IIS 6 CreateObject permissions issue

on 14.10.2004 23:56:15 by Matthew Nichols

First off I apologize for the crucial piece of information I will
doubtlessly leave out (don't know what it is but I am sure there will be
something) or the completely obvious answer that I have missed.

We have a system that has been running on Windows 2000 Server composed of
SQL / COM+ / ASP layers. It currently runs as a single physical tier system
in our production environment, but it is tested as both a single and dual
tier system so I am confident that running on Windows 2000 what I am
attempting works.

What I am attempting is to add a Windows 2003 server box to function as the
IIS server and use COM+ proxies to hook back to the COM+ running on the
backend so we can stop running the single server so hard. As I said this
works in the QA environment on Windows 2000 server just fine.

If IIS is set to not allow anonymous access then I am able to log in and the
system runs fine. However if it is set for anonymous access using the IUSR
account then I receive the following error:
Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
/scripts/include/organization.asp, line 23
The call to Server.CreateObject failed while checking permissions. Access is
denied to this object.

I have of course seen a number of postings with this error and have tried a
number of their suggestions. I have tried:
- setting the anonymous account to domain account with admin privileges
(this interestingly attempts to force the user to login even though
anonymous is allowed).
- giving admin privileges to the IUSR and IWAM accounts
- setting the default COM access and launch permissions on front and back
end boxes to specifically allow the Domain account I attempted to use as
well as the IUSR and IWAM accounts
- adding the domain account to IIS_WPG group
- changing the Identity of the Default App Pool to all 3 predefined
identities as well as the domain account and the IWAM account
- disabling security on the COM+ Application packages.

and a number of other things that are now escaping me. I am clear that I have
been trying all that I can think of but alas I am not a trained admin but
rather an applications programmer trying to figure it out.

What I am hoping for in my posting is that someone will be able to say
whether or not it is even a possible configuration given the different OSs
involved and if there is some clear thing that I have missed given what I
have mentioned. I have not seen mention of anyone attempting this particular
configuration so any direction would be very much appreciated.

Thanks,

Matthew Nichols

RE: IIS 6 CreateObject permissions issue

on 15.10.2004 21:33:01 by SteelValor

This is just a wild guess, but does line 23 call/include another object that
might not have the right permissions?? I've run into that on several
occasions.

Re: IIS 6 CreateObject permissions issue

on 18.10.2004 16:09:24 by Matthew Nichols

If I am getting your meaning correctly, I don't think so. If I run a vbs
script from the command line that calls the object and requests data, that
works fine.

Matthew

Re: IIS 6 CreateObject permissions issue

on 25.10.2004 15:25:19 by dpettinato1

Hi,

Was this issue resolved? If so, could you post how it was fixed as I
am having the same issue.

IIS 6 gives me an error on Server.CreateObject("<>") but in
IIS 5 with the same permissions set up on the folder structure, it
works fine.

Thanks,
-Derek.

Re: IIS 6 CreateObject permissions issue

on 13.11.2004 00:49:12 by yonlinemanghn

Hello All,
It looks like you are running into this issue because of a change in
Windows 2003 to enhance security. Here are the details on the issue (this
info will be published in a KB article pretty soon- Q885656)

**Symptoms**
You have a web application running on Windows 2003. This web application
calls a COM+ Application proxy to activate an object on a remote server. If
you have anonymous access enabled within IIS and the anonymous account is
set to run under the IUSR_SERVERNAME then you may get one of the
following two errors when trying to access the page.

Microsoft VBScript runtime error 800a0046
Permission denied: 'CreateObject'
/virtualdirectory/asppage.asp, line 2

------ OR -----------

ASP Error 0178 (80007005)
Server.CreateObject failed while checking permissions

This exact same design works on a Windows 2000 server environment.

**Analysis**

This problem occurs because of the new default value for LogonMethod
(MD_LOGON_METHOD) metabase property in Windows 2003. For IIS5 and Windows
2000, the default value for LogonMethod was MD_LOGON_INTERACTIVE (see
references below). For IIS6 and Windows 2003, the default value for
LogonMethod is MD_LOGON_NETWORK_CLEARTEXT (see references below). The
LogonMethod metabase property tells IIS how the anonymous user account
(IUSR_MachineName) will be passed off of the web server to another remote
server.

For IIS5/Win2000 when you have a web site that allows Anonymous Access and
the Anonymous account is configured to run under the IUSR_SERVERNAME
account, when an asp page makes a request to a COM+ application proxy, and
this proxy goes off to a remote server, the identity used is NT
AUTHORITY\ANONYMOUS. The remote server accepts this NT AUTHORITY\ANONYMOUS
account and maps the request to a local guest account giving that account
access to activate the COM+ Server object.

For IIS6/Win2003 when you have a web site that allows Anonymous Access and
the Anonymous account is configured to run under the IUSR_SERVERNAME
account, when an asp page makes a request to a COM+ application proxy, and
this proxy goes off to a remote server, the outbound credentials are left
as the configured anonymous account, meaning
WEBSERVERNAME\IUSR_WEBSERVERNAME. This account of course will not be
authenticated by the remote server and thus throws the permission denied
(800a0046) error.

**Solution**
You have three options to resolve this problem. The first one is the most
secure and is recommended over the other 2.

Option #1:
--------------------
Configure the IIS Anonymous account to be a domain account (or a local
admin account that has the same name and password on both machines)
instead of IUSR_SERVERNAME

- Open up IIS
- Right-click on your web site and come down to properties
- Click on the "Directory Security" tab and then click the "Edit…" button in the
  "Authentication and access control" section
- Put a check in the "Enable anonymous access" checkbox
- Click the "Browse.." button and then enter in a domain user account and their password.
  Note: this domain user account will need to have access to the Application Server in order
  for it to not run into any further Permissions problems.

Option #2:
------------------
Use the LogonMethod = MD_LOGON_NETWORK IIS metabase setting. You would
change this setting to be a value of 2 (MD_LOGON_NETWORK) at the
application level so that IIS6 will emulate the LogonMethod behavior of
Windows 2000. This will change the outbound credentials of the request to
be NT AUTHORITY\ANONYMOUS instead of SERVERNAME\IUSR_SERVERNAME

To set the LogonMethod for the entire web server run this command from
the C:\Inetpub\AdminScripts directory

cscript.exe adsutil.vbs set w3svc/logonmethod 2

To set the LogonMethod for a specific web site running on the server then
you will need to identify the ID of that web site through the metabase. You
can easily find this on the Windows 2003 server by opening up the
C:\Windows\system32\Inetsrv\metabase.xml file. Then run the following
command replacing 709041108 with the id number for your web application:

cscript.exe adsutil.vbs set w3svc/709041108/logonmethod 2


Option #3:
-----------------
Enable Sub-Authentication, so that you emulate the functionality of Windows
2000. This is the least secure option and not recommended. You can do this
by referencing the following link:

Anonymous Authentication:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sec_auth_anonauth.asp


**References**

Chapter 5 Managing a Secure IIS 6.0 Solution: (Attached to this SOX as well)
http://download.microsoft.com/download/7/4/f/74fe970d-4a7d-4034-9f5d-02572567e7f7/18_CHAPTER_5_Managing_a_Secure_IIS_6.0_Solution.doc

IIS6 LogonMethod Values:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/ref_mb_logonmethod.asp

IIS5 LogonMethod Values:
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/asp/apro1zms.htm

207671 HOW TO: Access Network Files from IIS Applications
http://support.microsoft.com/?id=207671


Good luck,
Yogita Manghnani
Microsoft Developer Support
Internet Information Server
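
Added example, not part of the original post or of Microsoft's scripts: a read-only VBScript audit that lists each site's metabase ID (the number needed in `w3svc/<id>/logonmethod`), its anonymous account and its effective LogonMethod, then classifies the outbound identity as the post describes it. It uses the IIS ADSI provider that adsutil.vbs itself relies on; the function names and the local-account heuristic are assumptions of this example.

```vbscript
' Added example: audit the anonymous account and effective LogonMethod of
' every web site on the local IIS 6 server. Nothing is written to the metabase.
' Run on the web server as an administrator with: cscript.exe //nologo <file>.vbs
Option Explicit

' Symbolic names for the LogonMethod values (2 is the value used in the post).
Function LogonMethodName(v)
    Select Case v
        Case 0
            LogonMethodName = "MD_LOGON_INTERACTIVE"
        Case 1
            LogonMethodName = "MD_LOGON_BATCH"
        Case 2
            LogonMethodName = "MD_LOGON_NETWORK"
        Case 3
            LogonMethodName = "MD_LOGON_NETWORK_CLEARTEXT"
        Case Else
            LogonMethodName = "unknown"
    End Select
End Function

' Heuristic (assumption): an account with no DOMAIN\ prefix, or prefixed with
' this machine's own name, is local and unknown to the back-end server.
Function IsLocalAccount(userName, computerName)
    Dim pos
    pos = InStr(userName, "\")
    If pos = 0 Then
        IsLocalAccount = True
    Else
        IsLocalAccount = (StrComp(Left(userName, pos - 1), computerName, vbTextCompare) = 0)
    End If
End Function

' Classify a site using only the cases the post walks through.
Function Assess(anonEnabled, userName, method, computerName)
    If Not anonEnabled Then
        Assess = "anonymous access is disabled"
    ElseIf method = 2 Then
        Assess = "remote calls go out as NT AUTHORITY\ANONYMOUS (Option #2)"
    ElseIf method = 3 And IsLocalAccount(userName, computerName) Then
        Assess = "remote calls go out as a local account the back end cannot authenticate"
    ElseIf method = 3 Then
        Assess = "remote calls go out as " & userName & " (Option #1)"
    Else
        Assess = "value not covered by the post"
    End If
End Function

Dim w3svc, site, root, computerName
computerName = CreateObject("WScript.Network").ComputerName
Set w3svc = GetObject("IIS://localhost/W3SVC")

For Each site In w3svc
    ' W3SVC also holds Info, Filters and AppPools nodes; keep only the sites.
    If site.Class = "IIsWebServer" Then
        ' The site root reports inherited values, so this is the effective
        ' setting. Sub-directories can still override it and are not checked.
        Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/Root")
        WScript.Echo "w3svc/" & site.Name & "  " & site.ServerComment
        WScript.Echo "  AnonymousUserName: " & root.AnonymousUserName
        WScript.Echo "  LogonMethod:       " & root.LogonMethod & _
                     " (" & LogonMethodName(root.LogonMethod) & ")"
        WScript.Echo "  Assessment:        " & Assess(root.AuthAnonymous, _
                     root.AnonymousUserName, root.LogonMethod, computerName)
    End If
Next
```

Running it before and after a change shows which sites were actually affected, which matters because `w3svc/logonmethod` applies to every site that does not set its own value.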


Re: IIS 6 CreateObject permissions issue

on 31.03.2005 14:53:03 by Cicero Galdino

Hi Yogita,
After upgrading my web server machine to Windows 2003, I tried options #1
and #2 but my application didn't work. On my web server machine, the
application works, but if I try to access it from another machine the error ASP
Error 0178 (80007005) occurs. My application was created as a virtual directory
and uses a DCOM component that is installed on the same machine as the web
server. In DCOM config, I tried all options on the Identity tab and Security tab
but the error remains. In IIS, I configured the application to use a domain
user in the Authentication and access control section but the error also remains.
I ran the command cscript.exe adsutil.vbs set w3svc/logonmethod 2 and
configured an iusr_machinename in the Authentication and access control section
but the problem was not resolved. Can you help me?

Regards,
Cícero Galdino.