CreateObject(...); permission denied error on Win XP Professional (wors fine on NT 4)

Does this component have a .dll or .wsc that needs to be registered?

Fritz the Blank

Can you run it via vb script? If do try using server.createobject(...)

Would this component be using CDO by chance???  XP does some wierd stuff with CDO and not registering certain components...

Have you tried make a new application in Component Services and register it in COM+?

That's what I was getting at--the need to regester any components for the software.

Fritz the Blank

Where are you Bohumil?  Feedback is important.

I had a recent conversation regarding CDO on XP and found that CDO is can be unregistered on normal situations, like if Office XP or Sharepoint Portal or Team Server or Exchange 2000 is installed the machine, then CDOEX.DLL is registered instead of cdosys.dll, otherwise CDOSYS.DLL registered.  Registering one un-registers the other one.

Mark,

Bohumil speaks of registering a Cumulus5.Application component. Do you know offhand if that requires CDO?

Fritz the Blank

No, I'm not sure what the application even does?  Some kind of Asset Management software.  I did read this at their website, "It supports Mac OS, Windows NT, UNIX (Solaris, IRIX, Linux)", no mention of XP...

But since the software is suppose to do dynamic emails I would think it would use CDO or CDONTS.

Well, as far as some of the questions go I might not have enough knowledge about CDO, CDONTS and other Microsoft technologies to properly answer them.
Here is what I DO know:
1) Cumulus DOES run fine under Windows XP (I used to work with the company that makes the application, so I know for sure--probably the website needs updating)
2) I can write VB applications using the same CreateObject command
3) I tried using Server.CreateObject as well (same error)
4) The exact same asp page works just fine on my NT4 server
5) Cumulus registers a number of dlls. Most of them in \Windows\System32\Canto\...; all have at least read & execute rights for "Everyone" (I assume the local IUSR account is part of "Everyone"?

...sorry about the delay in answering comments. I'm not much online on the weekend.

Actually, I am not sure that IUSR_ and IWAM_ are part of the everyone group.

Fritz the Blank

Hmmm, OK.
I added IUSR & IWAM explicitly to all places I could think of, specifically the directory where the Cumulus.exe is stored, the directory where all the DLLs are and a few DLLs in system32 that started with the name "Cumulus"

...I almost thought it worked since the page took much longer to return the error. However I eventually got the same error. Again, the strange thing is that the application was actually launched, since the process is listed in the Task Manager after calling the page.

IUSR_ and IWAM_ ARE part of the everyone group.
and, are you sure you want to use..
set myApp = CreateObject("Cumulus5.Application")
and not...
set myApp = Server.CreateObject("Cumulus5.Application")

I'm not sure IUSER_ is part of Everyone either...  I know one of the first things I do to protect my directories and apps are to disable permissions to Everyone and give access to IUSER_

Remember to clear out the IIS Memory after launching the app.

It would seem something of a security issue to have IUSR as part of the everyone group. I have had a number of issues of web-based software not working with the Everyone permissions set, but then working fine when explicit permission is given to IUSR.

Fritz the Blank

On my W2K machines, I don't even have an Everyone Group...

This is a development system so I am not concerned about security at all at this time. I just need to get it to work. (I can worry about security later.)

I tried both: "CreateObject(...)" AND "Server.CreateObject(...)"

It should definitely be:

Server.CreateObject(...)

Are you certain that all of the components are registered?

Fritz the Blank

Here's a thought... contact Canto tech support, http://www.canto.com/

OK,
Maybe I need to redefine the question:

Is there anything special that needs to be done with any components of the application (DLLs, EXE, etc.) that is different from running the application directly as a user on that computer (launching it manually) or running it by launching it via a VB executable.

Both methods work just fine (i.e. all the DLLs are registered, etc.) However, when I try the same from an ASP page I get the error.

