Problem with IIS and MS07-045 update

Greetings;

We installed the latest round of patches last week, and on our dev web
server found that after install we were receiving an error when trying to
access the site. The error was "Server object error 'ASP 0115 : 8000ffff'"
on a specific line of the script running for the page requested.

The application in question is an Classic ASP application that calls a .Net
dll for backend processing. The line that causes the error is always a line
containing a Server.CreateObject call to our dll.

I'm asking here instead of in an ASP or .Net programming forum because I
don't believe the issue is related to the code that's running - identical
code runs successfully on our production server without the above referenced
update (all other updates in the patches from last week have been applied),
and when we rolled back the patches we installed last week one at a time to
troubleshoot this issue, the code stared to run successfully again
immediately after we uninstalled MS07-045, but did not run until that update
was uninstalled.

I know that some folks are having issues with this update and IE
connectivity, but this problem exhibits itself when connections are made from
both patched and unpatched client systems, and is shown in at least Firefox
and IE7 - the only difference seems to be the patch state of the web server.

Thanks in advance.

--
Thanks;
cori

RE: Problem with IIS and MS07-045 update

Hi Cori,

Does the ASP page include some special ActiveX?

MS07-045 is Cumulative Security Update for Internet Explorer. It only
contains 3 updates: one for CSS and the other are for ActiveX
vulnerabilities. So if there is indeed ActiveX involved, I suspect the root
cause of the problem is on some parameters gathered by client side ActiveX
that leads the Server.CreateObject call fails.

Regardless if the MS07-045 patch is installed on the IIS server. Please
test accessing the problematic web application from clients with and
without MS07-045. If IE without MS07-045 works, we can then narrow down the
problem is on client side.

Look forward to your result.

Have a nice day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

RE: Problem with IIS and MS07-045 update

We are not using any ActiveX components in the dll itself, but when we deploy
the dll to the webserver (and if there are new objects or interfaces exposed
by the dll) we register it on the server using regasm.exe, which allows the
classic ASP pages to use the dll as though it is a COM object. Perhaps that
might be the source of our problem. If so, what solutions are available for
us to patch the server without this problem?

We have already tested this from both patched and unpatched systems running
IE 7 and Firefox; when the server is patched the site is broken no matter
what the state of the client.

--
Thanks;
cori


""WenJun Zhang[msft]"" wrote:

> Hi Cori,
>
> Does the ASP page include some special ActiveX?
>
> MS07-045 is Cumulative Security Update for Internet Explorer. It only
> contains 3 updates: one for CSS and the other are for ActiveX
> vulnerabilities. So if there is indeed ActiveX involved, I suspect the root
> cause of the problem is on some parameters gathered by client side ActiveX
> that leads the Server.CreateObject call fails.
>
> Regardless if the MS07-045 patch is installed on the IIS server. Please
> test accessing the problematic web application from clients with and
> without MS07-045. If IE without MS07-045 works, we can then narrow down the
> problem is on client side.
>
> Look forward to your result.
>
> Have a nice day.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

RE: Problem with IIS and MS07-045 update

Hi Cori,

I need to perform some researching on this issue and discuss with our
internal IIS/ASP group folks to see if there was anybody else also
encountered the same problem with MS07-045.

If there is any findings or results, I will update here to let you know.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

RE: Problem with IIS and MS07-045 update

Thanks WenJun. If you're looking for other wictims, the fellow above (thread
http://msdn.microsoft.com/newsgroups/managed/default.aspx?dg =microsoft.public.inetserver.iis&mid=c708e1b9-0d67-4778-bc01 -1274d6c3ccc2)
seems to be having the same issue.

I look forward to hearing from you.
--
Thanks;
cori


""WenJun Zhang[msft]"" wrote:

> Hi Cori,
>
> I need to perform some researching on this issue and discuss with our
> internal IIS/ASP group folks to see if there was anybody else also
> encountered the same problem with MS07-045.
>
> If there is any findings or results, I will update here to let you know.
>
> Thanks.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

More instance of the same problem

Cori

We are seeing exactly this problem with the software product we sell. It is occuring on in-house and customer servers with this patch, although some servers with the patch seem OK.

