Cannot access network resources in Application_OnEnd or Session_OnEnd Events (277329)



The information in this article applies to:

  • Microsoft Active Server Pages
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0

This article was previously published under Q277329

SYMPTOMS

When you try to access a network resource from the Application_OnEnd or Session_OnEnd event, the action may fail, and the event is terminated. In addition, you may receive an error in the Application Log of the Event Viewer or in the browser window itself. This error refers to a line of code in the Global.asa file.

For example, when you use the Scripting.FileSystemObject object to open a file, you may receive the following error message:

    Microsoft VBScript runtime (0x800A0046)
    Permission denied

When you connect to an Access database, you may receive the following error message:

    Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
    [Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file '(unknown)'. It is already opened exclusively by another user, or you need permission to view its data.

When you connect to a SQL Server database, you may receive the following error message:

    Microsoft OLE DB Provider for ODBC Drivers (0x80040E4D)
    [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

CAUSE

The Application_OnEnd and Session_OnEnd events do not run with the security context of the impersonated user, that is, the user that is determined by the Internet Information Server (IIS) authentication method (Anonymous, Basic, NT Integrated, and so on). Instead, these events run in the security context of the process itself.

For in-process or Low application protection applications, this is SYSTEM, the identity of the IIS service. Because the SYSTEM user ID is restricted to local computer access, access to network resources fails.

For isolated processes, Medium pooled, or High isolated applications, this is the identity of the Microsoft Transaction Server (MTS) or COM+ package. By default, this identity is IWAM_<computername>, which is an account that exists in the local NT user database. If the Web server is not running on a Domain controller (which it is usually not), this user ID cannot access resources other than those that are local to the Web server.
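
To confirm which account the event actually runs as, the following Global.asa records the account name and the outcome of a network file access made from Session_OnEnd. This is an added example, not code from the original article; the UNC path and the Application variable names are hypothetical.

```vbscript
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
' Global.asa (added example, not from the original article).
Sub Session_OnEnd
    ' Hypothetical network resource that the event tries to append to.
    Const LOG_PATH = "\\fileserver\share\sessions.log"
    Const ForAppending = 8
    Dim net, fso, f, account, result

    On Error Resume Next

    ' WScript.Network.UserName reports the account of the calling thread.
    ' Session_OnEnd is not impersonated, so this is the process identity
    ' (SYSTEM, or the MTS/COM+ package identity such as IWAM_<computername>).
    Set net = CreateObject("WScript.Network")
    account = net.UserName

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(LOG_PATH, ForAppending, True)
    If Err.Number = 0 Then
        f.WriteLine Now & " session " & Session.SessionID & " ended"
        f.Close
        result = "ok"
    Else
        ' VBScript error 70 (Permission denied) is the error that ASP
        ' reports as 0x800A0046.
        result = "error " & Err.Number & ": " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0

    ' Keep the findings in Application scope so that an ordinary .asp page
    ' can display them after the session has ended.
    Application.Lock
    Application("OnEndAccount") = account
    Application("OnEndResult") = result
    Application.Unlock
End Sub
</SCRIPT>
```

After a session times out or is abandoned, an .asp page in the same application can display Application("OnEndAccount") and Application("OnEndResult") to show the account in effect and whether the access succeeded.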

RESOLUTION

There are two ways to resolve this problem:
  • Set the ASP application to run as an MTS or COM+ package: for IIS 4.0, run it in a separate memory space; for IIS 5.0, set Application Protection to High (Isolated). Then, set the identity of that package to a user ID that can access the network resource. This moves the application out of the IIS process (inetinfo.exe) into either Mtx.exe (IIS 4.0) or Dllhost.exe (IIS 5.0) and changes the security context of the process to the MTS or COM+ identity.

    For information on how to set up an ASP application as an MTS or COM+ package, see the "More Information" section.
  • To change the security context, call the impersonation APIs. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    248187 How to impersonate a user from Active Server Pages

MORE INFORMATION

How to configure the Web application as a COM+ application and set the identity

IIS 5.0

  1. Open the Internet Services Manager: On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
  2. Right-click the Web application that you want to run as High (isolated), and then click Properties.
  3. On the Directory or Virtual Directory tab, set the Application Protection to High (Isolated), and then click OK.
  4. Open the Component Services console: On the Start menu, point to Programs, point to Administrative Tools, and then click Component Services.
  5. Click to expand the Component Services, Computers, My Computer, and COM+ Applications folders. Locate the COM+ application for your Web application (for example, IIS-Default Web Site//Root/AppName).
  6. Right-click the COM+ application, and then click Properties.
  7. On the Identity tab, click This User. Type a domain\user ID and password with the appropriate domain access to your network resource, and then click OK.
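
The IIS 5.0 steps above can also be scripted through the ADSI IIS provider and the COM+ administration catalog. This is an added example, not part of the original article; the metabase path, the application name fragment, and the account name are assumptions to replace with your own values.

```vbscript
' set-webapp-identity.vbs (added example, not from the original article).
' Run as an administrator: cscript //nologo set-webapp-identity.vbs
Option Explicit
Const VDIR_PATH = "IIS://localhost/W3SVC/1/Root/AppName"  ' assumed metabase path
Const APP_KEY   = "Default Web Site//Root/AppName"         ' from the article's example name
Const RUN_AS    = "EXAMPLE\svc-webapp"                     ' hypothetical domain account

Dim vdir, cat, apps, app, target, pwd

' Steps 1-3: set Application Protection to High (Isolated).
' AppIsolated: 0 = Low (in-process), 1 = High (isolated), 2 = Medium (pooled).
Set vdir = GetObject(VDIR_PATH)
If vdir.AppIsolated <> 1 Then
    vdir.AppCreate2 1
    WScript.Echo "Application protection set to High (Isolated)"
End If

' Steps 4-5: locate the COM+ application that IIS created for the Web application.
Set cat = CreateObject("COMAdmin.COMAdminCatalog")
Set apps = cat.GetCollection("Applications")
apps.Populate
Set target = Nothing
For Each app In apps
    If InStr(1, app.Name, APP_KEY, vbTextCompare) > 0 Then Set target = app
Next
If target Is Nothing Then
    WScript.Echo "No COM+ application found for " & APP_KEY
    WScript.Quit 1
End If

' Steps 6-7: set the identity. The password is read from standard input so
' that it is not stored in the script; give the account only the access that
' the OnEnd code needs on the network resource.
WScript.StdOut.Write "Password for " & RUN_AS & ": "
pwd = WScript.StdIn.ReadLine
WScript.Echo target.Name & ": " & target.Value("Identity") & " -> " & RUN_AS
target.Value("Identity") = RUN_AS
target.Value("Password") = pwd
apps.SaveChanges

' Stop the running instance so that the next request starts Dllhost.exe
' under the new identity.
cat.ShutdownApplication target.Name
```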

IIS 4.0

  1. Open the Internet Services Manager: On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Services Manager.
  2. In the Internet Information Server folder, right-click the Web application that you want to run in a separate memory space, and then click Properties.
  3. On the Directory or Virtual Directory tab, select the Run in separate memory space (isolated process) check box, and then click OK.
  4. Open the Transaction Server Explorer: On the Start menu, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Transaction Server, and then click Transaction Server Explorer.
  5. Click to expand the Microsoft Transaction Server, Computers, My Computer, and Packages Installed folders. Locate the MTS Package for your Web application (for example, IIS-Default Web Site//Root/AppName).
  6. Right-click the MTS Package, and then click Properties.
  7. On the Identity tab, click This User. Type a domain\user ID and password with the appropriate domain access to your network resource, and then click OK.

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

248187 How to impersonate a user from Active Server Pages


Modification Type: Major
Last Reviewed: 6/27/2006
Keywords: kbprb kbSecurity KB277329