Microsoft KB Archive/214804

= PRB: Creating DCOM Obj. from Membership Authenticated Page Fails =

Article ID: 214804

Article Last Modified on 8/27/2002


APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition




This article was previously published under Q214804



SYMPTOMS
When you try to launch an object through DCOM from a Membership-authenticated ASP page, the following error may occur:

Server object error ASP 0177: 80070721 Server.CreateObject failed. A security package error occurred.



CAUSE
Site Server Membership (when using Membership Authentication mode) may use a proxy account to allow Web clients access to resources on a Windows NT Server. This proxy account is created without access to network resources. As a result, instantiation of DCOM objects may not succeed.



RESOLUTION
This problem can be resolved by creating identical proxy accounts on the Site Server computer and the computer that runs the DCOM object. Be aware that this fix may not work in future versions of Windows NT.



STATUS
This behavior is by design.



MORE INFORMATION
When it is necessary to distinguish a user or control access to resources with greater granularity than that provided by the anonymous user account, Site Server Membership uses a proxy account. The account used as the proxy account can be configured through the Site Server Microsoft Management Console (MMC). You select properties for the membership instance in the MMC. By default, the account name is MemProxyUser(n). This is an actual Windows NT account that can be configured (including the password) through the Windows NT User Manager.

The DCOM instantiation problem can be worked around by creating identical proxy accounts (including passwords) on both the Site Server and DCOM object computers. User Manager should be used for this. The easiest way to do this is to change the password for the existing proxy account on the Site Server computer (with the User Manager), set and check the new password for the Membership instance in the MMC, then create an identical account on the computer that runs the DCOM object.

NOTE: Be aware that this fix may not work in future versions of Windows NT.

A second workaround is to use an account with domain access as the proxy account. In this case, however, Membership may not handle access to Windows NT resources (including files) properly. When Membership uses a local proxy account, privileges are added to the account dynamically according to which Membership groups the client accessing the Web server belongs to. In the case of a domain account, privileges will not be added correctly.

(c) Microsoft Corporation 1999, All Rights Reserved. Contributions by Robert Duke, Microsoft Corporation.