Our ASP pages can't CreateObject on a DLL/COM object rewritten in VB.Net unless the IIS session has logged on as administrator. It is just as you describe.

Oddly, some copies of the DLL with different name/CLSID of the DLL work will, but then again some seem to develop the same problem after a while, as though some knowledge of the DLL is being saved somewhere.

Since we have about 150 server running this software it is going to cause us a lot of fun! Uninstalling fixes the problem, but its not exactly idea.

Microsoft, please tell us what is happening here? I am hoping iit can be solved by a few config tweaks, but it looks a awefully like you have screwed-up big time.
MJT

EggHeadCafe - .NET Developer Portal of Choice
http://www.eggheadcafe.com

A server-side problem

I'll back this up again.
It is a server-side problem with IIS / ASP / COM. The issue is when the patch in installed on the server, and uninstalling the patch in the server fixes it.

I can get the same problem with different browsers.

The patch might say it is only fixing three unrelated things, but there seems to be some nasty side-effect in there.

This strongly believe MS need to pick this up in-house ASAP. It is a real and serious problem, and not one for third-party forums.

EggHeadCafe - .NET Developer Portal of Choice
http://www.eggheadcafe.com

RE: More instance of the same problem

Definitely sounds similar, mark. Our component in written in C#, but that's
probably not important for the purposes of this issue.

Do I understand you properly, that you're not seeing the problem when IIS is
running as a machine administrator? The Application pool running our web app
uses a machine admin identity, and we still saw the problem.

--
Thanks;
cori


"Mark Treveil" wrote:

> Cori
>
> We are seeing exactly this problem with the software product we sell. It is occuring on in-house and customer servers with this patch, although some servers with the patch seem OK.
>
> Our ASP pages can't CreateObject on a DLL/COM object rewritten in VB.Net unless the IIS session has logged on as administrator. It is just as you describe.
>
> Oddly, some copies of the DLL with different name/CLSID of the DLL work will, but then again some seem to develop the same problem after a while, as though some knowledge of the DLL is being saved somewhere.
>
> Since we have about 150 server running this software it is going to cause us a lot of fun! Uninstalling fixes the problem, but its not exactly idea.
>
> Microsoft, please tell us what is happening here? I am hoping iit can be solved by a few config tweaks, but it looks a awefully like you have screwed-up big time.
> MJT
>
> EggHeadCafe - .NET Developer Portal of Choice
> http://www.eggheadcafe.com
>

RE: More instance of the same problem

Cori,
Our experience is consistent with yours. Our application pool always runs
under an account with local admin rights. However, our default user account
for the web site uses a low-privilege account.
If I change this to an admin account, or logon to the IIS session (using
basic authentication) with an admin account then the problem goes away. This
is because the IIS session is (correctly) using the credentials of the
default user / logged on user when doing the createobject, not using the pool
account directly (which you can do with a RevertToSelf).

"cori" wrote:

> Definitely sounds similar, mark. Our component in written in C#, but that's
> probably not important for the purposes of this issue.
>
> Do I understand you properly, that you're not seeing the problem when IIS is
> running as a machine administrator? The Application pool running our web app
> uses a machine admin identity, and we still saw the problem.
>
> --
> Thanks;
> cori
>
>
> "Mark Treveil" wrote:
>
> > Cori
> >
> > We are seeing exactly this problem with the software product we sell. It is occuring on in-house and customer servers with this patch, although some servers with the patch seem OK.
> >
> > Our ASP pages can't CreateObject on a DLL/COM object rewritten in VB.Net unless the IIS session has logged on as administrator. It is just as you describe.
> >
> > Oddly, some copies of the DLL with different name/CLSID of the DLL work will, but then again some seem to develop the same problem after a while, as though some knowledge of the DLL is being saved somewhere.
> >
> > Since we have about 150 server running this software it is going to cause us a lot of fun! Uninstalling fixes the problem, but its not exactly idea.
> >
> > Microsoft, please tell us what is happening here? I am hoping iit can be solved by a few config tweaks, but it looks a awefully like you have screwed-up big time.
> > MJT
> >
> > EggHeadCafe - .NET Developer Portal of Choice
> > http://www.eggheadcafe.com
> >

