iis 5 and asp & other file extension permissions not working - need help

ok this has been annoying me for sometime and i finally need it to work right. so here i am.

here are the specs.

isa server 2000 + sp1 + feature pack 1 with urlscan
iis 5 with iis lockdown and urlscan
.net framework 1.1

what i can't seem to do is configure the server to allow asp scripts. during the iislockdown installer wizard i allowed asp, in the urlscan i check to see if asp is allowed, it is. i even dissabled urlscan on isa server. the .asp extension is mapped to C:\WINNT\system32\inetsrv\asp.dll

ntfs permissions allow anonymous users. iis allows anonymous users. html extensions work, but asp won't!
also since i reinstalled to try and start from scratch, i lost the file extensions that the .net framework installed, how can i get those back?

any ideas or links to a REALLY good site on how to configure urlscan. like maybe an entire book. lol
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

URLScan is quite easy to configure and all the info you need is in the ini file, just search for URLScan.ini

If I understand you correctly ASP won't allow anonymous access? Maybe you need to add the user IUSR_<machine name> to the .DLL ? Or somewhere it is missing, I am no ASP expert, never installed it so can't say for sure.

Adding a file extension to IIS is easy, right click the web server -> properties -> and I believe it's under home directory -> configuration
add another extension and point it to the right dll..

That should do it, or I am way of and finally need catch some shuteye...
nonsenceAuthor Commented:
i already looked in the urlscan.ini file. but it still won't work, even after i setup allow permissions for .asp

and the extension in iis goes to asp.dll

as for permissions, i gave everyone full ntfs access and still it didn't work.

i tried publishing iss through isa server. didn't work. now i'm running it locally on a virtual network driver with as the ip address. so it's only accessible by me unless i publish it through isa server or tell iis to listen on all ports.

but it still won't work. html and other static files seem to work fine
Falco Bethkeperformance engineeringCommented:
do you use files like global.asa? Did you set rights for the IWAM_ account on those files and folders?
What is the error message?
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

nonsenceAuthor Commented:
it only works when i set the Application Protection to LOW. otherwise when it's set to Medium it doesn't work and i get an error msg in the Event Logs.

The server failed to load application '/LM/W3SVC/1/ROOT/SUSAdmin'.  The error was 'Server execution failed
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.

that's what i get when i try to access the Software Update Services I installed a few days ago. damn thing doesn't work. and since the admin consol is an asp script i can't get access to it. and same thing goes for all other .asp files

i read a bit about it and it seems it has something to do about COM permissions, and the GUID 3D14228D-FBE1-11D0-995D-00C04FD919C1 that i get in the event logs. but i don't understand how to fix it.
Falco Bethkeperformance engineeringCommented:
you add dcom permissions with the tool dcomcnfg.exe

try to find the guid there or a step before in the registry. then add IWAM_ User to the access and start permissions.

Falco Bethkeperformance engineeringCommented:
if you have a single and clean server for SUS, and you don't want to play with dcom permissions, you can also uninstall SUS and IIS, delete the iwam/iusr accounts and reinstall IIS and SUS.
nonsenceAuthor Commented:
it's not a clean install. that's why i know i gotta get down and dirty with the settings for dcomcnfg.exe but i've used it before just a bit and i don't know exactly what i need to do.
from what i know i did allow the IWAM_ user account Default launch permissions. and it's also allowed default configuration permissions. under default access permissions, i have no accounts there.
what about COM Internet Services on the computer? should that be enabled?
Falco Bethkeperformance engineeringCommented:
what do you mean with enabling COM Services? COM is always enabled...
Forget about the IWAM_ user account you need IUSR_<machine name>
Falco Bethkeperformance engineeringCommented:
not correct. IWAM ist the process owner of medium and high/isolated sites (dllhost.exe). IWAM needs to launch the objects.
nonsenceAuthor Commented:
the IUSR_<machine name> is also in the list of allowed accounts.
by COM Services i mean; when clicking the Default Properties tab, there are two check boxes on the top of the window that can be enabled. one is "Enable Ditributed COM on this computer" and the other is "Enable COM Internet Services on this computer". and the only one i have enabled is "Enable Ditributed COM on this computer".

also, should the dllhost.exe on my computer have acl permissions to allow anonymous users to read and execute it? such as the IWAM and IUSR accounts?
Falco Bethkeperformance engineeringCommented:
leave Enable Ditributed COM on this computer settings default!

you also dont need to change any permission on the dllhost.exe
nonsenceAuthor Commented:
ok i did that. but still asp isn't working.

only works when protection is set to LOW. and even with LOW susadmin doesn't load either.
Falco Bethkeperformance engineeringCommented:
after editing dcomcnfg, did you reboot?

what is the security log telling you? further error msgs?
nonsenceAuthor Commented:
what do you mean edit dcomcnfg? so far all i did was add the IWAM account to the default launch permissions. what else should i be editing?
nonsenceAuthor Commented:
oh and the event log still says same old stuff. when i try to access asp pages:


The server failed to load application '/LM/W3SVC/1/Root'.  The error was 'Server execution failed
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.



The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.
Falco Bethkeperformance engineeringCommented:
after changing permissons with dcomcnfg especially the default permission, you need to reboot the server.

regarding ID 10010 I found another hint that may help but in many cases I knew not :-))

The NT AUTHORITY\Authenticated Users or NT AUTHORITY\INTERACTIVE entries have been removed from the Users group.

