?
Solved

CreateObject(...); permission denied error on Win XP Professional (wors fine on NT 4)

Posted on 2003-03-15
36
Medium Priority
?
3,113 Views
Last Modified: 2009-03-10
I am trying to remote control an application via the web with an ASP page.

I am using the command:
set myApp = CreateObject("Cumulus5.Application")

("Cumulus5" is the application name)
I get the following error:

Microsoft VBScript runtime (0x800A0046)
Permission denied: 'CreateObject'
/asp_test/createApp.asp, line 8

I am using the anonymous web user. I am calling the page locally on my server and am logged in as a user with Administrator rights. Everyone has full access to the application (the actual executable) as well as the tlb file. I tried changing permissions in the Component Services with no success. Currently I am using the Interactive User for that application under the DCOM config.

This is a Windows XP Professional system. The same asp page works fine under a different server running NT 4.0. Also, the page actually seems to start the process for the application (if it's not already running) even though it gives the above error. After accessing the page I can see the process for the Cumulus application running in the Task Manager.
0
Comment
Question by:Bohumil
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 10
  • 9
  • +4
36 Comments
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8144879
Does this component have a .dll or .wsc that needs to be registered?

Fritz the Blank
0
 
LVL 4

Expert Comment

by:iozturk
ID: 8144900
Can you run it via vb script? If do try using server.createobject(...)
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8145101
Would this component be using CDO by chance???  XP does some wierd stuff with CDO and not registering certain components...
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Expert Comment

by:arthuryeung
ID: 8145283
Have you tried make a new application in Component Services and register it in COM+?
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8146536
That's what I was getting at--the need to regester any components for the software.

Fritz the Blank
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8146587
Where are you Bohumil?  Feedback is important.

I had a recent conversation regarding CDO on XP and found that CDO is can be unregistered on normal situations, like if Office XP or Sharepoint Portal or Team Server or Exchange 2000 is installed the machine, then CDOEX.DLL is registered instead of cdosys.dll, otherwise CDOSYS.DLL registered.  Registering one un-registers the other one.
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8146629
Mark,

Bohumil speaks of registering a Cumulus5.Application component. Do you know offhand if that requires CDO?

Fritz the Blank
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8146668
No, I'm not sure what the application even does?  Some kind of Asset Management software.  I did read this at their website, "It supports Mac OS, Windows NT, UNIX (Solaris, IRIX, Linux)", no mention of XP...

But since the software is suppose to do dynamic emails I would think it would use CDO or CDONTS.
0
 

Author Comment

by:Bohumil
ID: 8148769
Well, as far as some of the questions go I might not have enough knowledge about CDO, CDONTS and other Microsoft technologies to properly answer them.
Here is what I DO know:
1) Cumulus DOES run fine under Windows XP (I used to work with the company that makes the application, so I know for sure--probably the website needs updating)
2) I can write VB applications using the same CreateObject command
3) I tried using Server.CreateObject as well (same error)
4) The exact same asp page works just fine on my NT4 server
5) Cumulus registers a number of dlls. Most of them in \Windows\System32\Canto\...; all have at least read & execute rights for "Everyone" (I assume the local IUSR account is part of "Everyone"?

...sorry about the delay in answering comments. I'm not much online on the weekend.
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8148804
Actually, I am not sure that IUSR_ and IWAM_ are part of the everyone group.

Fritz the Blank
0
 

Author Comment

by:Bohumil
ID: 8148918
Hmmm, OK.
I added IUSR & IWAM explicitly to all places I could think of, specifically the directory where the Cumulus.exe is stored, the directory where all the DLLs are and a few DLLs in system32 that started with the name "Cumulus"

...I almost thought it worked since the page took much longer to return the error. However I eventually got the same error. Again, the strange thing is that the application was actually launched, since the process is listed in the Task Manager after calling the page.
0
 
LVL 14

Expert Comment

by:puranik_p
ID: 8149784
IUSR_ and IWAM_ ARE part of the everyone group.
and, are you sure you want to use..
set myApp = CreateObject("Cumulus5.Application")
and not...
set myApp = Server.CreateObject("Cumulus5.Application")
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8151206
I'm not sure IUSER_ is part of Everyone either...  I know one of the first things I do to protect my directories and apps are to disable permissions to Everyone and give access to IUSER_

Remember to clear out the IIS Memory after launching the app.
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8152209
It would seem something of a security issue to have IUSR as part of the everyone group. I have had a number of issues of web-based software not working with the Everyone permissions set, but then working fine when explicit permission is given to IUSR.

Fritz the Blank
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8152539
On my W2K machines, I don't even have an Everyone Group...
0
 

Author Comment

by:Bohumil
ID: 8153471
This is a development system so I am not concerned about security at all at this time. I just need to get it to work. (I can worry about security later.)

I tried both: "CreateObject(...)" AND "Server.CreateObject(...)"
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8153496
It should definitely be:

Server.CreateObject(...)