RE: More instance of the same problem

"cori" wrote:

> Definitely sounds similar, mark. Our component in written in C#, but that's
> probably not important for the purposes of this issue.
>
> Do I understand you properly, that you're not seeing the problem when IIS is
> running as a machine administrator? The Application pool running our web app
> uses a machine admin identity, and we still saw the problem.
>
> --
> Thanks;
> cori
>
>
> "Mark Treveil" wrote:
>
> > Cori
> >
> > We are seeing exactly this problem with the software product we sell. It is occuring on in-house and customer servers with this patch, although some servers with the patch seem OK.
> >
> > Our ASP pages can't CreateObject on a DLL/COM object rewritten in VB.Net unless the IIS session has logged on as administrator. It is just as you describe.
> >
> > Oddly, some copies of the DLL with different name/CLSID of the DLL work will, but then again some seem to develop the same problem after a while, as though some knowledge of the DLL is being saved somewhere.
> >
> > Since we have about 150 server running this software it is going to cause us a lot of fun! Uninstalling fixes the problem, but its not exactly idea.
> >
> > Microsoft, please tell us what is happening here? I am hoping iit can be solved by a few config tweaks, but it looks a awefully like you have screwed-up big time.
> > MJT
> >
> > EggHeadCafe - .NET Developer Portal of Choice
> > http://www.eggheadcafe.com
> >

RE: More instance of the same problem

Dear Cori and Mark,

I'm still watiing for the response of our IIS group. Hopefully there will
be a known reference case which has worked out a solution of the problem.
If not, we may need to open a support incident to address the issue since
it's not like a specific and odd one.

Please wait for the message of mine.

Have a nice weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

RE: More instance of the same problem

WenJun
Thanks. I have a test server with this problem, so can gather further info
if anyone needs any. I can install and uninstall the windows update to
create and remove the problem at will.
Mark

""WenJun Zhang[msft]"" wrote:

> Dear Cori and Mark,
>
> I'm still watiing for the response of our IIS group. Hopefully there will
> be a known reference case which has worked out a solution of the problem.
> If not, we may need to open a support incident to address the issue since
> it's not like a specific and odd one.
>
> Please wait for the message of mine.
>
> Have a nice weekend.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

RE: More instance of the same problem

Mark & WenJun;
We don't have a server exhibiting the beahvior at the moment, but have a dev
server upon which we can create the issue as well, if multiple test cases are
valuable.
--
Thanks;
cori


"MJT" wrote:

> WenJun
> Thanks. I have a test server with this problem, so can gather further info
> if anyone needs any. I can install and uninstall the windows update to
> create and remove the problem at will.
> Mark
>
> ""WenJun Zhang[msft]"" wrote:
>
> > Dear Cori and Mark,
> >
> > I'm still watiing for the response of our IIS group. Hopefully there will
> > be a known reference case which has worked out a solution of the problem.
> > If not, we may need to open a support incident to address the issue since
> > it's not like a specific and odd one.
> >
> > Please wait for the message of mine.
> >
> > Have a nice weekend.
> >
> > Sincerely,
> >
> > WenJun Zhang
> >
> > Microsoft Online Community Support
> >
> > ==================================================
> >
> > Get notification to my posts through email? Please refer to:
> > http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> > ications.
> >
> > Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> > where an initial response from the community or a Microsoft Support
> > Engineer within 1 business day is acceptable. Please note that each follow
> > up response may take approximately 2 business days as the support
> > professional working with you may need further investigation to reach the
> > most efficient resolution. The offering is not appropriate for situations
> > that require urgent, real-time or phone-based interactions or complex
> > project analysis and dump analysis issues. Issues of this nature are best
> > handled working with a dedicated Microsoft Support Engineer by contacting
> > Microsoft Customer Support Services (CSS) at:
> >
> > http://msdn.microsoft.com/subscriptions/support/default.aspx .
> >
> > ==================================================
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >

