Re: IIS 6 CreateObject premissions issue

From: Yogita Manghnani [MSFT] (yonlinemanghn_at_online.microsoft.com)
Date: 11/13/04
Date: Fri, 12 Nov 2004 23:49:12 GMT

Hello All,

It looks like you are running into this issue because of a change in Windows 2003 to enhance security. Here are the details on the issue (this info will be published in a KB article pretty soon - Q885656).

**Symptoms**

You have a web application running on Windows 2003. This web application calls a COM+ Application proxy to activate an object on a remote server. If you have anonymous access enabled within IIS and the anonymous account is set to run under the IUSR_SERVERNAME then you may get one of the following two errors when trying to access the page.

    Microsoft VBScript runtime error 800a0046
    Permission denied: 'CreateObject'
    /virtualdirectory/asppage.asp, line 2

------ OR ------

    ASP Error 0178 (80007005)
    Server.CreateObject failed while checking permissions

This exact same design works on a Windows 2000 server environment.

**Analysis**

This problem occurs because of the new default value for the LogonMethod (MD_LOGON_METHOD) metabase property in Windows 2003.

For IIS5 and Windows 2000, the default value for LogonMethod was MD_LOGON_INTERACTIVE (see references below).

For IIS6 and Windows 2003, the default value for LogonMethod is MD_LOGON_NETWORK_CLEARTEXT (see references below).

The LogonMethod metabase property tells IIS how the anonymous user account (IUSR_MachineName) will be passed off of the web server to another remote server.
For IIS5/Win2000 when you have a web site that allows Anonymous Access and the Anonymous account is configured to run under the IUSR_SERVERNAME account, when an asp page makes a request to a COM+ application proxy, and this proxy goes off to a remote server, the identity used is NT AUTHORITY\ANONYMOUS. The remote server accepts this NT AUTHORITY\ANONYMOUS account and maps the request to a local guest account giving that account access to activate the COM+ Server object.

For IIS6/Win2003 when you have a web site that allows Anonymous Access and the Anonymous account is configured to run under the IUSR_SERVERNAME account, when an asp page makes a request to a COM+ application proxy, and this proxy goes off to a remote server, the outbound credentials are left as the configured anonymous account, meaning WEBSERVERNAME\IUSR_WEBSERVERNAME. This account of course will not be authenticated by the remote server and thus throws the permission denied (800a0046) error.

**Solution**

You have three options to resolve this problem. The first one is the most secure and is recommended over the other 2.

Option #1:
-------------------
Configure the IIS Anonymous account to be a domain account (or a local admin account that has the same name and password on both machines) instead of IUSR_SERVERNAME

- Open up IIS
- Right-click on your web site and come down to properties
- Click on the "Directory Security" tab and then click the "Edit" button in the "Authentication and access control" section
- Put a check in the "Enable anonymous access" checkbox
- Click the "Browse.." button and then enter in a domain user account and their password.

Note: this domain user account will need to have access to the Application Server in order for it to not run into any further Permissions problems.

Option #2:
-----------------
Use the LogonMethod = MD_LOGON_NETWORK IIS metabase setting. You would change this setting to be a value of 2 (MD_LOGON_NETWORK) at the application level so that IIS6 will emulate the LogonMethod behavior of Windows 2000. This will change the outbound credentials of the request to be NT AUTHORITY\ANONYMOUS instead of SERVERNAME\IUSR_SERVERNAME

To set the LogonMethod for the entire web server run this command from the C:\Inetpub\AdminScripts directory

    cscript.exe adsutil.vbs set w3svc/logonmethod 2

To set the LogonMethod for a specific web site running on the server then you will need to identify the ID of that web site through the metabase. You can easily find this on the Windows 2003 server by opening up the C:\Windows\system32\Inetsrv\metabase.xml file. Then run the following command replacing 709041108 with the id number for your web application:

    cscript.exe adsutil.vbs set w3svc/709041108/logonmethod 2

Option #3:
----------------
Enable Sub-Authentication, so that you emulate the functionality of Windows 2000. This is the least secure option and not recommended.
You can do this by referencing the following link:

Anonymous Authentication:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sec_auth_anonauth.asp

**References**

Chapter 5 Managing a Secure IIS 6.0 Solution: (Attached to this SOX as well)
http://download.microsoft.com/download/7/4/f/74fe970d-4a7d-4034-9f5d-02572567e7f7/18_CHAPTER_5_Managing_a_Secure_IIS_6.0_Solution.doc

IIS6 LogonMethod Values:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/ref_mb_logonmethod.asp

IIS5 LogonMethod Values:
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/asp/apro1zms.htm

207671 HOW TO: Access Network Files from IIS Applications
http://support.microsoft.com/?id=207671

Good luck,

Yogita Manghnani
Microsoft Developer Support
Internet Information Server

*********************************************************************
>>Please do not send email directly to this alias. This is an online account name for newsgroup participation only.<<

This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use. 2003 Microsoft Corporation. All rights reserved.
*********************************************************************
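Added example (not part of the original post and not Microsoft tooling): an offline audit of a metabase.xml copy that lists each web site ID, as Option #2 requires, and the LogonMethod it effectively inherits, so sites switched to the Windows 2000 behaviour (value 2) stand out. The sample XML, its attribute layout and the numeric LogonMethod serialisation are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of metabase.xml; the layout and the numeric
# LogonMethod values are assumptions, not copied from a real server.
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC" LogonMethod="3"/>
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"/>
    <IIsWebServer Location="/LM/W3SVC/709041108" ServerComment="Orders"
                  LogonMethod="2"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/709041108/ROOT"/>
  </MBProperty>
</configuration>"""

# 2 and the two default names come from the post; 0 and 3 are the documented values.
NAMES = {"0": "MD_LOGON_INTERACTIVE", "2": "MD_LOGON_NETWORK",
         "3": "MD_LOGON_NETWORK_CLEARTEXT"}

def load_nodes(xml_text):
    """Map lower-cased metabase path -> (element name, attributes)."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.attrib.get("Location")
        if loc:
            kind = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
            nodes[loc.lower().rstrip("/")] = (kind, dict(el.attrib))
    return nodes

def effective_logon_method(nodes, path):
    """Walk up the path until a key sets LogonMethod (metabase inheritance)."""
    path = path.lower().rstrip("/")
    while path:
        attrs = nodes.get(path, (None, {}))[1]
        if "LogonMethod" in attrs:
            return attrs["LogonMethod"], path
        path = path.rsplit("/", 1)[0]
    return None, None

def audit_sites(xml_text):
    """One row per web site: ID, comment, effective LogonMethod and its source."""
    nodes, report = load_nodes(xml_text), []
    for path, (kind, attrs) in sorted(nodes.items()):
        if kind == "IIsWebServer":
            value, source = effective_logon_method(nodes, path)
            report.append({"id": path.rsplit("/", 1)[1],
                           "comment": attrs.get("ServerComment", ""),
                           "logon_method": NAMES.get(value, value),
                           "set_at": source,
                           "win2000_behaviour": value == "2"})
    return report

if __name__ == "__main__":
    for row in audit_sites(SAMPLE):
        print(row)
```

Rows with win2000_behaviour set to True are sites whose outbound identity is NT AUTHORITY\ANONYMOUS, as described under Option #2.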
