Re: IIS 6 CreateObject permissions issue

After upgrading my web server machine to Windows 2003, I tried options #1 and #2, but my application didn't work. On the web server machine itself the application works, but if I try to access it from another machine the error ASP Error 0178 (80007005) occurs. My application was created as a virtual directory and uses a DCOM component that was installed on the same machine as the web server. In DCOM config, I tried all options in the Identity tab and the Security tab, but the error remains. In IIS, I configured the application to use a domain user in the "Authentication and access control" section, but the error also remains. I ran the command cscript.exe adsutil.vbs set w3svc/logonmethod 2 and configured an IUSR_machinename in the "Authentication and access control" section, but the problem was not resolved. Can you help me?

Regards,
Cícero Galdino

"Yogita Manghnani [MSFT]" wrote:

> Hello All,
> It looks like you are running into this issue because of a change in
> Windows 2003 to enhance security. Here are the details on the issue (this
> info will be published in a KB article pretty soon - Q885656).
>
> **Symptoms**
> You have a web application running on Windows 2003. This web application
> calls a COM+ Application proxy to activate an object on a remote server. If
> you have anonymous access enabled within IIS and the anonymous account is
> set to run under the IUSR_SERVERNAME, then you may get one of the
> following two errors when trying to access the page.
>
> Microsoft VBScript runtime error 800a0046
> Permission denied: 'CreateObject'
> /virtualdirectory/asppage.asp, line 2
>
> ------ OR -----------
>
> ASP Error 0178 (80007005)
> Server.CreateObject failed while checking permissions
>
> This exact same design works on a Windows 2000 server environment.
>
> **Analysis**
>
> This problem occurs because of the new default value for the LogonMethod
> (MD_LOGON_METHOD) metabase property in Windows 2003. For IIS5 and Windows
> 2000, the default value for LogonMethod was MD_LOGON_INTERACTIVE (see
> references below). For IIS6 and Windows 2003, the default value for
> LogonMethod is MD_LOGON_NETWORK_CLEARTEXT (see references below). The
> LogonMethod metabase property tells IIS how the anonymous user account
> (IUSR_MachineName) will be passed off of the web server to another remote
> server.
>
> For IIS5/Win2000, when you have a web site that allows Anonymous Access and
> the Anonymous account is configured to run under the IUSR_SERVERNAME
> account, when an ASP page makes a request to a COM+ application proxy and
> this proxy goes off to a remote server, the identity used is NT
> AUTHORITY\ANONYMOUS. The remote server accepts this NT AUTHORITY\ANONYMOUS
> account and maps the request to a local guest account, giving that account
> access to activate the COM+ Server object.
>
> For IIS6/Win2003, when you have a web site that allows Anonymous Access and
> the Anonymous account is configured to run under the IUSR_SERVERNAME
> account, when an ASP page makes a request to a COM+ application proxy and
> this proxy goes off to a remote server, the outbound credentials are left
> as the configured anonymous account, meaning
> WEBSERVERNAME\IUSR_WEBSERVERNAME. This account of course will not be
> authenticated by the remote server and thus throws the permission denied
> (800a0046) error.
>
> **Solution**
> You have three options to resolve this problem. The first one is the most
> secure and is recommended over the other 2.
>
> Option #1:
> --------------------
> Configure the IIS Anonymous account to be a domain account (or a local
> admin account that has the same name and password on both machines)
> instead of IUSR_SERVERNAME.
>
> - Open up IIS
> - Right-click on your web site and come down to Properties
> - Click on the "Directory Security" tab and then click the "Edit..."
>   button in the "Authentication and access control" section
> - Put a check in the "Enable anonymous access" checkbox
> - Click the "Browse..." button and then enter a domain user account
>   and its password.
>   Note: this domain user account will need to have access to the
>   Application Server in order for it not to run into any further
>   permissions problems.
>
> Option #2:
> ------------------
> Use the LogonMethod = MD_LOGON_NETWORK IIS metabase setting. You would
> change this setting to a value of 2 (MD_LOGON_NETWORK) at the
> application level so that IIS6 will emulate the LogonMethod behavior of
> Windows 2000. This will change the outbound credentials of the request to
> be NT AUTHORITY\ANONYMOUS instead of SERVERNAME\IUSR_SERVERNAME.
>
> To set the LogonMethod for the entire web server, run this command from
> the C:\Inetpub\AdminScripts directory:
>
> cscript.exe adsutil.vbs set w3svc/logonmethod 2
>
> To set the LogonMethod for a specific web site running on the server, you
> will need to identify the ID of that web site through the metabase. You
> can easily find this on the Windows 2003 server by opening up the
> C:\Windows\system32\Inetsrv\metabase.xml file. Then run the following
> command, replacing 709041108 with the id number for your web application:
>
> cscript.exe adsutil.vbs set w3svc/709041108/logonmethod 2
>
> Option #3:
> -----------------
> Enable Sub-Authentication, so that you emulate the functionality of Windows
> 2000. This is the least secure option and not recommended. You can do this
> by referencing the following link:
>
> Anonymous Authentication:
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sec_auth_anonauth.asp
>
> **References**
>
> Chapter 5 Managing a Secure IIS 6.0 Solution: (Attached to this SOX as well)
> http://download.microsoft.com/download/7/4/f/74fe970d-4a7d-4034-9f5d-02572567e7f7/18_CHAPTER_5_Managing_a_Secure_IIS_6.0_Solution.doc
>
> IIS6 LogonMethod Values:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/ref_mb_logonmethod.asp
>
> IIS5 LogonMethod Values:
> http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/asp/apro1zms.htm
>
> 207671 HOW TO: Access Network Files from IIS Applications
> http://support.microsoft.com/?id=207671
>
> Good luck,
> Yogita Manghnani
> Microsoft Developer Support
> Internet Information Server
>
> *********************************************************************
> >>Please do not send email directly to this alias. This is an online
> account name for newsgroup participation only.<<
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> You assume all risk for your use.
>
> © 2003 Microsoft Corporation. All rights reserved.
> *********************************************************************
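The quoted post tells you to open metabase.xml to find a site's ID and describes the risky combination (anonymous account IUSR_SERVERNAME plus the IIS6 default LogonMethod of MD_LOGON_NETWORK_CLEARTEXT). The following added example, which is not part of the thread or any Microsoft tool, audits a metabase.xml for exactly that combination per site and prints the site-scoped adsutil command from Option #2; it assumes the simplified element/attribute layout shown in the constructed sample (Location, ServerComment, AnonymousUserName, LogonMethod) and invented site IDs and account names.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an IIS 6 metabase.xml (real files carry
# many more attributes); site ids, names and accounts are invented for the demo.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProp>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB01" LogonMethod="3" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\\inetpub\\wwwroot" />
<IIsWebServer Location="/LM/W3SVC/709041108" ServerComment="COM Proxy App" />
<IIsWebVirtualDir Location="/LM/W3SVC/709041108/ROOT" LogonMethod="2" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AnonymousUserName="CORP\\svc_webanon" />
</MBProp>
</configuration>"""

# MD_LOGON_METHOD values from the IIS 6 metabase reference; 3 is the IIS6 default
LOGON_NAMES = {"0": "MD_LOGON_INTERACTIVE", "1": "MD_LOGON_BATCH",
               "2": "MD_LOGON_NETWORK", "3": "MD_LOGON_NETWORK_CLEARTEXT"}

def _effective(prop, chain):
    """Metabase properties inherit: the most specific node that sets them wins."""
    for node in chain:
        if node is not None and node.get(prop) is not None:
            return node.get(prop)
    return None

def audit_anonymous_logon(metabase_xml):
    """One finding per site: effective anonymous account and LogonMethod, flagged
    when the IUSR_ + NETWORK_CLEARTEXT combination from the post is in effect."""
    root = ET.fromstring(metabase_xml)
    by_loc = {e.get("Location"): e for e in root.iter() if e.get("Location")}
    findings = []
    for loc, node in by_loc.items():
        if node.tag.rsplit("}", 1)[-1] != "IIsWebServer":  # strip xmlns prefix
            continue
        site_id = loc.rsplit("/", 1)[-1]
        # ROOT vdir overrides the site node, which overrides the W3SVC service node
        chain = [by_loc.get(loc + "/ROOT"), node, by_loc.get("/LM/W3SVC")]
        user = _effective("AnonymousUserName", chain) or ""
        method = _effective("LogonMethod", chain) or "3"  # unset => IIS6 default
        at_risk = user.upper().startswith("IUSR_") and method == "3"
        findings.append({
            "site_id": site_id, "comment": node.get("ServerComment", ""),
            "anonymous_user": user, "logon_method": LOGON_NAMES.get(method, method),
            "at_risk": at_risk,  # Option #2 from the post, scoped to this site:
            "fix": "cscript.exe adsutil.vbs set w3svc/%s/logonmethod 2" % site_id
                   if at_risk else None,
        })
    return findings
```

Running audit_anonymous_logon on the sample flags only site 1, since site 709041108 already overrides LogonMethod to 2 at its ROOT and site 2 runs anonymous requests under a domain account (Option #1).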