Add these users back to the Users group, and then restart Internet Information Services (IIS):

nonsenceAuthor Commented:
hmmm. you might be right about the Users group thing.
NT AUTHORITY\Authenticated Users (S-1-5-11)

from what i know, anytime there are those (s-numbers), in brackets instead of a user account it means that the sid for the user account is messed up or there is no user account that the permission is supposed to link to.

umm, should i be removing the permissions and then add them again?
Falco Bethkeperformance engineeringCommented:
if the sid 2 name resolution need some secs, that may be caused by another domain user, but if it doesnt work at all you should fix it of course
nonsenceAuthor Commented:
it's still not working. and the s-5-11 numbers are still behind the authenticated users and interactive users accounts even after i remove them and add them to the permissions again.

is there something i'm missing here? any more info that i can give?
Falco Bethkeperformance engineeringCommented:
i'm still waiting for some eventlog msgs from the security part, where IWAM and IUSR are logged on the server!
BTW, is the server a domain controller?
Have you ever deleted IWAM user and recreated it?

If IIS can logon IWAM, see this:


And it helps in 99%...
nonsenceAuthor Commented:
the IUSR and IWAM accounts both pass as Success Audit in the security logs when i access the web server. as for deleting them, no i haven't ever. unless uninstalling and reinstalling iis counts.
the computer isn't a domain controller. but i have dns installed and set to system.com. but that just for my own private use really. and even when i uninstalled dns i still got the same errors in iis.

the system log is where it's all at:

Warning      11/12/2003      4:04:41 AM      W3SVC      None      36      N/A      PDC
The server failed to load application '/LM/W3SVC/1/Root'.  The error was 'Server execution failed
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

Error      11/12/2003      4:04:41 AM      DCOM      None      10010      SYSTEM      PDC
The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.

that's basically all i know. as for ntfs permissions. it doesn't seem like it even matters. i allow everyone full permissions and it doesn't work. in iis i've done just about everything i could to give everyone full access to everything in hopes that it would work and then i could just secure it from there, but still nothing.
Falco Bethkeperformance engineeringCommented:
anyway: can you please do the synciwam described in the kb article before, because IIS needs to pass credentials to COM+ too!

if some errors occur:

Falco Bethkeperformance engineeringCommented:
no updates?
nonsenceAuthor Commented:
i haven't tried the information in the kb article though, but i have read it. but i don't think it would apply to me since i haven't changed the password on the IWAM account. but i did change the password on the IUSR account. so then, wouldn't it syn the passwords from the sam to iis to com+ afterwards? and if not, then how do i fix that. i already did it in iis. but this com+ thing i've only heard of, still don't know anything about it really...
Falco Bethkeperformance engineeringCommented:
try it!
com+ is nothing else than DCOM and the error msgs point to it.
nonsenceAuthor Commented:
ok i did what the article says. but i still get the same event viewer errors and the same 500 internal server error from iis.
Falco Bethkeperformance engineeringCommented:
btw.: what does the IIS log tell you about the HTTP error 500 (asp error in a certain asp file and line)?

have you ever tried the tools from www.sysinternals.com for examining fine and registry access / failures? (filemon/regmon)

Falco Bethkeperformance engineeringCommented:
hey this one sounds very professional:


start with point 3! and putting IWAM in admin group, I would bet, it will work after that.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Falco Bethkeperformance engineeringCommented:
did I also mentioned to check IWAM, IUSR, and other groups that may access the site or System having the privilege "Bypass Traverse Checking"?
It's in the local security policies.
nonsenceAuthor Commented:
well i've been progressing through some of the steps you linked me to in those articles. the one that works for sure is making the iwam account part of the administrators group. nothing else works 100%
i did deleted the components in the Component Services mmc and did the command line scripts to rebuild them with iis. that didn't work either. now i'm reading through the ntfs permissions needed for iis 5. still not working yet. so from all the evidence it's definetly a problem with the iwam account permissions. but what, i haven't been able to find out yet.
Falco Bethkeperformance engineeringCommented:
try to put IWAM in the user or power user group (needs iisreset)

the rest the sysinternal tools like filemon and regmon will tell you.

dcom permissions are clean now?
nonsenceAuthor Commented:
i guess dcom are clean. there seem to be missing links to user account in some of my local security policy settings.

deny local logon, and logon as a batch file

but i don't know what accounts it's supposed to be linked too. both the iusr and iwam accounts are in the, logon as a batch file permissions though.

and my Users Group, shows:
NT AUTHORITY\Authenticated Users (S-1-5-11)

what's up with the numbers behind the accounts? cus i think they are causing some sort of problem....
nonsenceAuthor Commented:
ok well, i'm still trying to fix the problem. but i gave you the points anyways cus you helped alot, and i've been slowly progressing through this annoying thing.
if you got more links please share :-)
thanks for the help. it has so far gone a long way
I recently encountered same problem, and this is my solution
open component service in administrative tools
computers/COM+ Application/IIS Out-of-process Pooled Applications

then properties tab Identity and radio "Interactive usere -the current logged on user"

hmm maybe is just fine to fill right user bellow IWAM<comp name> + correct password, but I lost a day finding solution and I'm satisfationed with Inter. User.
hope this help.
Falco Bethkeperformance engineeringCommented:
this is no good idea:  "Interactive usere -the current logged on user" !!!

Servers don't have always logged on users!

and "fill right user bellow IWAM" is that what synciwam.vbs does....
well, I have made some progress on this

following permisson needs to be set

winnt\system32\mmdrv.dll  - RX for USERS ( maybe just my dll needs this)
winnt\system32\  - entire directory RX for "iwam"
winnt\TEMP RX for iwam (helps but not nessesary)

just check this

if this still not work try tu turn up all fail audit in audit policy + turn audit on disk, may help tracking.

about logged on users - this means user logged on service or user logged on desktop ?

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.