PRB: DCOM and ASP Error "A Security Package Specific Error Occurred" (201843)
The information in this article applies to:
- Microsoft Active Server Pages
This article was previously published under Q201843
SYMPTOMS
When you try to access a Distributed Component Object Model (DCOM) object from Active Server Pages (ASP) using NTLM authentication, one of the following errors occurs:
Server object error 'ASP 0177 : 80070721'
Server.CreateObject Failed
/<file>.asp, line ##
A security package specific error occurred.
80070721 RPC_S_SEC_PKG_ERROR "A security package specific error occurred."
CAUSE
Windows NT Challenge/Response (NTLM) authentication will not allow access to any network resources beyond the Microsoft Internet Information Server (IIS) computer. This is because NTLM authentication does not pass a user's credentials over the wire; rather it only passes a security token that is created at the time the user is authenticated on the network.
This means that the user name and password are unavailable to IIS when it is challenged for access to a network resource, and IIS is unable to create and pass a user's security token over the network. Thus, access to network resources that require authentication will be denied.
However, if the browser (Microsoft Internet Explorer) is running on the same computer as the Internet Information Server, this error will not occur using NTLM because the user name and password credentials are available.
RESOLUTION
There are a few options available to work around this problem. The merits of each are described as follows:
- If you require that users be authenticated when accessing the component, you can use Basic Authentication to overcome this limitation.
- If you use Basic Authentication, users will be sending their network credentials in plain text over the network, potentially exposing the network to a security breach. If this is a concern for you, you can use Basic Authentication over Secure Sockets Layer (SSL).
- If you do not need to authenticate a user's access to the component, you can set the remote object to be executed under specific network credentials only.
How to Enable Basic Authentication
- Open the Microsoft Management Console (MMC) for Internet Service Manager.
- Open the properties sheet of the application root (or virtual directory) to which you want to apply the changes.
- On the Directory Security tab, click Edit under Anonymous Access and Authentication Control.
- In the Authentication Methods dialog box, make sure that Basic Authentication is the only option that is selected, and then apply the changes.
How to Enable Secure Sockets Layer
If you want to use Secure Sockets Layer (SSL) in conjunction with Basic Authentication, see the Windows NT 4.0 Option Pack documentation at the following path:
Microsoft Internet Information Server\Server Administration\Security\Authentication\Setting Up SSL on Your Server
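The following script is an added example, not part of the original article: it walks one web site's metabase through the ADSI IIS provider and reports every directory where Basic Authentication is enabled but SSL is not required, which is the plain-text credential exposure described under RESOLUTION. The site path IIS://localhost/W3SVC/1/Root is an assumption; the script is meant to be run with cscript.exe by an administrator on the IIS computer.

```vbscript
' Added example (not from the original article).
' Audits the authentication methods configured on a web site and flags
' nodes where Basic Authentication is allowed without requiring SSL.
Option Explicit

Const ROOT_PATH = "IIS://localhost/W3SVC/1/Root"   ' assumed site path

Dim findings
findings = 0

AuditNode GetObject(ROOT_PATH)
WScript.Echo findings & " node(s) allow Basic Authentication without requiring SSL."
If findings > 0 Then WScript.Quit 1   ' non-zero exit code for scheduled checks

Sub AuditNode(node)
    Dim child, methods
    methods = ""
    If CBool(node.AuthAnonymous) Then methods = methods & " Anonymous"
    If CBool(node.AuthBasic) Then methods = methods & " Basic"
    If CBool(node.AuthNTLM) Then methods = methods & " NTLM"

    If CBool(node.AuthBasic) And Not CBool(node.AccessSSL) Then
        ' Credentials would cross the network in plain text.
        findings = findings + 1
        WScript.Echo "[!] " & node.ADsPath & ":" & methods & " (SSL not required)"
    ElseIf CBool(node.AuthNTLM) Then
        ' Informational: users authenticated with NTLM cannot be passed on
        ' to a remote DCOM object (error 80070721 in this article).
        WScript.Echo "[i] " & node.ADsPath & ":" & methods & " (NTLM enabled)"
    End If

    ' Recurse into child virtual directories and directories only.
    For Each child In node
        Select Case child.Class
            Case "IIsWebVirtualDir", "IIsWebDirectory"
                AuditNode child
        End Select
    Next
End Sub
```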
How to Run the Component as a Specific User
For more information on running the component as a specific user (that is, setting the identity), see the following article in the Microsoft Knowledge Base:
176799 INFO: Using DCOM Config (DCOMCNFG.EXE) on Windows NT
STATUS
This behavior is by design.
REFERENCES
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
158229 INFO: Security Ramifications for IIS Applications
156223 HOWTO: Launching OLE Servers from ISAPI Extensions
Modification Type: Minor | Last Reviewed: 4/22/2003
Keywords: kbDCOM kberrmsg kbInetDev kbprb kbSecurity KB201843 kbAudDeveloper