RE: Problem with IIS and MS07-045 update

Hello, we are seeing the same server side problem after installation
MS07-045. Uninstalling MS07-045 results in the problem going away. This has
been confirmed on multiple IIS servers regardless of web browser or client
workstation operating system. (Windows or Mac OS X)

"cori" wrote:

> Greetings;
>
> We installed the latest round of patches last week, and on our dev web
> server found that after install we were receiving an error when trying to
> access the site. The error was "Server object error 'ASP 0115 : 8000ffff'"
> on a specific line of the script running for the page requested.
>
> The application in question is an Classic ASP application that calls a .Net
> dll for backend processing. The line that causes the error is always a line
> containing a Server.CreateObject call to our dll.
>
> I'm asking here instead of in an ASP or .Net programming forum because I
> don't believe the issue is related to the code that's running - identical
> code runs successfully on our production server without the above referenced
> update (all other updates in the patches from last week have been applied),
> and when we rolled back the patches we installed last week one at a time to
> troubleshoot this issue, the code stared to run successfully again
> immediately after we uninstalled MS07-045, but did not run until that update
> was uninstalled.
>
> I know that some folks are having issues with this update and IE
> connectivity, but this problem exhibits itself when connections are made from
> both patched and unpatched client systems, and is shown in at least Firefox
> and IE7 - the only difference seems to be the patch state of the web server.
>
> Thanks in advance.
>
> --
> Thanks;
> cori

RE: More instance of the same problem

Hi Cori and Mark,

Due to t he problem is calling .net managed Dll from ASP code, one of our
..net gurus stated a possible cause is with the version of the CLR that is
loaded into memory when the managed DLL is referenced. If the managed DLL
was written for 1.1, and the 2.0 CLR is loaded, it could adversely affect
its operation. There are some former cases where a seemingly unrelated
patch was installed and it affected the CLR version that loaded first.

A suggestion is that you may firsts determine the correct version of the
runtime that is should be loaded for the managed module. It might be as
simple as requesting a fake .aspx page on the machine where it's working
fine. If you request a non-existent .aspx page, ASP.NET will throw an
error and will show the version of the loaded CLR at the bottom of that
error. Compare the versions running on the working and non-working
machines to ensure they are the same. If they are not, then I think that's
your problem.

There are two possible fixes for this problem:

1) Write a w3wp.exe.config file that will load an
explicitly-determined version of the CLR (see KB 928607). Be aware that
this will force *all* applications running in IIS to load the same version
of the runtime, probably not a good thing.

2) Write some ASP code in the application_onstart method that loads an
ASP.net page on the same server, running in the same application pool, that
is running under the version of the CLR that you require. Since one
w3wp.exe can only load one version CLR runtime, this will work around the
problem. For example:

Add the following code to the global.asa file (not global.asax but
global.asa) in the parent classic asp application to force the loading of
the 1.1 CLR into the w3wp.exe before any classic asp page and/or com object
could have a chance to trigger the loading of the 2.0 CLR. Also place the
nested asp.net web application into the same application pool as the parent
asp application.




I look forward to your update.

Have a nice week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

RE: More instance of the same problem

I can confirm that when we see the problem with MS07-045 installed, IIS is
indeed loading .Net Framework 2.0.50727.

WenJun, your solutions seems a little byzantine for my liking, so I added
the following into web.config, before :








This seems to have resolved the issue for now on our dev server. We'll give
it a few days' development time and if it still seems stable we'll push the
change to Prod.

