Microsoft KB Archive/243828

= BUG: Session_OnEnd Changes Security Context of InProcess Component =

Article ID: 243828

Article Last Modified on 11/2/2006

-

APPLIES TO

 Microsoft Active Server Pages 4.0, when used with:  Microsoft Internet Information Server 4.0

 Microsoft Internet Information Services 5.0 

-



This article was previously published under Q243828



SYMPTOMS
When instantiating an InProcess COM component from ASP's Session_OnEnd event, the COM component runs using the process token. During the Session_OnEnd event, the thread of execution reverts to the process security token. If the Web application is in-process, the process token is the Local System security context. If the Web application is set to run in a separate memory space, the process token is the IWAM_ This behavior can produce a variety of unexpected results, but the most common result is an error message stating Access is Denied.



Workaround #1
Add your component to a Microsoft Transaction Server (MTS) Server Package. A server package launches a new Mtx.exe in the security context of the package user identity, thus the security context is preserved.

If you are using Microsoft Windows 2000 and Microsoft Internet Information Services (IIS) 5.0, add your component to a COM+ application. A server package launches a new Dllhost.exe file in the security context of the package user identity. Therefore, the security context is preserved.

Workaround #2
You can impersonate a specific security context by making the following calls from within your component:
 * LogonUser
 * ImpersonateLoggedOnUser

NOTE: If your Web application is in-process, the executing thread is running under the Local System account. By default, the Local System account has the correct privilege to call LogonUser successfully. If your Web application in a separate memory space from Inetinfo.exe, the executing thread is running under the IWAM_. By default, the IWAM_ account does not have the privilege to call LogonUser, so you will need to modify the account. Windows NT Auditing can be useful in diagnosing permission and privilege issues.

IMPORTANT: After you are done with the impersonation, you must call RevertToSelf.



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

Keywords: kbaspobj kbbug kbnofix KB243828

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.