE? Who should start it?

My application (Windows service) invokes TPSTART.exe before making any CPI-C call.

January 9th, 2014 8:09pm

If your application invokes TPStart.exe, then that should be fine. In cases where APPC/CPI-C applications are configured as auto-started applications, tpstart.exe needs to be running so that the SnaBase process can call it to have the program launched. In some cases (like yours) the application is designed to call tpstart.exe as part of its normal process. In others, you just have to manually start it.

Back to the original issue because I have run into this before and have again the last couple of days while working on something else.

The error that you are seeing is happening because of security changes to both Windows and HIS. Starting with Windows Vista, we started having to deal with UAC (User Account Control) issues. What you are seeing is all part of that.

If you need to run your application on a HIS system where SnaBase is running as a service, the application will need to run under the same user context and that user account will need to have the "Create Global Objects" user right. SnaBase always runs as a service on HIS Server systems. It also runs as a service on HIS Client systems by default. It can be changed to run as an application on HIS Clients by running the Configuration Tool, going to Common Settings and clicking the Advanced button. On HIS 2013 Clients the option to change is "Run SNABASE as an application". On HIS 2009/2010 Clients, the option under Advanced is "Run resource location component as an application".

To add the "Create Global Objects" right to the user account, you need to do the following:

1. Go to Administrative Tools under Control Panel.

2. Run Local Security Policy.

3. Expand Local Policies.

4. Click User Rights Assignment.

5. Double-click Create global objects. 

6. Click Add User or Group... and enter the user name that you want to add this right to.

I have tested this using a sample CPI-C application on HIS 2009, HIS 2010, and HIS 2013 and it has worked on each one to resolve the access denied error that occurs when the HIS CPI-C library is trying to create named objects. Of course, it also works if I run the application as "Administrator".

As I indicated, the issue is related to the tightening of security on objects that started with Windows Vista and has continued to the current Windows versions. Accordingly, our Server applications (like HIS) have also tightened security.

Hope this helps.

January 9th, 2014 11:36pm
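
To verify the result of the Local Security Policy steps in the reply above, the following added example (not part of the original thread and not HIS tooling) lists which accounts hold the right and shows whether the current prompt's token carries it. It assumes an elevated PowerShell prompt for the policy export; `Get-UserRightHolders` is a hypothetical helper name, and `SeCreateGlobalPrivilege` is the constant name Windows uses for "Create global objects".

```powershell
# Added example: audit who holds "Create global objects" (SeCreateGlobalPrivilege).
# Assumption: run from an elevated prompt, since secedit needs admin rights to export policy.

function Get-UserRightHolders {
    param(
        [string]$Right = 'SeCreateGlobalPrivilege'   # constant behind "Create global objects"
    )
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the local security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $cfg)) { throw 'secedit export failed; run elevated.' }

        $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return @() }               # right is assigned to nobody

        ($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate to a name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }                 # orphaned or unresolvable SID
            } else {
                $entry                               # already an account name
            }
        }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# 1. Accounts and groups granted the right by local policy.
#    Review this list: it should contain only the accounts that need it.
Get-UserRightHolders

# 2. Does the token of THIS prompt carry the privilege? Run it in the same
#    kind of prompt (elevated or not) that the application is started from.
whoami /priv | Select-String 'SeCreateGlobalPrivilege'
```

A newly granted user right is placed in the access token at logon, so log the account off and back on (or restart the service running under it) before re-testing the application.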

This topic is archived. No further replies will be accepted.