Are you certain that all of the components are registered?

Fritz the Blank
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8153616
Here's a thought... contact Canto tech support, http://www.canto.com/
0
 

Author Comment

by:Bohumil
ID: 8154196
OK,
Maybe I need to redefine the question:

Is there anything special that needs to be done with any components of the application (DLLs, EXE, etc.) that is different from running the application directly as a user on that computer (launching it manually) or running it by launching it via a VB executable.

Both methods work just fine (i.e. all the DLLs are registered, etc.) However, when I try the same from an ASP page I get the error.

I can find out all the info about components of the application from Canto support but they do not provide support for writing ASP pages (although they say it should work.) So what I do not know is exactly what permissions need to exist on what files (in general, for ANY application) and if DLLs have to be registered somewhere else than they would have to be if you start the application through VB or the user interface.
0
 
LVL 46

Accepted Solution

by:
fritz_the_blank earned 720 total points
ID: 8154383
Okay, that is slightly different. If it works fine with a local user but fails when accessed via a web page, that says that all the .dlls are registered correctly and that you definitely have a permissions issue.

You will need to make certain the IUSR_ and IWAM_ accounts have all necessary permissions to all related directories.

Perhaps the folks at Canto could be of help there?

Fritz the Blank
0
 

Author Comment

by:Bohumil
ID: 8154460
Okay, that makes sense except:

As I mentioned, the application actually DOES get launched (the executable shows up under the Task Manager under Processes); and since I have set the "Identity" in the DCOM config for the Application to "Interactive User", the process shows up as launched by the "Administrator", which is the account I am currently logged in under on the server that runs the ASP page.
So Shouldn't that mean that the permissions of the "Administrator" apply? (and the Administrator can launch and use the application)
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8154484
That I don't know. Perhaps some other process is trying to launch, and then that doesn't happen?

I suppose that you could give IUSR_ and IWAM_ full control to your whole machine temporarily to test....


Fritz the Blank
0
 

Author Comment

by:Bohumil
ID: 8162619
Well, now as far as I can tell IUSR, IWAM and everyone else has full access to my entire C drive and things still don't work. No idea what component still does not have permissions...

However, I seem to be able to launch other applications (such as MS Word) so I guess it has to do with the application specifically.

Looks like I might get no satisfactory answer...

What should I do with my question here? (to close it)
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8162648
Have you even tried calling Canto and asking them for help?  It's obvious that you are missing a COM object that the application requires to run correctly.  

Again, check the registration of CDOSYS.dll and CDOEX.dll, one or the other could be killing the app.

There isn't any situation of a remote dB or the Canto app being installed on a remote server is there?
0
 

Author Comment

by:Bohumil
ID: 8163075
> Have you even tried calling Canto..

Haha, well here's the problem: I am actually currently working for Canto. The official position of Canto is that we do not support scripting the Cumulus Client directly via ASP.
However, I have got it to work for a Client on Win NT before and in unofficial discussions with our developers they believed that it should be possible but did not have the time to look into it.
My department has generally always taken the lead in finding new ways to do things with the software...

Anyway: I did get things to work by changing the anonymous login account in IIS to the local Administrator (as well as to a user with slightly less priviledges) So the problem must in fact lie with the permissions of the IUSR and IWAM, although they both have read & execute on every single file & directory.

...I will continue to try to hunt down the offending file

And: No, nothing is running remotely. Everything is local.
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8163107
lol... I thought there might be something like that... ;-)

Trust me, I know all about trying to find new ways to do something and how certain departments might look at the effort...

maybe there is a way to build in some good error trapping inn the scripts?
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8163162
Yoo hoo!!! I knew it was the IUSR_ IWAM_ issue!!!

Fritz the Blank
0
 

Author Comment

by:Bohumil
ID: 8163499
So now who gets the points for the question? As I understand it I have to assign a comment as an answer to free up the points again?
0
 

Author Comment

by:Bohumil
ID: 8163500
So now who gets the points for the question? As I understand it I have to assign a comment as an answer to free up the points again?
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8163577
Oh boy, that's a tough one. There are a few options here. Theoretically, you should assign the points to the first person who posted the correct answer. On the other hand, there is a certain amount of sense in awarding the points to the person who helped you out the most. You could also request that the points are split among those who helped you out the most. Finally, you could accept one of the comments here as an answer and post separate questions with points for others who helped you out (this is what I do invariably--I like to make certain that everyone who made a meaningful contribution gets recognized because it is good manners and you never know when you'll need their help again).

Does any of this make sense?
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 8163798
I think I owe one to my friend Patrick anyway, he earned them.  ;-)
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8166562
Oh no you don't....that wouldn't be fair!

--Patrick
0
 

Author Comment

by:Bohumil
ID: 8168212
OK, I'll accept the answer about the IUSR & IWAM accounts from Patrick. That seems to be the one that led to figuring out what is going on.

