Microsoft KB Archive/201843


Article ID: 201843

Article Last Modified on 4/22/2003



APPLIES TO

  • Microsoft Active Server Pages 4.0



This article was previously published under Q201843

SYMPTOMS

When you try to access a Distributed Component Object Model (DCOM) object from Active Server Pages (ASP) using NTLM authentication, one of the following errors occurs:

Server object error 'ASP 0177 : 80070721'
Server.CreateObject Failed
/<file>.asp, line ##
A security package specific error occurred.


-or-


80070721 RPC_S_SEC_PKG_ERROR "A security package specific error occurred."

CAUSE

Windows NT Challenge/Response (NTLM) authentication will not allow access to any network resources beyond the Microsoft Internet Information Server (IIS) computer. This is because NTLM authentication does not pass a user's credentials over the wire; rather it only passes a security token that is created at the time the user is authenticated on the network.

This means that the user name and password are unavailable to IIS when it is challenged for access to a network resource, and IIS is unable to create and pass a user's security token over the network. Thus, access to network resources that require authentication will be denied.

However, if the browser (Microsoft Internet Explorer) is running on the same computer as the Internet Information Server, this error will not occur using NTLM because the user name and password credentials are available.

RESOLUTION

Several options are available to work around this problem. The merits of each are described as follows:

  • If you require that users be authenticated when accessing the component, you can use Basic Authentication to overcome this limitation.
  • If you use Basic Authentication, users will be sending their network credentials in plain text over the network, potentially exposing the network to a security breach. If this is a concern for you, you can use Basic Authentication over Secure Sockets Layer (SSL).
  • If you do not need to authenticate a user's access to the component, you can set the remote object to be executed under specific network credentials only.

How to Enable Basic Authentication

  1. Open the Microsoft Management Console (MMC) for Internet Service Manager.
  2. Open the properties sheet of the application root (or virtual directory) to which you want to apply the changes.
  3. On the Directory Security tab, click Edit under Anonymous Access and Authentication Control.
  4. In the Authentication Methods dialog box, make sure that Basic Authentication is the only option that is selected, and then apply the changes.

How to Enable Secure Sockets Layer

If you want to use Secure Sockets Layer (SSL) in conjunction with Basic Authentication, see the Windows NT 4.0 Option Pack documentation at the following path:

Microsoft Internet Information Server\Server Administration\Security\Authentication\Setting Up SSL on Your Server
                

How to Run the Component as a Specific User

For more information on running the component as a specific user (that is, setting the identity), see the following article in the Microsoft Knowledge Base:

176799 INFO: Using DCOM Config (DCOMCNFG.EXE) on Windows NT


STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce Behavior

  1. To reproduce this scenario, you will need three separate computers:
    • Computer 1: IIS server
    • Computer 2: DCOM server
    • Computer 3: Internet Explorer client


  2. Create an ASP page on Computer 1 that creates an instance of the DCOM object by using the following code:

    Set obj = Server.CreateObject("ProgID.ClassID")
                        
  3. Set the authentication in IIS to NT Challenge/Response only.
  4. On Computer 2, start your DCOM server.
  5. On Computer 3, browse to the ASP page that instantiates your DCOM object. The browser displays the following error message:

    Server object error 'ASP 0177 : 80070721'
    Server.CreateObject Failed
    /<file>.asp, line ##
    A security package specific error occurred.
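
A diagnostic version of the page from step 2, added here as an example and not part of the original article: it traps the 80070721 failure and reports which authentication method was in effect and whether IIS holds credentials it could present to Computer 2. `ProgID.ClassID` is the article's placeholder; the `Report` helper and the variable names are illustrative.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added diagnostic sketch; "ProgID.ClassID" is the article's placeholder ProgID.
Const RPC_S_SEC_PKG_ERROR = &H80070721   ' HRESULT shown in the error text above

Dim authType, isNtlm, isBasic, isSsl, isLocal, hasPassword, obj, errNum, errText
authType    = Request.ServerVariables("AUTH_TYPE")   ' "Basic", "NTLM", or "" (anonymous)
isNtlm      = (UCase(authType) = "NTLM")
isBasic     = (UCase(authType) = "BASIC")
isSsl       = (LCase(Request.ServerVariables("HTTPS")) = "on")
' Browser running on the IIS computer itself: the case in which NTLM does not fail.
isLocal     = (Request.ServerVariables("REMOTE_ADDR") = Request.ServerVariables("LOCAL_ADDR"))
' Only the presence of the password is tested; its value is never written out.
hasPassword = (Len(Request.ServerVariables("AUTH_PASSWORD")) > 0)

' Trap the failure instead of letting ASP 0177 abort the page.
On Error Resume Next
Set obj = Server.CreateObject("ProgID.ClassID")
errNum  = Err.Number
errText = Err.Description
On Error GoTo 0

Sub Report(label, value)
    Response.Write Server.HTMLEncode(label & ": " & value) & "<br>" & vbCrLf
End Sub

Report "AUTH_TYPE", authType
Report "LOGON_USER", Request.ServerVariables("LOGON_USER")
Report "User name and password available to IIS", CStr(hasPassword)
Report "Browser on IIS computer", CStr(isLocal)

If errNum = 0 Then
    Report "CreateObject", "succeeded"
    Set obj = Nothing
ElseIf errNum = RPC_S_SEC_PKG_ERROR And isNtlm And Not isLocal Then
    Report "CreateObject", "failed with 80070721: NTLM gave IIS no " & _
        "credentials to present to the DCOM server"
Else
    Report "CreateObject", "failed with 0x" & Hex(errNum) & " " & errText
End If

' The caveat from the RESOLUTION section, checked at run time.
If isBasic And Not isSsl Then
    Report "Warning", "Basic Authentication without SSL sends credentials in plain text"
End If
%>
```

Remove the page after troubleshooting, because it discloses the authentication configuration to anyone who can browse to it.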


REFERENCES

For additional information, see the following articles in the Microsoft Knowledge Base:

158229 INFO: Security Ramifications for IIS Applications


156223 HOWTO: Launching OLE Servers from ISAPI Extensions


Keywords: kberrmsg kbinetdev kbsecurity kbdcom kbprb KB201843