Re: IIS 6 & Server Permisions
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/28/04
- Next message: Simon: "Re: Developing more than one .net site at a time under IIS 5.1 on XP Pro"
- Previous message: David Wang [Msft]: "Re: ADSI script for IIS 5.0 can not run in IIS 6.0"
- In reply to: ashr: "Re: IIS 6 & Server Permisions"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 28 Nov 2004 01:51:12 -0800
Your question is worded very simply, but it is actually a very hard and
open-ended question. The correct answer is -- It DEPENDS on your object.
Theoretically, you are supposed to know the answer already when you start
using this object. If you install and use an object without knowing its
dependencies, you will inevitably run into problems like this no matter the
platform.
Thus, there aren't any cookbook ways to troubleshoot this. The easiest
solution is probably "run as LocalSystem", but we all know that is a
security hazard that should be avoided. This is one of the reasons that
IIS6 runs with lower privileges by default.
Regarding your questions:
> I'd like to know where I should begin looking at the permissions.
> 1. The credentials under which the website runs in IIS ?
> 2. The credentials under which the application pool that
> this site belongs to runs ?
> 3. The credentials under which the component runs in
> component services ?
Once again, the answer is "it depends".
Basic concept: Windows supports the concept of impersonation, which allows a
process running as one identity to "impersonate" one of its threads to run
as another identity. The reverse of this operation is "RevertToSelf" which
allows the thread to run as the process identity.
Normally, IIS runs code using impersonation, where that identity is obtained
through authentication. Thus, anonymous authentication causes IIS to log in
the configured AnonymousUserName account, while any other authentication
protocol is handled as-is to ultimately produce a user token for IIS to
impersonate. Static files, ISAPI, CGI, and ASP pages all run in this
manner -- so identity really depends on the authentication protocol
configured and in use between the client and server for that request.
Now, IIS can run arbitrary code, like ISAPI, CGI, and ASP pages can call COM
objects, which are also arbitrary code. IIS obviously cannot control
whether such code calls "RevertToSelf" to use process identity or
re-impersonate any other identity.
Thus, it really depends on the component as to whether your operation is
using impersonated or process identity.
Putting it together to answer your three questions:
1. Authentication controls impersonated identity. Component controls
whether using process or impersonated
2. App Pool Identity controls the process identity. Ditto as #1
3. Component Services controls the process identity. Ditto as #2
My suspicion is that your component is trying to instantiate UI-components,
which will fail on IIS6 due to systemwide security lockdown. You really
want to fix such server-side components to NOT use UI because that will
eventually cause many problems.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"ashr" <spamme@andwasteyourbandwidth.com> wrote in message
news:O2dC3Q60EHA.2196@TK2MSFTNGP14.phx.gbl...
> Hi everyone
>
> I've got the same problem as some of the guys above:
> 429: ActiveX component can't create object
>
> This component should be created using server.createobject in ASP, but
> I'm thinking the asp worker process don't have enough rights to create
> the object.
>
> Using vbscript code on the box running under my credentials
> (administrator) the code works, object gets created and functions
> properly.
>
> I'd like to know where I should begin looking at the permissions.
> 1. The credentials under which the website runs in IIS ?
> 2. The credentials under which the application pool that
> this site belongs to runs ?
> 3. The credentials under which the component runs in
> component services ?
>
> Specifically my question is:
> Which objects need their permissions altered to make provision for
> creating components in the server process/thread under which a website
> runs ?
>
> Seems like a simple enough question, and I hope there is someone that's
> written the steps down by now, because any website administrator has at
> least a few sites that use COM objects.
>
> Thanks in advance.
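Added example, not part of the original posting or of any Microsoft code: a read-only PowerShell inventory of the three identities the reply distinguishes (anonymous impersonation account, application pool process identity, COM+ application identity), so each can be checked against the ACLs the component needs. It assumes IIS 6 with the ADSI `IIS://` provider, PowerShell installed on the server, an administrator session, and site ID 1 (a placeholder).

```powershell
# Added example: read-only inventory, changes nothing on the server.
$siteId = 1   # assumed site ID; set to the site being diagnosed

# 1. Authentication layer: the account IIS logs in and impersonates
#    for anonymous requests to this site.
$root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
$anonUser = $root.psbase.InvokeGet('AnonymousUserName')
$poolName = $root.psbase.InvokeGet('AppPoolId')
"Anonymous (impersonated) user : $anonUser"
"Application pool              : $poolName"

# 2. Process layer: the identity of the worker process for that pool.
#    This is what code runs as after it calls RevertToSelf.
$pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$poolName"
$typeNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService';
                2 = 'NetworkService'; 3 = 'SpecificUser' }
$type = [int]$pool.psbase.InvokeGet('AppPoolIdentityType')
$procIdentity = $typeNames[$type]
if ($type -eq 3) {
    # A configured account is stored in WAMUserName.
    $procIdentity = $pool.psbase.InvokeGet('WAMUserName')
}
"Worker process identity       : $procIdentity"
if ($type -eq 0) {
    "WARNING: pool runs as LocalSystem; prefer a lower-privileged identity."
}

# 3. Component Services layer: a COM+ server application (Activation = 1)
#    runs in its own process under the configured Identity; a library
#    application (Activation = 0) runs inside the caller's process.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()
foreach ($app in $apps) {
    if ($app.Value('Activation') -eq 1) {
        $runsAs = $app.Value('Identity')
    } else {
        $runsAs = '(library app: host process or impersonated identity)'
    }
    "{0,-40} {1}" -f $app.Name, $runsAs
}
```

Whether a given operation uses the impersonated or the process identity still depends on the component, so the output lists candidates to check rather than a single answer.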