Microsoft KB Archive/168425

= Credentials lost inside single-threaded ASP components =

Article ID: 168425

Article Last Modified on 6/30/2006

-

APPLIES TO


 * Microsoft Active Server Pages 4.0
 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q168425



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
If a single-threaded Active Server Pages (ASP) component tries to access resources on a remote machine, access may denied to these resources. One example of this scenario would be a Visual Basic 4.0 OLE DLL calling the DIR command on a UNC path. In this scenario, a "Path Not Found" error is returned.



CAUSE
This problem is caused by a limitation in the way Internet Information Server (IIS) uses NT threads to manage single-threaded objects. Because of this limitation, the security credentials are not propagated between threads. As a result, the single-threaded component is operating in the security context of the SYSTEM account. When you try to access resources on other machines, the SYSTEM account is not recognized and access is denied.



RESOLUTION
There are two common workarounds for this problem:


 * Components that have their ThreadingModel registry key set to either "Apartment" or "Both" do not have this problem. Therefore the best solution is to create components that use Apartment model threading. Because Visual Basic 4.0 produces only single-threaded objects, you need to create your components with another tool such as Visual Basic 5.0 or Visual C++.
 * A final workaround is to add impersonation code to your component so that it inherits the security credentials of another user that has access to the desired resources. This approach has some limitations and is not recommended.



STATUS
This behavior is by design.

