Article ID: 243828
Article Last Modified on 11/2/2006
APPLIES TO
- Microsoft Active Server Pages 4.0, when used with:
- Microsoft Internet Information Server 4.0
- Microsoft Internet Information Services 5.0
This article was previously published under Q243828
SYMPTOMS
When you instantiate an in-process COM component from ASP's Session_OnEnd event, the COM component runs using the process token. During the Session_OnEnd event, the thread of execution reverts to the process security token. If the Web application is in-process, the process token is the Local System security context. If the Web application is set to run in a separate memory space, the process token is the IWAM_<machine> account. This behavior can produce a variety of unexpected results, but the most common result is an error message stating "Access is Denied".
RESOLUTION
Workaround #1
Add your component to a Microsoft Transaction Server (MTS) Server Package. A server package launches a new Mtx.exe in the security context of the package user identity, so the security context is preserved.
If you are using Microsoft Windows 2000 and Microsoft Internet Information Services (IIS) 5.0, add your component to a COM+ application. A server package launches a new Dllhost.exe file in the security context of the package user identity. Therefore, the security context is preserved.
Workaround #2
You can impersonate a specific security context by making the following calls from within your component:
- LogonUser
- ImpersonateLoggedOnUser
NOTE: If your Web application is in-process, the executing thread is running under the Local System account. By default, the Local System account has the correct privilege to call LogonUser successfully. If your Web application runs in a separate memory space from Inetinfo.exe, the executing thread is running under the IWAM_<machine> account. By default, the IWAM_<machine> account does not have the privilege to call LogonUser, so you will need to modify the account. Windows NT Auditing can be useful in diagnosing permission and privilege issues.
IMPORTANT: After you are done with the impersonation, you must call RevertToSelf.
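Workaround #2 as a helper for a VB6 class module, added here as an example and not part of the original article. The Worker object and its Run method are hypothetical, and the interactive logon type is an assumption; the sketch shows RevertToSelf and CloseHandle running on every exit path, including when the impersonated work fails.

```vb
Option Explicit
Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
    ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_INTERACTIVE As Long = 2   ' assumed logon type
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0
Private Const ERROR_PRIVILEGE_NOT_HELD As Long = 1314

' Runs Worker.Run (hypothetical late-bound method) under the given account,
' then always returns the thread to the process token.
Public Sub RunImpersonated(ByVal User As String, ByVal Domain As String, _
                           ByVal Password As String, ByVal Worker As Object)
    Dim hToken As Long, ApiErr As Long, Impersonating As Boolean
    Dim ErrNum As Long, ErrText As String

    If LogonUser(User, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then
        ApiErr = Err.LastDllError          ' read before any other API call
        ' 1314 is what the IWAM_<machine> case in the NOTE above looks like
        If ApiErr = ERROR_PRIVILEGE_NOT_HELD Then
            Err.Raise vbObjectError + 1, , "Account lacks the privilege LogonUser needs"
        End If
        Err.Raise vbObjectError + 2, , "LogonUser failed, Win32 error " & ApiErr
    End If

    On Error GoTo Cleanup
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        Err.Raise vbObjectError + 3, , "ImpersonateLoggedOnUser failed, Win32 error " & Err.LastDllError
    End If
    Impersonating = True
    Worker.Run                             ' work that needs the user's context

Cleanup:
    ErrNum = Err.Number: ErrText = Err.Description   ' save before On Error resets Err
    On Error GoTo 0
    If Impersonating Then
        ' If this fails the thread keeps the user's identity; report it
        If RevertToSelf() = 0 Then ErrNum = vbObjectError + 4: ErrText = "RevertToSelf failed"
    End If
    If hToken <> 0 Then CloseHandle hToken           ' release the logon token
    If ErrNum <> 0 Then Err.Raise ErrNum, , ErrText
End Sub
```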
STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.
Keywords: kbaspobj kbbug kbnofix KB243828