ttsuchi
asked on
ASP error 0178 (0x80070005) - COM permission problem
I have COM object that my client need to use from ASP pages. The situation I have is:
1. The COM object runs fine under user account (e.g. from VB and Wsh)
2. The COM object runs fine from ASP if IIS anon account is a user account, such as local 'Administrator'.
3. The COM object runs fine from ASP on my developer environment, where IIS anon account is 'IUSR_machinename'.
4. The COM object fails to launch from ASP on my client's production (where IIS anon account is 'IUSR_machinename'), with ASP error 0178 (Server.CreateObject failed, permission denied). The COM dll resides on his server locally, i.e. no DCOM.
Basically I want to know what exactly I'm supposed to do to make the COM object work on that production machine. Here are the steps I've already taken:
1. I've set the security permission for the folder where the asp resides to 'readable' by 'everyone'.
2. I've set the security permission for the folder where the COM dll resides to 'readable' by 'everyone'.
3. I've set the IIS directory security to readable and selected 'scripts and executables'.
3. In dcomcfg, I've added IUSR_.. and IWAM_.. to default access (allowed).
4. In dcomcfg, I've added IUSR_.. and IWAM_.. to default launch permissions (allow launch).
.. But I couldn't make it work on his IIS. Even worse, even when I tried to 'reverse' the procedure on my develop machine to reproduce the problem, I couldn't make it *not* work. (The dconcnfg stuff should be irrelevant anyway since it's COM and not DCOM.) After researching on the web, it seems like there's a way to set 'execute' permission or something for COM objects on IIS, but I can't find where/how to do it. Any suggestions?
1. The COM object runs fine under user account (e.g. from VB and Wsh)
2. The COM object runs fine from ASP if IIS anon account is a user account, such as local 'Administrator'.
3. The COM object runs fine from ASP on my developer environment, where IIS anon account is 'IUSR_machinename'.
4. The COM object fails to launch from ASP on my client's production (where IIS anon account is 'IUSR_machinename'), with ASP error 0178 (Server.CreateObject failed, permission denied). The COM dll resides on his server locally, i.e. no DCOM.
Basically I want to know what exactly I'm supposed to do to make the COM object work on that production machine. Here are the steps I've already taken:
1. I've set the security permission for the folder where the asp resides to 'readable' by 'everyone'.
2. I've set the security permission for the folder where the COM dll resides to 'readable' by 'everyone'.
3. I've set the IIS directory security to readable and selected 'scripts and executables'.
3. In dcomcfg, I've added IUSR_.. and IWAM_.. to default access (allowed).
4. In dcomcfg, I've added IUSR_.. and IWAM_.. to default launch permissions (allow launch).
.. But I couldn't make it work on his IIS. Even worse, even when I tried to 'reverse' the procedure on my develop machine to reproduce the problem, I couldn't make it *not* work. (The dconcnfg stuff should be irrelevant anyway since it's COM and not DCOM.) After researching on the web, it seems like there's a way to set 'execute' permission or something for COM objects on IIS, but I can't find where/how to do it. Any suggestions?
try setting the permissions for the iusr_machineName on the production machine component. I don't think that the IUSR account is part of the everyone group.
better yet, create a package in MTS or Com component manager. You can then assign any user account to be used when running the component.
Maybe your COM object is trying to load a DLL that reside in another directory to which you do not have permission, such as MFC42.Dll etc.
In order to change the directory permission to exectute
open the internet service manager, select your directory, open its properties window, and the choose execute.(I don't think it will help you though)
In order to change the directory permission to exectute
open the internet service manager, select your directory, open its properties window, and the choose execute.(I don't think it will help you though)
as sain include tha dll in a com+/mts package and assign an admin account to run the package..
as sain= as said
ASKER
Thanks for the comments everyone. After I was looking at the configuration for the developer instance of IIS, I noticed that I was using 'Integrated Windows Authentication'.. Since I was testing everything from the IE browser on the same computer, I suspect that's why it still worked even after I denied read & exec priv on the dll for the IUSR_machine acct. After I turned off Windows Auth, the ASP on the develop machine failed as expected. It still doesn't explain why it doesn't work on the production tho. Since my clients use Windows Auth mode, maybe I have to make the dll readable by the domain users as well as IUSR_machine account?
I do use "advapi32.dll" in the COM object for reading registry values, but I think it should have 'everyone' readable (and IUSR_machine acct belongs to 'everyone' too, doesn't it?) That will be one more thing I can check in the production machine though.
Also, pardon my ignorance but what is COM+/MTS packager? Is it part of .NET sdk or Visual Studio 6, and if so, where can I find it?
Thanks
I do use "advapi32.dll" in the COM object for reading registry values, but I think it should have 'everyone' readable (and IUSR_machine acct belongs to 'everyone' too, doesn't it?) That will be one more thing I can check in the production machine though.
Also, pardon my ignorance but what is COM+/MTS packager? Is it part of .NET sdk or Visual Studio 6, and if so, where can I find it?
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Unregister your component, copy it to system32 dir and register it again.
ASKER
I went to my client's site today and added my COM objects in the MTS Packager so that it runs under local Administrator account. And it finally started working! I still don't know why I have to do it over there and not on my develop environment, but at least everything is working the way it should be. I learned a lot about how to deal with COM objects permissions along the way too. Thanks everyone for your input!
Because MTS is for such issues.. it acts as a tier for components..