I can find out all the info about components of the application from Canto support but they do not provide support for writing ASP pages (although they say it should work.) So what I do not know is exactly what permissions need to exist on what files (in general, for ANY application) and if DLLs have to be registered somewhere else than they would have to be if you start the application through VB or the user interface.

Okay, that makes sense except:

As I mentioned, the application actually DOES get launched (the executable shows up under the Task Manager under Processes); and since I have set the "Identity" in the DCOM config for the Application to "Interactive User", the process shows up as launched by the "Administrator", which is the account I am currently logged in under on the server that runs the ASP page.
So Shouldn't that mean that the permissions of the "Administrator" apply? (and the Administrator can launch and use the application)

That I don't know. Perhaps some other process is trying to launch, and then that doesn't happen?

I suppose that you could give IUSR_ and IWAM_ full control to your whole machine temporarily to test....


Fritz the Blank

Well, now as far as I can tell IUSR, IWAM and everyone else has full access to my entire C drive and things still don't work. No idea what component still does not have permissions...

However, I seem to be able to launch other applications (such as MS Word) so I guess it has to do with the application specifically.

Looks like I might get no satisfactory answer...

What should I do with my question here? (to close it)

Have you even tried calling Canto and asking them for help?  It's obvious that you are missing a COM object that the application requires to run correctly.  

Again, check the registration of CDOSYS.dll and CDOEX.dll, one or the other could be killing the app.

There isn't any situation of a remote dB or the Canto app being installed on a remote server is there?

> Have you even tried calling Canto..

Haha, well here's the problem: I am actually currently working for Canto. The official position of Canto is that we do not support scripting the Cumulus Client directly via ASP.
However, I have got it to work for a Client on Win NT before and in unofficial discussions with our developers they believed that it should be possible but did not have the time to look into it.
My department has generally always taken the lead in finding new ways to do things with the software...

Anyway: I did get things to work by changing the anonymous login account in IIS to the local Administrator (as well as to a user with slightly less priviledges) So the problem must in fact lie with the permissions of the IUSR and IWAM, although they both have read & execute on every single file & directory.

...I will continue to try to hunt down the offending file

And: No, nothing is running remotely. Everything is local.

lol... I thought there might be something like that... ;-)

Trust me, I know all about trying to find new ways to do something and how certain departments might look at the effort...

maybe there is a way to build in some good error trapping inn the scripts?

Yoo hoo!!! I knew it was the IUSR_ IWAM_ issue!!!

Fritz the Blank

So now who gets the points for the question? As I understand it I have to assign a comment as an answer to free up the points again?

So now who gets the points for the question? As I understand it I have to assign a comment as an answer to free up the points again?

Oh boy, that's a tough one. There are a few options here. Theoretically, you should assign the points to the first person who posted the correct answer. On the other hand, there is a certain amount of sense in awarding the points to the person who helped you out the most. You could also request that the points are split among those who helped you out the most. Finally, you could accept one of the comments here as an answer and post separate questions with points for others who helped you out (this is what I do invariably--I like to make certain that everyone who made a meaningful contribution gets recognized because it is good manners and you never know when you'll need their help again).

Does any of this make sense?

I think I owe one to my friend Patrick anyway, he earned them.  ;-)

Oh no you don't....that wouldn't be fair!

--Patrick

OK, I'll accept the answer about the IUSR & IWAM accounts from Patrick. That seems to be the one that led to figuring out what is going on.

Thanks to everyone!

Just to be fair, here is something for MGFranz:

https://www.experts-exchange.com/questions/20556405/Points-for-MGFranz.html

Fritz the Blank

Bohumil - I had the exact EXACT same problem.. (XP SP2 & ISS 5.1)

And your comment:
Anyway: I did get things to work by changing the anonymous login account in IIS to the local Administrator (as well as to a user with slightly less priviledges) So the problem must in fact lie with the permissions of the IUSR and IWAM, although they both have read & execute on every single file & directory.

Solved my problem....! Woooohooo.. it was really getting fustrating...

