You receive an error message when you try to access a Web page on a Windows Server 2003-based server that uses an application proxy to create a COM+ object on a remote server (889830)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Web Edition
Important This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

SYMPTOMS

You have a Microsoft Windows Server 2003-based computer that uses an application proxy to create a Microsoft COM+ object on a remote server. When you try to access a Web page that is hosted on this server, you may receive one of the following error messages:
Microsoft VBScript runtime error 800a0046 Permission denied: 'CreateObject' /VirtualDirectory/asppage.asp, line 2
ASP Error 0178 (80007005) Server.CreateObject failed while checking permissions
Note This behavior does not occur when the Web page is hosted on a Microsoft Windows 2000-based computer.

CAUSE

This issue occurs when the following conditions are true:
  • The anonymous access feature is enabled on the Windows Server 2003-based computer.
  • The anonymous access feature is configured to use the IUSR_ServerName user account.

    Note ServerName is the name of the Windows Server 2003-based computer.

RESOLUTION

To resolve this issue, use one of the following methods.

Important We recommend that you use method 1.

Method 1: Configure the anonymous account as a local user account with matching passwords or as a domain account

Follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand Web Sites, right-click the Web site that you want, and then click Properties.
  3. Click the Directory Security tab, and then click Edit under Authentication and access control.
  4. Click to select the Enable anonymous access check box, click Browse, and then type the local user account name or the domain user account name and the user account password that you want.

    Note The local user account name and the user account password must be the same on the Web server and on the COM+ server.
  5. Click OK three times, and then quit Internet Information Services (IIS) Manager.

Method 2: Change the LogonMethod IIS metabase setting

Change the LogonMethod IIS metabase setting so the Windows Server 2003 IIS service will behave the same as the Windows 2000-based IIS service.

Change the LogonMethod property for a specific Web site on the Windows Server 2003-based computer

To change the LogonMethod property for a specific Web site, follow these steps.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.
  1. Determine the Web site ID. To do this, follow these steps:
    1. Click Start, click Run, type notepad, and then click OK.
    2. On the File menu, click Open.
    3. In the Files of type list, click All Files.
    4. Locate the following folder:

      %windir%\System32\Inetsrv

    5. Click MetaBase.xml, and then click Open.
    6. On the Edit menu, click Find.
    7. Type iiswebserver, and then click Find Next.
    8. In the IISWebServer element, locate the ServerComment attribute. The value of the ServerComment attribute is the name of your Web site, For example, the name of your Web site may be Default Web Site.

      Note To find additional Web sites, click Find Next until you find the Web site that you want.
    9. In the IISWebServer element, locate the Location attribute. For example, the Location attribute may appear as the following:

      /LM/W3SVC/1

      In this example, the Web site ID is 1.
  2. At a command prompt, open the Drive:\Inetpub\AdminScripts folder, type the following command, and then press ENTER:

    cscript adsutil.vbs set w3svc/WebSiteID/logonmethod 2

    Note WebSiteID is the Web site ID that you found in step 1.i.

    The following response appears, indicating the new LogonMethod property value.

    logonmethod : (INTEGER) 2

  3. Close the command prompt, and then close Notepad.

Change the LogonMethod property for all Web sites on the Windows Server 2003-based computer

Follow these steps.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.
  1. At a command prompt, open the Drive:\Inetpub\AdminScripts folder, type the following command, and then press ENTER:

    cscript.exe adsutil.vbs set w3svc/logonmethod 2

    The following response appears, indicating the new LogonMethod property value.

    logonmethod : (INTEGER) 2

  2. Close the command prompt.

MORE INFORMATION

This issue occurs because of a change in the value for the Windows Server 2003 (IIS 6.0) LogonMethod metabase property. The LogonMethod property determines how IIS will pass the anonymous user account to a remote server. By default, Windows 2000 (IIS 5.0) uses an MD_LOGON_INTERACTIVE value for the type of the LogonMethod property. Conversely, Windows Server 2003 uses a default value of MD_LOGON_NETWORK_CLEARTEXT for the type of the LogonMethod method.

Windows Server 2003-based Web servers that enable anonymous access with the IUSR_ServerName account and then create a COM+ object on a remote server exhibit the following behavior:
  1. An active server page (.asp file) makes a request by using COM+ to an application proxy.
  2. The application proxy contacts the remote server for authentication.
  3. The identity that is used by the application proxy remains as ServerName\IUSR_ServerName.
  4. The ServerName\IUSR_ServerName cannot be used and the remote server denies access.
Windows 2000-based Web servers that enable anonymous access with the IUSR_ServerName account and then create a COM+ object on a remote server exhibit the following behavior:
  1. An .asp file makes a request by using COM+ to an application proxy.
  2. The application proxy contacts the remote server for authentication.
  3. The identity that is used by the application proxy is NT AUTHORITY\ANONYMOUS.
  4. The NT AUTHORITY\ANONYMOUS account maps to a local guest account. The local guest account can create the COM+ object on the remote server.
The following table illustrates the behavior for the LogonMethod property in Windows Server 2003:
Logon typeLogonMethod property valueLogon right that is requiredSecurity ID (SID)Access token outgoing credentials
Network with clear text3 -MD_LOGON_NETWORK_CLEARTEXTNetworkNT AUTHORITY\NETWORK_CLEARTEXTYes
Network2 -MD_LOGON_NETWORKNetworkNT AUTHORITY\NETWORKNo
Batch1 - MD_LOGON_BATCHBatchNT AUTHORITY\BATCHYes
Interactive0 -MD_LOGON_INTERACTIVEInteractiveNT AUTHORITY\INTERACTIVEYes

REFERENCES

For more information about the LogonMethod property, search for "LogonMethod" in Internet Information Services (IIS) Manager Help.

For more information, visit the following Microsoft Web sites:

Chapter 5 Managing a Secure IIS 6.0 Solution
http://download.microsoft.com/download/7/4/f/74fe970d-4a7d-4034-9f5d-02572567e7f7/18_CHAPTER_5_Managing_a_Secure_IIS_6.0_Solution.doc

LogonMethod (Windows Server 2003)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/ref_mb_logonmethod.asp IIS5

LogonMethod (Windows 2000)
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/asp/apro1zms.htm

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

207671 How to access network files from IIS applications

Modification Type:MajorLast Reviewed:6/21/2006
Keywords:kbtshoot kbprb KB889830 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.