Thanks for your help.
--
Thanks;
cori


""WenJun Zhang[msft]"" wrote:

> Hi Cori and Mark,
>
> Due to t he problem is calling .net managed Dll from ASP code, one of our
> .net gurus stated a possible cause is with the version of the CLR that is
> loaded into memory when the managed DLL is referenced. If the managed DLL
> was written for 1.1, and the 2.0 CLR is loaded, it could adversely affect
> its operation. There are some former cases where a seemingly unrelated
> patch was installed and it affected the CLR version that loaded first.
>
> A suggestion is that you may firsts determine the correct version of the
> runtime that is should be loaded for the managed module. It might be as
> simple as requesting a fake .aspx page on the machine where it's working
> fine. If you request a non-existent .aspx page, ASP.NET will throw an
> error and will show the version of the loaded CLR at the bottom of that
> error. Compare the versions running on the working and non-working
> machines to ensure they are the same. If they are not, then I think that's
> your problem.
>
> There are two possible fixes for this problem:
>
> 1) Write a w3wp.exe.config file that will load an
> explicitly-determined version of the CLR (see KB 928607). Be aware that
> this will force *all* applications running in IIS to load the same version
> of the runtime, probably not a good thing.
>
> 2) Write some ASP code in the application_onstart method that loads an
> ASP.net page on the same server, running in the same application pool, that
> is running under the version of the CLR that you require. Since one
> w3wp.exe can only load one version CLR runtime, this will work around the
> problem. For example:
>
> Add the following code to the global.asa file (not global.asax but
> global.asa) in the parent classic asp application to force the loading of
> the 1.1 CLR into the w3wp.exe before any classic asp page and/or com object
> could have a chance to trigger the loading of the 2.0 CLR. Also place the
> nested asp.net web application into the same application pool as the parent
> asp application.
>
>
>
>
> I look forward to your update.
>
> Have a nice week.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

RE: More instance of the same problem

Actually, seems that my solution did not work as I had hoped - error is back.
I'll try another of the listed solutions later today.
--
Thanks;
cori


""WenJun Zhang[msft]"" wrote:

> Hi Cori and Mark,
>
> Due to t he problem is calling .net managed Dll from ASP code, one of our
> .net gurus stated a possible cause is with the version of the CLR that is
> loaded into memory when the managed DLL is referenced. If the managed DLL
> was written for 1.1, and the 2.0 CLR is loaded, it could adversely affect
> its operation. There are some former cases where a seemingly unrelated
> patch was installed and it affected the CLR version that loaded first.
>
> A suggestion is that you may firsts determine the correct version of the
> runtime that is should be loaded for the managed module. It might be as
> simple as requesting a fake .aspx page on the machine where it's working
> fine. If you request a non-existent .aspx page, ASP.NET will throw an
> error and will show the version of the loaded CLR at the bottom of that
> error. Compare the versions running on the working and non-working
> machines to ensure they are the same. If they are not, then I think that's
> your problem.
>
> There are two possible fixes for this problem:
>
> 1) Write a w3wp.exe.config file that will load an
> explicitly-determined version of the CLR (see KB 928607). Be aware that
> this will force *all* applications running in IIS to load the same version
> of the runtime, probably not a good thing.
>
> 2) Write some ASP code in the application_onstart method that loads an
> ASP.net page on the same server, running in the same application pool, that
> is running under the version of the CLR that you require. Since one
> w3wp.exe can only load one version CLR runtime, this will work around the
> problem. For example:
>
> Add the following code to the global.asa file (not global.asax but
> global.asa) in the parent classic asp application to force the loading of
> the 1.1 CLR into the w3wp.exe before any classic asp page and/or com object
> could have a chance to trigger the loading of the 2.0 CLR. Also place the
> nested asp.net web application into the same application pool as the parent
> asp application.
>
>
>
>
> I look forward to your update.
>
> Have a nice week.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

RE: More instance of the same problem

Hi Cori,

You may double-check if there are no ASP.net 2.0 applications(virtual
directories, sites) using the same application pool as well. A suggestion
of mine is you can create a new dedicated application pool with the same
setting and specify the ASP application to run in this new pool only. See
if the worker process will still load the incorrect CLR after the isolation
setting. The global.asa work around may also fail if the 2.0 CLR has
already been loaded before the pool instance receives any ASP requests.