Thanks to everyone!
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 8168353
Just to be fair, here is something for MGFranz:

http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_20556405.html

Fritz the Blank
0
 

Expert Comment

by:mrRecNeps1
ID: 13015173
Bohumil - I had the exact EXACT same problem.. (XP SP2 & ISS 5.1)

And your comment:
Anyway: I did get things to work by changing the anonymous login account in IIS to the local Administrator (as well as to a user with slightly less priviledges) So the problem must in fact lie with the permissions of the IUSR and IWAM, although they both have read & execute on every single file & directory.

Solved my problem....! Woooohooo.. it was really getting fustrating...

I had my Anti-Virus un-installed (to eliminate script blocking potentially), Gave Full C: access to my ISR & IWAM accounts & EvERYoNE.... Toggled this, Regedited this, changed that, ran this script... changed Dlls, re-configured my Dlls.

Thanks Bohumil ! your answer helped

mrRecNeps@gmail.com

Here are some handy pointers that I learnt along the way of trying to solve my problem:

Hope these resources & pointers below can help save somebody some time in the future!

Amongst others:
1.
If IIS does not want to run/process ASP Pages:
Go to CMD
Go to "C:\Inetpub\AdminScripts"
Type the following in & press Enter:
cscript.exe synciwam.vbs -v
This will synchronize all your passwords for ISR_ IWAM_ (sometimes they will go out of sync)

2.
Create the entry for VB ASP Debugging in DCOM:
a.       Start Microsoft Notepad or another text editor and type the following case-sensitive syntax:
REGEDIT4 [HKEY_CLASSES_ROOT\CLSID\{70F214BA-94E2-4bdf-8F30-32CB4A905E4D}] @="VB ASP Debugging" [HKEY_CLASSES_ROOT\CLSID\{70F214BA-94E2-4bdf-8F30-32CB4A905E4D}\LocalServer32] @="vb6.exe" [HKEY_CLASSES_ROOT\AppID\vb6.exe] "AppId"="{70F214BA-94E2-4bdf-8F30-32CB4A905E4D}"
b.       Save the file as Vbaspdbg.reg.
c.       Locate the folder where you saved the Vbaspdbg.reg file and double-click the file (it automatically registers itself in the Windows registry).

Windows XP
a.       Start COM+ Explorer. On the Start menu, click Admin Tools, and then click Component Services.
b.       Click to expand Component Services, click to expand Computers, click to expand My Computer, and then click to expand DCOM Config.
c.       Right-click VB ASP Debugging, and the click Properties.
d.       On the Securities tab, under Access Permissions, select Customize, and then click Edit.
e.       In the Access Permission window, click Add, and then add the Everyone account for Allow Access option.
f.       Click OK, click Apply, and then click OK to apply the changes and exit the DCOM Configuration properties page.
g.       Restart the computer so that the changes take effect.


3.
http://support.microsoft.com/kb/q259725/http://support.microsoft.com/kb/q259725/

4.
http://www.aspemporium.com/support.aspx?PRB020


5.
http://translate.google.com/translate?hl=en&sl=it&u=http://online.infomedia.it/riviste/cp/96/articolo02/articolo.htm&prev=/search%3Fq%3DPermission%2Bdenied:%2B%2527CreateObject%2527%2B(0x800A0046)%26start%3D20%26hl%3Den%26lr%3D%26sa%3DN
(half way down)
0
 

Expert Comment

by:mrRecNeps1
ID: 13015262
I would also like to mention Bohumil :

The error that it indicates is legacy in kind to problems of authorizations that are taken place when IIS tries to approach resources that are found on an other machine or the same machine but with restrictive permissions. As an example if yours member COM is installed on a various machine from that one of IIS or approaches resources that are found on it blots some various from that one of IIS.
Supposing that this is the case, you would have to create on the machine on which the member or the resource finds themselves an identical customer to that impersonato from IIS on its machine, that is IUSR_NomeMacchinaIIS, where NomeMacchinaIIS is the name of the machine on which IIS is installed. To this point you would have to assure to this customer the access to the resources which it must approach.


Possibly when we copied our "original" code from our W2k machine to our XP machine...their could've been some pointers or registers hooked within our code/dlls/exe's (depends on your setup) and this could've cause a permission issue.
I suspect both your 2000 & XP pcs are on the same network....! And the code on your XP code (originally from your 2000 pc) is somehow/somewhat pointing to the 2000 pc!

@Bohumil...
 Try run your XP code with your pc not plugged into the network!

Ah blissm... the additional down falls of working with two or more pcs!

Keep the thinking lateral lads & out of the Box!

2019 is approaching fast!

The Java syndicate!

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
This demonstration started out as a follow up to some recently posted questions on the subject of logging in: http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28634665.html and http://www.experts-exchange.com/Programming/…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question