Re: IIS 6 CreateObject permissions issue
From: Yogita Manghnani [MSFT] (yonlinemanghn_at_online.microsoft.com)
Date: 11/13/04
Date: Fri, 12 Nov 2004 23:49:12 GMT
Hello All,
It looks like you are running into this issue because of a change in
Windows 2003 to enhance security. Here are the details on the issue (this
info will be published in a KB article pretty soon: Q885656).
**Symptoms**
You have a web application running on Windows 2003. This web application
calls a COM+ Application proxy to activate an object on a remote server. If
you have anonymous access enabled within IIS and the anonymous account is
set to run under the IUSR_SERVERNAME then you may get one of the
following two errors when trying to access the page.
Microsoft VBScript runtime error 800a0046
Permission denied: 'CreateObject'
/virtualdirectory/asppage.asp, line 2
------ OR -----------
ASP Error 0178 (80007005)
Server.CreateObject failed while checking permissions
This exact same design works on a Windows 2000 server environment.
**Analysis**
This problem occurs because of the new default value for LogonMethod
(MD_LOGON_METHOD) metabase property in Windows 2003. For IIS5 and Windows
2000, the default value for LogonMethod was MD_LOGON_INTERACTIVE (see
references below). For IIS6 and Windows 2003, the default value for
LogonMethod is MD_LOGON_NETWORK_CLEARTEXT (see references below). The
LogonMethod metabase property tells IIS how the anonymous user account
(IUSR_MachineName) will be passed off of the web server to another remote
server.
For IIS5/Win2000 when you have a web site that allows Anonymous Access and
the Anonymous account is configured to run under the IUSR_SERVERNAME
account, when an asp page makes a request to a COM+ application proxy, and
this proxy goes off to a remote server, the identity used is NT
AUTHORITY\ANONYMOUS. The remote server accepts this NT AUTHORITY\ANONYMOUS
account and maps the request to a local guest account giving that account
access to activate the COM+ Server object.
For IIS6/Win2003 when you have a web site that allows Anonymous Access and
the Anonymous account is configured to run under the IUSR_SERVERNAME
account, when an asp page makes a request to a COM+ application proxy, and
this proxy goes off to a remote server, the outbound credentials are left
as the configured anonymous account, meaning
WEBSERVERNAME\IUSR_WEBSERVERNAME. This account of course will not be
authenticated by the remote server and thus throws the permission denied
(800a0046) error.
**Solution**
You have three options to resolve this problem. The first one is the most
secure and is recommended over the other 2.
Option #1:
--------------------
Configure the IIS Anonymous account to be a domain account (or a local
admin account that has the same name and password on both machines)
instead of IUSR_SERVERNAME.
- Open up IIS
- Right-click on your web site and come down to properties
- Click on the "Directory Security" tab and then click the "Edit…" button in the "Authentication and access control" section
- Put a check in the "Enable anonymous access" checkbox
- Click the "Browse.." button and then enter in a domain user account and their password.
Note: this domain user account will need to have access to the Application Server in order for it to not run into any further Permissions problems.
Option #2:
------------------
Use the LogonMethod = MD_LOGON_NETWORK IIS metabase setting. You would
change this setting to be a value of 2 (MD_LOGON_NETWORK) at the
application level so that IIS6 will emulate the LogonMethod behavior of
Windows 2000. This will change the outbound credentials of the request to
be NT AUTHORITY\ANONYMOUS instead of SERVERNAME\IUSR_SERVERNAME.
To set the LogonMethod for the entire web server run this command from
the C:\Inetpub\AdminScripts directory
cscript.exe adsutil.vbs set w3svc/logonmethod 2
To set the LogonMethod for a specific web site running on the server then
you will need to identify the ID of that web site through the metabase. You
can easily find this on the Windows 2003 server by opening up the
C:\Windows\system32\Inetsrv\metabase.xml file. Then run the following
command replacing 709041108 with the id number for your web application:
cscript.exe adsutil.vbs set w3svc/709041108/logonmethod 2
Option #3:
-----------------
Enable Sub-Authentication, so that you emulate the functionality of Windows
2000. This is the least secure option and not recommended. You can do this
by referencing the following link:
Anonymous Authentication:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sec_auth_anonauth.asp
**References**
Chapter 5 Managing a Secure IIS 6.0 Solution: (Attached to this SOX as well)
http://download.microsoft.com/download/7/4/f/74fe970d-4a7d-4034-9f5d-02572567e7f7/18_CHAPTER_5_Managing_a_Secure_IIS_6.0_Solution.doc
IIS6 LogonMethod Values:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/ref_mb_logonmethod.asp
IIS5 LogonMethod Values:
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/asp/apro1zms.htm
207671 HOW TO: Access Network Files from IIS Applications
http://support.microsoft.com/?id=207671
Good luck,
Yogita Manghnani
Microsoft Developer Support
Internet Information Server
*********************************************************************
>>Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.<<
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.
*********************************************************************
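As an added example (not code from the post or from Microsoft), a Python audit of the metabase.xml file the post points to: it resolves each site's effective LogonMethod and anonymous account, inheriting from /LM/W3SVC when the site sets neither itself, flags the IUSR_ plus MD_LOGON_NETWORK_CLEARTEXT combination the post describes, and returns the per-site adsutil.vbs command from Option #2. The metabase fragment, site IDs and account names are constructed for the example; the numeric LogonMethod constants other than 2 are the IIS 6 values and are an assumption not stated in the post.

```python
# Audit an IIS 6 metabase.xml for the anonymous-account/LogonMethod combination
# the post describes. Added example; not from the post or from Microsoft.
import xml.etree.ElementTree as ET

# MD_LOGON_METHOD values: 2 is what Option #2 sets, 3 is the IIS 6 default.
LOGON_METHODS = {0: "MD_LOGON_INTERACTIVE", 1: "MD_LOGON_BATCH",
                 2: "MD_LOGON_NETWORK", 3: "MD_LOGON_NETWORK_CLEARTEXT"}

# Constructed fragment shaped like C:\Windows\system32\Inetsrv\metabase.xml;
# the site IDs, names and accounts are made up for this example.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEBSERVER" LogonMethod="3" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebServer Location="/LM/W3SVC/709041108" ServerComment="COM+ proxy app" LogonMethod="2" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet" AnonymousUserName="CORP\\svc_web" />
</MBProperty>
</configuration>"""

def audit_logon_method(metabase_xml):
    """One finding per IIsWebServer: ID, effective LogonMethod/account, risk flag, fix."""
    root = ET.fromstring(metabase_xml)
    nodes = {e.get("Location"): e for e in root.iter() if e.get("Location")}
    service = nodes.get("/LM/W3SVC")

    def effective(node, attr, default):
        # A property a site does not set itself is inherited from /LM/W3SVC.
        value = node.get(attr)
        if value is None and service is not None:
            value = service.get(attr)
        return default if value is None else value

    findings = []
    for location, node in nodes.items():
        if node.tag.rsplit("}", 1)[-1] != "IIsWebServer":  # tolerate xmlns
            continue
        site_id = location.rsplit("/", 1)[1]
        method = int(effective(node, "LogonMethod", "3"))
        account = effective(node, "AnonymousUserName", "")
        # The post's symptom: IUSR_ account plus NETWORK_CLEARTEXT cannot be
        # passed to the remote COM+ server; NETWORK (2) or a domain account can.
        at_risk = method == 3 and account.upper().startswith("IUSR_")
        findings.append({
            "site_id": site_id, "name": node.get("ServerComment", ""),
            "logon_method": LOGON_METHODS.get(method, str(method)),
            "anonymous_user": account, "at_risk": at_risk,
            "fix": "cscript.exe adsutil.vbs set w3svc/%s/logonmethod 2" % site_id,
        })
    return findings
```

Point it at a real metabase.xml (read the file and pass its text) to list every site ID, which is the lookup step the post asks for before running adsutil.vbs per site.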