PRB: DCOM and ASP - A Security Package Specific Error Occurred

ID: Q201843


The information in this article applies to:
  • Microsoft Internet Information Server version 4.0
  • Active Server Pages


SYMPTOMS

When attempting to access a Distributed Component Object Model (DCOM) object from Active Server Pages (ASP) using NTLM authentication, one of the following errors occurs:

Server object error 'ASP 0177 : 80070721'
Server.CreateObject Failed
/<file>.asp, line ##
A security package specific error occurred.
-or-
80070721 RPC_S_SEC_PKG_ERROR "A security package specific error occurred."


CAUSE

Windows NT Challenge/Response (NTLM) Authentication will not allow access to any network resources beyond the Internet Information Server (IIS) computer. This is because NTLM authentication does not pass a user's credentials over the wire; it passes only a security token created at the time the user is authenticated on the network.

This means that the username and password are unavailable to IIS when it is challenged for access to a network resource, and IIS is unable to create and pass a user's security token over the network. Thus, access to network resources requiring authentication will be denied.

However, if the browser (Internet Explorer) is running on the same computer as the Internet Information Server, this error will not occur using NTLM since the username and password credentials are available.


RESOLUTION

There are a few options available to work around this problem. The merits of each are described as follows:

  • If you require that users be authenticated when accessing the component, using Basic Authentication will overcome this limitation.


  • Using Basic Authentication means users will be sending their network credentials in plain text over the network, potentially exposing the network to a security breach. If this is a concern for you, you can use Basic Authentication over Secure Sockets Layer (SSL).


  • If you do not need to authenticate a user's access to the component, you can set the remote object to be executed under specific network credentials only.


Enabling Basic Authentication

  1. Open the Microsoft Management Console (MMC) for Internet Service Manager.


  2. Open the properties sheet of the application root (or virtual directory) to which you wish to apply the changes.


  3. Select the Directory Security tab and click the Edit button under Anonymous Access and Authentication Control.


  4. A new dialog box titled Authentication Methods opens. Make sure Basic Authentication is the only option selected, then apply the changes.


Enabling Secure Sockets Layer

If you wish to use Secure Sockets Layer in conjunction with Basic Authentication, please see the Windows NT 4.0 Option Pack documentation at the following path:


   Microsoft Internet Information Server\Server Administration\Security\Authentication\Setting Up SSL on Your Server 

Running the Component as a Specific User

For more information on running the component as a specific user (that is, setting the identity), please see the following article in the Microsoft Knowledge Base:
Q176799 INFO: Using DCOM Config (DCOMCNFG.EXE) on Windows NT


STATUS

This behavior is by design.


MORE INFORMATION

Steps to Reproduce Behavior

  1. To reproduce this scenario, you will need three separate computers:

       - computer(1): IIS server
       - computer(2): DCOM server
       - computer(3): Internet Explorer client


  2. Create an ASP page on computer(1) that creates an instance of the DCOM object using the following:

       Server.CreateObject("ProgID.ClassID") 


  3. Set the authentication in IIS to NT Challenge/Response only.


  4. On computer(2) start your DCOM server.


  5. On computer(3) browse to the ASP page that instantiates your DCOM object.


The following error displays on the browser:

Server object error 'ASP 0177 : 80070721'
Server.CreateObject Failed
/<file>.asp, line ##
A security package specific error occurred.
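
The following ASP page is an added diagnostic example, not code from this article. It traps the failure from step 2, reports whether the request was authenticated with NTLM, and refuses Basic Authentication unless the request arrived over SSL. "ProgID.ClassID" is the article's placeholder; the variable names and message texts are illustrative, and the page assumes the failure can be trapped with On Error Resume Next, with Err.Number carrying the 80070721 code.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added diagnostic example (not part of the original article).
' "ProgID.ClassID" is the article's placeholder for the remote DCOM class.

Const RPC_S_SEC_PKG_ERROR = &H80070721   ' "A security package specific error occurred."

Dim authType, logonUser, isSsl, obj, errNum, errDesc
authType  = UCase(Request.ServerVariables("AUTH_TYPE"))   ' "NTLM", "BASIC" or "" (anonymous)
logonUser = Request.ServerVariables("LOGON_USER")
isSsl     = (LCase(Request.ServerVariables("HTTPS")) = "on")

' Basic Authentication sends credentials in plain text, so accept it only over SSL.
If authType = "BASIC" And Not isSsl Then
    Response.Status = "403 Forbidden"
    Response.Write "Basic Authentication is accepted only over SSL."
    Response.End
End If

' Attempt the remote activation and capture the error instead of aborting the page.
On Error Resume Next
Set obj = Server.CreateObject("ProgID.ClassID")
errNum  = Err.Number
errDesc = Err.Description
On Error GoTo 0

If errNum = 0 Then
    Response.Write "Object created for " & Server.HTMLEncode(logonUser) & _
                   " (authentication: " & Server.HTMLEncode(authType) & ")."
    Set obj = Nothing
ElseIf errNum = RPC_S_SEC_PKG_ERROR And authType = "NTLM" Then
    ' The case this article describes: IIS holds no credentials it can
    ' present to the DCOM server on behalf of the NTLM-authenticated user.
    Response.Write "80070721: the request was authenticated with NTLM, so IIS " & _
                   "cannot pass this user's identity to the DCOM server. Use Basic " & _
                   "Authentication over SSL, or run the component as a specific user."
ElseIf errNum = RPC_S_SEC_PKG_ERROR Then
    Response.Write "80070721 with authentication type '" & _
                   Server.HTMLEncode(authType) & "': check the DCOM server's security settings."
Else
    Response.Write "Server.CreateObject failed: 0x" & Hex(errNum) & " " & _
                   Server.HTMLEncode(errDesc)
End If
%>
```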


REFERENCES

For additional information, please see the following article(s) in the Microsoft Knowledge Base:

Q158229 INFO: Security Ramifications for IIS Applications
Q156223 HOWTO: Launching OLE Servers from ISAPI Extensions

Version : winnt:4.0
Platform : winnt
Issue type : kbprb


Last Reviewed: February 25, 1999
© 2000 Microsoft Corporation. All rights reserved.