PRB: DCOM and ASP - A Security Package Specific Error Occurred

• Microsoft Internet Information Server version 4.0
• Active Server Pages

SYMPTOMS

When attempting to access a Distributed Component Object Model (DCOM) object from Active Server Pages (ASP) using NTLM authentication one of the following errors occurs:

Server object error 'ASP 0177 : 80070721'
Server.CreateObject Failed
/<file>.asp, line ##
A security package specific error occurred.

-or-

80070721 RPC_S_SEC_PKG_ERROR "A security package specific error occurred."

CAUSE

Windows NT Challenge/Response (NTLM) Authentication will not allow access to any network resources beyond the Internet Information Server (IIS) computer. This is because NTLM authentication does not pass a user's credentials over the wire, rather it only passes a security token created at the time the user is authenticated on the network.

This means that the username and password are unavailable to IIS when it is challenged for access to a network resource, and IIS is unable to create and pass a user's security token over the network. Thus, access to network resources requiring authentication will be denied.

However, if the browser (Internet Explorer) is running on the same computer as the Internet Information Server, this error will not occur using NTLM since the username and password credentials are available.

RESOLUTION

There are a few options available to work around this problem, the merits of each are described as follows:

• If you require that users be authenticated when accessing the component, using Basic Authentication will overcome this limitation.



• Using Basic Authentication means users will be sending their network credentials in plain text over the network, potentially exposing the network to a security breech. If this is a concern for you, you can use Basic Authentication over Secure Sockets Layer (SSL).



• If you do not need to authenticate a user's access to the component, you can set the remote object to be executed under specific network credentials only.

Enabling Basic Authentication

1. Open the Microsoft Management Console (MMC) for Internet Service Manager.



2. Open the properties sheet of the application root (or virtual directory) to which you wish to apply the changes.



3. Select the Directory Security tab and click the Edit button under Anonymous Access and Authentication Control.



4. A new dialog box titled Authentication Methods opens. Make sure Basic Authentication is the only option selected, then apply the changes.

Enabling Secure Sockets Layer

   Microsoft Internet Information Server\Server Administration\Security\Authentication\Setting Up SSL on Your Server 

Running the Component as a Specific User

Q176799 INFO: Using DCOM Config (DCOMCNFG.EXE) on Windows NT

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce Behavior

1. To reproduce this scenario, you will need three separate computers:
   
   

   
         - computer(1): IIS server
         - computer(2): DCOM server
         - computer(3): Internet Explorer client 




2. Create an ASP page on computer(1) that creates an instance of the DCOM object using the following:
   
   

      Server.CreateObject("ProgID.ClassID") 




3. Set the authentication in IIS to NT Challenge/Response only.



4. On computer(2) start your DCOM server.



5. On computer(3) browse to the ASP page that instantiates your DCOM object.

Server object error 'ASP 0177 : 80070721'
Server.CreateObject Failed
/<file>.asp, line ##
A security package specific error occurred.

REFERENCES

For additional information, please see the following article(s) in the Microsoft Knowledge Base:

Q158229 INFO: Security Ramifications for IIS Applications

Q156223 HOWTO: Launching OLE Servers from ISAPI Extensions

Additional query words: kbDSupport kbSecurity kbErrMsg

Keywords : kbole kbASP kbCOMt kbDCOM kbInternet kbSecurity kbGrpASP kbInetDev
Version : winnt:4.0
Platform : winnt
Issue type : kbprb