Server2k3 with ASP script calling a com object, "Access is denied" error.

Server2k3 with ASP script calling a com object, "Access is denied" error.

am 30.01.2008 20:38:50 von nmaier

Hello,
I'm a C++ developer that could use some help with a Windows 2003 server
permissions problem for an ASP script running in IIS that calls a Com
object we developed. I apologize if this is in the wrong newsgroup.

This is the error message a webuser gets:

Server object error 'ASP 0178 : 80070005'
Server.CreateObject Access Error
/inc/connection.asp, line 34
The call to Server.CreateObject failed while checking permissions. Access
is denied to this object.

Some congifuration info:
The server is part of a domain, and all webusers are on the same
intranet. There are no internet users. The IIS website does not have
anonymous access enabled. Only "Integrated Windows authentication" can be
allowed. ASP scripts are running fine, besides when it makes calls to the
com object. Also created a perl test script that calls the com object
with the same permissions error. So the scripts are fine. Tried the same
setup on a windows 2000 server with the same error. So it doesn't seem to
be a Windows 2003 config problem. The com object is configured to use the
Identity of "This user:", and is set to a domain user. The security tab
has "Domain Users" specified in the "Launch and Activation Permissions"
and "Access Permissions". "The launching user" Identity option
successfully works, but unfortunately this isn't an option for us for
various security reasons. Worth mentioning is that if the webuser is the
same user specified in "This user" setting for the com object it works, so
it appears the com object has the needed permissions to access whichever
resources if it can get started.

I'm hoping my explanation makes sense, and I'm really hoping someone can
help me out. Thanks a ton in advance!

Nate

RE: Server2k3 with ASP script calling a com object, "Access is denied" error.

am 31.01.2008 08:31:40 von wjzhang

Hi Nate,

Have you also tried calling the component in a .vbs script file via
cscript? Will it return the same Access Denied error?

1. Open your web site(inetpub\wwwroot) directory's properties dialog. In
Security tab->Advanced->Auditing, add Everyone group and select all the
Failed events.

2. Go to administrative tools->Local Security Settings->Local
Policies->Audit Policy, enable all kinds of failure audits.

3. Then open event viewer, clear and save as current Security log. Browse
to the ASP page in IE to reproduce the error and then refresh security log
to check if there is any failure event appears.

Another approach we can have a try is using filemon to trace the I/O of IIS
worker process.

http://www.microsoft.com/technet/sysinternals/utilities/file mon.mspx

1) Launch filemon,stop capture and click filter on its toolbar. Remove *
and input w3wp.exe as the included string. (w3wp.exe is IIS worker process.)

2) Change font if necessary(need restart filemon).

3) Start capture.

4) Browse to the page to reproduce the access denied error.

5) Stop capture and save as the log.

You may be able to find some access denied errors in the log which point
out the root cause.

Please feel free send the security log and filemon.log to me. I will be
glad to help on reviewing them. My email is: wjzhang@online.microsoft.com
(please remove online.)

Have a nice day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/de fault.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx .

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.