I look forward to your test results.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

RE: More instance of the same problem

No joy, WenJun - changing to an App Pool with only that site running under
it, and that site specified to load .Net 1.1 (and all page types mapped to
the 1.1 Framework - we do have some native ASP.Net (1.1) pages on this site),
IIS Still loads the 2.0 Framework.
--
Thanks;
cori


""WenJun Zhang[msft]"" wrote:

> Hi Cori,
>
> You may double-check if there are no ASP.net 2.0 applications(virtual
> directories, sites) using the same application pool as well. A suggestion
> of mine is you can create a new dedicated application pool with the same
> setting and specify the ASP application to run in this new pool only. See
> if the worker process will still load the incorrect CLR after the isolation
> setting. The global.asa work around may also fail if the 2.0 CLR has
> already been loaded before the pool instance receives any ASP requests.
>
> I look forward to your test results.
>
> Thanks.
>
> Sincerely,
>
> WenJun Zhang
>
> Microsoft Online Community Support
>
> ==================================================
>
> Get notification to my posts through email? Please refer to:
> http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at:
>
> http://msdn.microsoft.com/subscriptions/support/default.aspx .
>
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

RE: Problem with IIS and MS07-045 update

I ran into this issue too and I've got a workaround. See
http://weblog.ikvm.net/PermaLink.aspx?guid=9bdc9af1-7f46-482 e-bd5a-aed5fe82a2f5

(sorry for the long URL).

To MSFT: Here's a stack trace that shows what's going wrong (this code is
running under the "Network Service" account but it is impersonating the
"Internet Guest Account", so the registry access fails:

(c50.4bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0296b238 ecx=00000002 edx=00002000 esi=00000278
edi=0296b238
eip=77e61fa4 esp=0296b208 ebp=0296b294 iopl=0 nv up ei ng nz ac pe
cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010297
kernel32!WaitForMultipleObjectsEx+0x87:
77e61fa4 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
es:0023:0296b238=00000000 ds:0023:00000278=????????
0:019> k 40
ChildEBP RetAddr
0296b294 77e62fbe kernel32!WaitForMultipleObjectsEx+0x87
0296b2b0 770e6ac7 kernel32!WaitForMultipleObjects+0x18
0296b2c8 770f11a0 SETUPAPI!BeginSynchronizedAccess+0x14
0296b310 472c55a7 SETUPAPI!SetupFindFirstLineW+0x20
0296b340 472cb55c ADVPACK!MySetupGetLineByIndex+0x22
0296b380 472cca68 ADVPACK!GetTranslatedLine+0x1bb
0296b6f8 472ccd27 ADVPACK!MyGetPlatformSection+0x139
0296bb30 472cd59b ADVPACK!GetInfInstallSectionName+0x60
0296bb54 472cd9fe ADVPACK!CommonInstallInit+0x66
0296c7cc 472ce98d ADVPACK!CoreInstall+0xa5
0296c7f4 472c6da0 ADVPACK!RunSetupCommandW+0xca
0296ce60 472c6f38 ADVPACK!ExecuteInfSection+0xcd
0296d094 472c703e ADVPACK!RegInstallW+0xc5
0296d0b4 46c1b365 ADVPACK!RegInstallA+0x43
0296d0d0 46c1b64e urlmon!CallRegInstall+0x3a
0296d6cc 46bde5e3 urlmon!ZonesDllInstall+0x12c
0296d704 46bba5e9 urlmon!CRegZoneContainer::SelfHeal+0xbf
0296d724 46bb9a66 urlmon!CRegZoneContainer::Attach+0x29
0296d760 46baabba urlmon!CUrlZoneManager::Initialize+0x7f
0296d778 46baaf75 urlmon!InternetCreateZoneManager+0x87
0296d790 46b94e29 urlmon!CSecurityManager::EnsureZoneManager+0x1a
0296d7b4 46b96f7a urlmon!CSecurityManager::MapUrlToZoneEx2Internal+0x10
0296d7dc 7a0f440b urlmon!CSecurityManager::MapUrlToZone+0xa6
0296d818 79edba59 mscorwks!PEFile::GetSecurityIdentity+0xa1
0296dc68 79edb8a9 mscorwks!AssemblySecurityDescriptor::GetZone+0x6e
0296dc7c 79edb9c8 mscorwks!SecurityDescriptor::CheckQuickCache+0x49
0296dcb0 79eadcc7
mscorwks!AssemblySecurityDescriptor::QuickIsFullyTrusted+0xb 7
0296dd84 79eadbe3 mscorwks!AssemblySecurityDescriptor::ResolveWorker+0x118
0296dd8c 79eadf2a mscorwks!AssemblySecurityDescriptor::Resolve+0xe
0296ddc0 79eadee4 mscorwks!SecurityPolicy::EarlyResolveThrowing+0x2e
0296de34 79eade7a mscorwks!Assembly::SetDomainAssembly+0x238
0296de44 79eade44 mscorwks!DomainAssembly::SetAssembly+0x21
0296df90 79ea8459 mscorwks!DomainAssembly::Allocate+0x1e9
0296df9c 79ea7f55 mscorwks!DomainFile::DoIncrementalLoad+0x63
0296e020 79ea7e4c mscorwks!AppDomain::TryIncrementalLoad+0x97
0296e070 79ead572 mscorwks!AppDomain::LoadDomainFile+0x19d
0296e0f0 79eaa624 mscorwks!AppDomain::LoadDomainAssembly+0x116
0296e3a4 79eaa408 mscorwks!LoadDomainAssemblyHelper+0xc2
0296e418 79f3a51c mscorwks!AssemblySpec::LoadDomainAssembly+0x168
0296e43c 79f2e01e mscorwks!AssemblySpec::LoadAssembly+0x1d
0296e6f4 79f2ddcb mscorwks!AppDomain::LoadAssemblyHelper+0x14a
0296e7e0 79f3b1ad mscorwks!AppDomain::LoadCOMClass+0x184
0296e808 79f2dbd2 mscorwks!GetTypeForCLSID+0x35
0296e8b0 79f2dd0b mscorwks!EEDllGetClassObject+0x2d6
0296e8ec 79f2dd8d mscorwks!InternalDllGetClassObject+0xd4
0296e928 79003f37 mscorwks!DllGetClassObjectInternal+0x5c
0296e970 776a9116 mscoree!DllGetClassObject+0x12e
0296e98c 776ad544 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x2d
0296e9a4 776ad12b
ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x 1f
0296e9d4 776a1b7f ole32!CClassCache::GetClassObject+0x3d
0296ea48 776a19b5 ole32!CServerContextActivator::GetClassObject+0xfd
0296ea80 776a1c4e ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3
0296eaa0 776a1bfa ole32!CApartmentActivator::GetClassObject+0x4d
0296eab8 776acb27 ole32!CProcessActivator::GCOCallback+0x2b
0296ead8 776acad8 ole32!CProcessActivator::AttemptActivation+0x2c
0296eb14 776a1ca1 ole32!CProcessActivator::ActivateByContext+0x4f
0296eb3c 776a19b5 ole32!CProcessActivator::GetClassObject+0x48
0296eb74 776a1925 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3
0296edbc 776a19b5 ole32!CClientContextActivator::GetClassObject+0x88
0296edf4 776a1a07 ole32!ActivationPropertiesIn::DelegateGetClassObject+0xf3
0296f5ac 776a187e ole32!ICoGetClassObject+0x3a5
0296f5dc 776a1841 ole32!CComActivator::DoGetClassObject+0xe0
0296f5fc 027308e9 ole32!CoGetClassObject+0x20
0296f69c 027307c0 vbscript!GetObjectFromProgID+0x1ab


"cori" wrote:

> Greetings;
>
> We installed the latest round of patches last week, and on our dev web
> server found that after install we were receiving an error when trying to
> access the site. The error was "Server object error 'ASP 0115 : 8000ffff'"
> on a specific line of the script running for the page requested.
>
> The application in question is an Classic ASP application that calls a .Net
> dll for backend processing. The line that causes the error is always a line
> containing a Server.CreateObject call to our dll.
>
> I'm asking here instead of in an ASP or .Net programming forum because I
> don't believe the issue is related to the code that's running - identical
> code runs successfully on our production server without the above referenced
> update (all other updates in the patches from last week have been applied),
> and when we rolled back the patches we installed last week one at a time to
> troubleshoot this issue, the code stared to run successfully again
> immediately after we uninstalled MS07-045, but did not run until that update
> was uninstalled.
>
> I know that some folks are having issues with this update and IE
> connectivity, but this problem exhibits itself when connections are made from
> both patched and unpatched client systems, and is shown in at least Firefox
> and IE7 - the only difference seems to be the patch state of the web server.
>
> Thanks in advance.
>
> --
> Thanks;
> cori

RE: More instance of the same problem

Hi Cori,

We may need to deeply diagnose into the problem to check what causes
w3wp.exe loads the 2.0 CLR. Could you please give me your real email
address for me to talk with your offline? You can send an email to me at:

wjzhang@online.microsoft.com (please remove online.)

I wait for your message.

Have a great weekend.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

It"s a fix!

Thanks massively guys. Changing the registry permissions seems to fix the problem for me too. Some clarification for others:

1) I think the SID specified is for the Network Service. If, like me, you are using different identity for your application pool, you will use the SID for that account.

2) I found I had to set the everyone:R permission on Zones, ZoneMap and Lockdown_Zones keys to make this work. If you are struggling, breaking out RegMon.exe and looking for the "Access Denied"s. I think you need to recycle the pool immediately before running the test though.



EggHeadCafe - .NET Developer Portal of Choice
http://www.eggheadcafe.com

RE: It"s a fix!...or not.

Sorry for my delay in testing - other things became a priority, of course
until patch day.

Nope, that didn't do it for us. Set Everyone Read perms on the Network
Service user, on the user that the app pool is running under, and looked at
regmon - a few access denied for the internet guest account on some HKCU
keys, including the zone keys. Set Everyone Read and Internet Guest Full
Control on all of these keys (the ones causing access denied errors) and
still no joy.

Perhaps these are 2 different problems - I'll work back up the thread and
try one of the more complicated resolutions next.
--
Thanks for the idea, though;
cori


"Mark Treveil" wrote:

> Thanks massively guys. Changing the registry permissions seems to fix the problem for me too. Some clarification for others:
>
> 1) I think the SID specified is for the Network Service. If, like me, you are using different identity for your application pool, you will use the SID for that account.
>
> 2) I found I had to set the everyone:R permission on Zones, ZoneMap and Lockdown_Zones keys to make this work. If you are struggling, breaking out RegMon.exe and looking for the "Access Denied"s. I think you need to recycle the pool immediately before running the test though.
>
>
>
> EggHeadCafe - .NET Developer Portal of Choice
> http://www.eggheadcafe.com
>

RE: It"s a fix!...or not.

FYI
https://blogs.msdn.com/sukeshak/archive/2007/09/18/installin g-ms07-045-c
umulative-security-update-for-internet-explorer-createobject -call-fails-
with-8000ffff.aspx

Sukesh Ashok Kumar
http://blogs.msdn.com/sukeshak/

*** Sent via Developersdex http://www.developersdex.com ***

RE: It"s a fix!...or not.

for those whose browsers don't habndle newlines in urls:
http://dwarfurl.com/eda4a
--
Thanks;
cori


"Sukesh Ashok Kumar" wrote:

> FYI
> https://blogs.msdn.com/sukeshak/archive/2007/09/18/installin g-ms07-045-c
> umulative-security-update-for-internet-explorer-createobject -call-fails-
> with-8000ffff.aspx
>
> Sukesh Ashok Kumar
> http://blogs.msdn.com/sukeshak/
>
> *** Sent via Developersdex http://www.developersdex.com ***
>