You may receive an error message when you try to start a CGI program that is hosted on IIS 6 (904056)



The information in this article applies to:

  • Microsoft Internet Information Services version 6.0

Important This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

SYMPTOMS

When you try to start a Common Gateway Interface (CGI) program that is hosted on Microsoft Internet Information Services (IIS) 6, you may receive an error message that is similar to one of the following:

  • The configured user for the current application pool does not have enough privileges to run CGIs
  • Http 403-Forbidden: Access is denied

Note You receive the error message even though the application pool security account is a member of the IIS_WPG group.

CAUSE

This problem may occur if the application pool security account does not have the "Adjust memory quotas for a process" user right or the "Replace a process level token" user right.

RESOLUTION

To resolve this problem, use one of the following methods.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

Method 1: Set the CreateProcessAsUser metabase setting to false

To set the CreateProcessAsUser metabase setting to false, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type cd drive:\Inetpub\adminscripts, and then press Enter.

    Note In this step, drive is the hard disk where the Inetpub folder is located.
  3. At the command prompt, type Cscript.exe Adsutil.vbs SET W3Svc/CreateProcessAsUser false, and then press Enter.

Method 2: Grant the required user right to the application pool security account

To resolve this problem, grant the required user right to the application pool security account. To do this, use one of the following methods.

Method 2a: Use the Domain Controller Security Policy tool

If the computer is a domain controller, follow these steps:
  1. Start the Domain Controller Security Policy tool.

    For more information about how to start the Domain Controller Security Policy tool, click the following article number to view the article in the Microsoft Knowledge Base:

    832214 "You may not have appropriate rights" error message when you try to open the Domain Security Policy console or the Domain Controller Security Policy console from the command prompt

  2. In the left pane, expand Local Policies, and then click User Rights Assignment.
  3. In the right pane, double-click the policy that you want.
  4. Click Add User or Group.
  5. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.

    Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
  6. Click OK two times.
  7. Exit the Domain Controller Security Policy tool.

Method 2b: Use the Group Policy Object Editor

If the computer is a member of a domain, follow these steps:
  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Under Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Local Policies.
  3. In the left pane, click User Rights Assignment.
  4. In the right pane, double-click the policy that you want.
  5. Click Add User or Group.
  6. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.

    Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
  7. Click OK two times.
  8. Exit the Group Policy Object Editor.

Method 2c: Use the Local Security Settings tool

If the computer is not a member of a domain, follow these steps:
  1. Click Start, click Run, type secpol.msc, and then click OK.
  2. Under Security Settings, expand Local Policies.
  3. Click User Rights Assignment.
  4. In the right pane, double-click the policy that you want.
  5. Click Add User or Group.
  6. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.

    Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
  7. Click OK two times.
  8. Exit the Local Security Settings tool.

STATUS

This behavior is by design.

MORE INFORMATION

In IIS 6, the authenticated user account is used to start CGI programs. If the Web site accepts anonymous users, CGI programs run by using the anonymous user account instead of the security account for the application pool. If the CreateProcessAsUser metabase property is set to false, the application pool security account is used to start the CGI program.

The default security account for an application pool is the Network Service security account. The Network Service security account has the "Adjust memory quotas for a process" user right or the "Replace a process level token" user right. Additionally, the IWAM account for the computer and the Local Service accounts also have these user rights. If you change the application pool security account, the CGI program may not work as expected. For example, if you add a user to the IIS_WPG group, and this user does not have the "Adjust memory quotas for a process" user right or the "Replace a process level token" user right, the CGI program may not work as expected.
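
To check the condition described in CAUSE before or after applying Method 2, the following PowerShell script (an added example, not part of the original article) exports the user rights assignments with secedit and lists who holds each of the two rights. It assumes that PowerShell is installed and that it is run from an administrative prompt; CONTOSO\svc-apppool is a placeholder account name, and SeIncreaseQuotaPrivilege and SeAssignPrimaryTokenPrivilege are the constant names under which the export lists the two policies.

```powershell
# Added example (not from the original article). Run from an administrative prompt.
param([string]$Account = 'CONTOSO\svc-apppool')  # placeholder: your application pool account

# Constant name in the secedit export -> policy name shown under User Rights Assignment
$rights = @{
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

function Resolve-Holder([string]$Entry) {
    # Export entries are "*<SID>" or, where no SID was stored, a plain account name
    $e = $Entry.Trim(); $sid = $null; $name = $e
    try {
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
        } else {
            $sid = (New-Object System.Security.Principal.NTAccount($e)).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        }
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }  # unresolvable entries are reported exactly as exported
    New-Object PSObject -Property @{ Sid = "$sid"; Name = $name }
}

# Export only the user rights area of the computer's security settings
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
$lines = Get-Content $inf
Remove-Item $inf

$target = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value

foreach ($right in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-Holder $_ })
    }
    $direct = @($holders | Where-Object { $_.Sid -eq $target }).Count -gt 0
    Write-Output ("{0} ({1})" -f $rights[$right], $right)
    Write-Output ("  holders: " + (($holders | ForEach-Object { $_.Name }) -join ', '))
    Write-Output ("  assigned directly to {0}: {1}" -f $Account, $direct)
}
# A right can also reach the account through a group that appears in the holders list.
```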

Modification Type: Major
Last Reviewed: 8/16/2005
Keywords:kbpermissions kbtshoot kbprb KB904056 kbAudDeveloper kbAudITPRO