ASP error 0178 (0x80070005) - COM permission problem

I have a COM object that my client needs to use from ASP pages.  The situation I have is:

1. The COM object runs fine under user account (e.g. from VB and Wsh)
2. The COM object runs fine from ASP if IIS anon account is a user account, such as local 'Administrator'.
3. The COM object runs fine from ASP on my developer environment, where IIS anon account is 'IUSR_machinename'.
4. The COM object fails to launch from ASP on my client's production (where IIS anon account is 'IUSR_machinename'), with ASP error 0178 (Server.CreateObject failed, permission denied).  The COM dll resides on his server locally, i.e. no DCOM.

Basically I want to know what exactly I'm supposed to do to make the COM object work on that production machine.  Here are the steps I've already taken:

1. I've set the security permission for the folder where the asp resides to 'readable' by 'everyone'.
2. I've set the security permission for the folder where the COM dll resides to 'readable' by 'everyone'.
3. I've set the IIS directory security to readable and selected 'scripts and executables'.
4. In dcomcnfg, I've added IUSR_.. and IWAM_.. to default access (allowed).
5. In dcomcnfg, I've added IUSR_.. and IWAM_.. to default launch permissions (allow launch).

.. But I couldn't make it work on his IIS.  Even worse, even when I tried to 'reverse' the procedure on my develop machine to reproduce the problem, I couldn't make it *not* work. (The dcomcnfg stuff should be irrelevant anyway since it's COM and not DCOM.) After researching on the web, it seems like there's a way to set 'execute' permission or something for COM objects on IIS, but I can't find where/how to do it.  Any suggestions?

Try setting the permissions for the iusr_machineName on the production machine component.  I don't think that the IUSR account is part of the everyone group.
Better yet, create a package in MTS or COM component manager.  You can then assign any user account to be used when running the component.
Maybe your COM object is trying to load a DLL that resides in another directory to which you do not have permission, such as MFC42.Dll etc.

In order to change the directory permission to execute,
open the Internet Service Manager, select your directory, open its properties window, and then choose execute. (I don't think it will help you though.)
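
An added example, not part of the original thread: a PowerShell check that follows the component's registration from ProgID to CLSID to the DLL path and lists the ACLs on each registry key, the DLL and its folder, so the entries for the IIS anonymous account can be compared between a working and a failing machine. The ProgID is a placeholder, and the script assumes an in-process (`InprocServer32`) registration; DLLs the component loads itself are not covered.

```powershell
# Added example. $ProgId is a hypothetical placeholder: use the name passed to Server.CreateObject.
$ProgId = 'MyCompany.MyComponent'
$hkcr   = 'Registry::HKEY_CLASSES_ROOT'

# ProgID -> CLSID (default value of the CLSID subkey)
$clsid = (Get-Item -LiteralPath "$hkcr\$ProgId\CLSID" -ErrorAction Stop).GetValue('')

# A 32-bit DLL on 64-bit Windows is registered under Wow6432Node, so try both views.
$clsidKey = "$hkcr\CLSID\$clsid", "$hkcr\Wow6432Node\CLSID\$clsid" |
    Where-Object { Test-Path -LiteralPath "$_\InprocServer32" } |
    Select-Object -First 1
if (-not $clsidKey) { throw "No InprocServer32 registration found for $ProgId ($clsid)" }

# CLSID -> DLL path (default value of InprocServer32)
$dll = (Get-Item -LiteralPath "$clsidKey\InprocServer32").GetValue('').Trim('"')
if (-not (Test-Path -LiteralPath $dll)) { throw "Registered DLL not found: $dll" }

# Every object the calling account must be able to read to create the component.
$targets = "$hkcr\$ProgId", $clsidKey, "$clsidKey\InprocServer32",
           (Split-Path -Path $dll -Parent), $dll

foreach ($t in $targets) {
    "== $t"
    (Get-Acl -LiteralPath $t).Access |
        Sort-Object AccessControlType -Descending |      # Deny entries first
        Format-Table IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Rights'
               Expression = { if ($_.RegistryRights) { $_.RegistryRights }
                              else { $_.FileSystemRights } } } -AutoSize |
        Out-String
}
```

Run it from an elevated prompt on both machines and compare the output: a Deny entry, or no Allow entry that applies to `IUSR_machinename` or a group it belongs to, on any listed object is a candidate for the permission-denied error.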

Michel Sakr Commented:
as sain include the dll in a com+/mts package and assign an admin account to run the package..
Michel Sakr Commented:
as sain= as said
ttsuchi (Author) Commented:
Thanks for the comments everyone. After I was looking at the configuration for the developer instance of IIS, I noticed that I was using 'Integrated Windows Authentication'..  Since I was testing everything from the IE browser on the same computer, I suspect that's why it still worked even after I denied read & exec priv on the dll for the IUSR_machine acct.  After I turned off Windows Auth, the ASP on the develop machine failed as expected. It still doesn't explain why it doesn't work on the production tho.  Since my clients use Windows Auth mode, maybe I have to make the dll readable by the domain users as well as IUSR_machine account?
I do use "advapi32.dll" in the COM object for reading registry values, but I think it should have 'everyone' readable (and IUSR_machine acct belongs to 'everyone' too, doesn't it?) That will be one more thing I can check in the production machine though.
Also, pardon my ignorance but what is COM+/MTS packager?  Is it part of .NET sdk or Visual Studio 6, and if so, where can I find it?

Michel Sakr Commented:
look how to fix this:
MTS is Microsoft Transaction Server.. it's on IIS4, COM+ is MTS but on IIS5... read how to set your package in MTS/COM+

Start the Component the tree select computers.. applications...right click on it--> new -> application.. now in the wizard click next and select an empty application -> name your package  leave it in server process and click next -> Select the user and enter an account with enough rights to fulfill your com jobs (admin account for ex) -> Finish..

now in the tree expand the new package until you see the component directory-> right click it -> select new component-> in the wizard click next.. you can either install a new component if it's not registered or install a registered one if you already registered your dll (you select the 2nd choice) -> Select your component from the list (internal name displayed) -> Finish..

and voila..


Start MMC (Microsoft management console.. from IIS or MTS) -> Select in the tree Microsoft Transaction.. -> My computer ->right click packages installed -> new package -> click on create an empty package and name the package, next -> select this user and give an admin user for the package -> finish  , now we'll need to include your registered component in the package(dll).. Expand the newly created package in the tree and right click on components folder-> new component -> select import components that are already registered -> you'll get a list of registered components on that machine.. select your component to include by its class name -> Finish  note that your activex dll should be set to run unattended while compiling..

this should resolve your problems..
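
The COM+ steps above can also be scripted through the COM+ administration catalog (`COMAdmin.COMAdminCatalog`). This is an added example, not part of the original answer; the application name, ProgID and account name are hypothetical placeholders, and the identity is prompted for rather than hard-coded.

```powershell
# Added example. All three names below are hypothetical placeholders.
$AppName  = 'MyComponentApp'
$ProgId   = 'MyCompany.MyComponent'                 # component already registered with regsvr32
$Identity = "$env:COMPUTERNAME\svc_mycomponent"     # account the package will run as

# Prompt for the password instead of storing it in the script.
$cred = Get-Credential -UserName $Identity -Message "Identity for COM+ application $AppName"

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()
if ($apps | Where-Object { $_.Name -eq $AppName }) {
    throw "COM+ application '$AppName' already exists"
}

# "Empty application", "server process", "this user" from the wizard.
$app = $apps.Add()
$app.Value('Name')       = $AppName
$app.Value('Activation') = 1      # COMAdminActivationLocal: runs in its own server process
$app.Value('Identity')   = $cred.UserName
$app.Value('Password')   = $cred.GetNetworkCredential().Password
[void]$apps.SaveChanges()

# "Import components that are already registered".
$catalog.ImportComponent($AppName, $ProgId)

# Confirm what the application now contains and which account it runs as.
$components = $apps.GetCollection('Components', $app.Key)
$components.Populate()
[pscustomobject]@{
    Application = $AppName
    RunsAs      = $app.Value('Identity')
    Components  = @($components | ForEach-Object { $_.Name })
}
```

Run it from an elevated PowerShell session on the server; the account supplied must already exist and have read access to the DLL and whatever resources the component uses.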


Unregister your component, copy it to system32 dir and register it again.
ttsuchi (Author) Commented:
I went to my client's site today and added my COM objects in the MTS Packager so that it runs under local Administrator account. And it finally started working! I still don't know why I have to do it over there and not on my develop environment, but at least everything is working the way it should be.  I learned a lot about how to deal with COM objects permissions along the way too.  Thanks everyone for your input!
Michel Sakr Commented:
Because MTS is for such issues.. it acts as a tier for components..
Question has a verified solution.