I had my Anti-Virus un-installed (to eliminate script blocking potentially), Gave Full C: access to my ISR & IWAM accounts & EvERYoNE.... Toggled this, Regedited this, changed that, ran this script... changed Dlls, re-configured my Dlls.

Thanks Bohumil ! your answer helped

mrRecNeps@gmail.com

Here are some handy pointers that I learnt along the way of trying to solve my problem:

Hope these resources & pointers below can help save somebody some time in the future!

Amongst others:
1.
If IIS does not want to run/process ASP Pages:
Go to CMD
Go to "C:\Inetpub\AdminScripts"
Type the following in & press Enter:
cscript.exe synciwam.vbs -v
This will synchronize all your passwords for ISR_ IWAM_ (sometimes they will go out of sync)

2.
Create the entry for VB ASP Debugging in DCOM:
a.       Start Microsoft Notepad or another text editor and type the following case-sensitive syntax:
REGEDIT4 [HKEY_CLASSES_ROOT\CLSID\{70F214BA-94E2-4bdf-8F30-32CB4A905E4D}] @="VB ASP Debugging" [HKEY_CLASSES_ROOT\CLSID\{70F214BA-94E2-4bdf-8F30-32CB4A905E4D}\LocalServer32] @="vb6.exe" [HKEY_CLASSES_ROOT\AppID\vb6.exe] "AppId"="{70F214BA-94E2-4bdf-8F30-32CB4A905E4D}"
b.       Save the file as Vbaspdbg.reg.
c.       Locate the folder where you saved the Vbaspdbg.reg file and double-click the file (it automatically registers itself in the Windows registry).

Windows XP
a.       Start COM+ Explorer. On the Start menu, click Admin Tools, and then click Component Services.
b.       Click to expand Component Services, click to expand Computers, click to expand My Computer, and then click to expand DCOM Config.
c.       Right-click VB ASP Debugging, and the click Properties.
d.       On the Securities tab, under Access Permissions, select Customize, and then click Edit.
e.       In the Access Permission window, click Add, and then add the Everyone account for Allow Access option.
f.       Click OK, click Apply, and then click OK to apply the changes and exit the DCOM Configuration properties page.
g.       Restart the computer so that the changes take effect.


3.
http://support.microsoft.com/kb/q259725/http://support.microsoft.com/kb/q259725/

4.
http://www.aspemporium.com/support.aspx?PRB020


5.
http://translate.google.com/translate?hl=en&sl=it&u=http://online.infomedia.it/riviste/cp/96/articolo02/articolo.htm&prev=/search%3Fq%3DPermission%2Bdenied:%2B%2527CreateObject%2527%2B(0x800A0046)%26start%3D20%26hl%3Den%26lr%3D%26sa%3DN
(half way down)

I would also like to mention Bohumil :

The error that it indicates is legacy in kind to problems of authorizations that are taken place when IIS tries to approach resources that are found on an other machine or the same machine but with restrictive permissions. As an example if yours member COM is installed on a various machine from that one of IIS or approaches resources that are found on it blots some various from that one of IIS.
Supposing that this is the case, you would have to create on the machine on which the member or the resource finds themselves an identical customer to that impersonato from IIS on its machine, that is IUSR_NomeMacchinaIIS, where NomeMacchinaIIS is the name of the machine on which IIS is installed. To this point you would have to assure to this customer the access to the resources which it must approach.


Possibly when we copied our "original" code from our W2k machine to our XP machine...their could've been some pointers or registers hooked within our code/dlls/exe's (depends on your setup) and this could've cause a permission issue.
I suspect both your 2000 & XP pcs are on the same network....! And the code on your XP code (originally from your 2000 pc) is somehow/somewhat pointing to the 2000 pc!

@Bohumil...
 Try run your XP code with your pc not plugged into the network!

Ah blissm... the additional down falls of working with two or more pcs!

Keep the thinking lateral lads & out of the Box!

2019 is approaching fast!

The Java syndicate!