IIS Insider - May 2003

By Brett Hill

Permission Denied Running CDONTS Application

Q: I am trying to use the following script on my site. (http://www.microsoft.com/technet/community/columns/insider/iisi1201.mspx)

<%
Dim objMail
Set objMail = Server.CreateObject("CDONTS.NewMail")
objMail.From = "yourname@youremail.com"
objMail.Subject = "A Sample mail sent with CDONTS"
objMail.To = "someone@somwhere.com"
objMail.Body = "Here is the message."
objMail.Send
set objMail = nothing
%>

but my server always gives me the error code:

Microsoft VBScript runtime error '800a0046'- Permission denied.

A: CDONTS was designed to be run as an in-process component using IIS 4.0 on Windows NT 4.0. When you run an application out-of-process it runs in MTS.EXE (IIS 4.0) or DLLHOST.EXE (IIS5) process using the IWAM_<computername> account. When running applications out-of-process, the IWAM account may require access to files and system resources. In the case of the CDONTS object, the IWAM account requires access to the machine keys of the system (see Microsoft Knowledge Base article 318478) and certain folders in the Inetpub\Mailroot folder (see Microsoft Knowledge Base article 260985).

With this information in hand, there are a few possibilities.

First, as a matter of policy, you should recode your applications to use the CDOSYS object (as referenced in the December 2001 IIS Insider). This will help to ensure future support as the CDOSYS object is not installed on Windows 2000 or Windows Server 2003. This may or may not be sufficient to solve your problem.

Secondly, if the CDONTS application runs in process but not out-of-process, you are almost certainly looking at an issue related to the IWAM user account permissions. Running your CDONTS application in process may not be possible or desirable for security reasons, but will avoid permissions-related problems associated with the IWAM account. Verify the Mailroot and machine keys have the proper permissions.

Thirdly, you also get the error you're seeing if the user that launches the ASP script does not have proper permissions on the Mailroot\Pickup folder. By default the MailRoot folder is set to Everyone – Full Control, which is too permissive. I would suggest assigning Authenticated Users – Read/Write, in addition to System and Administrators Full Control. This will allow the IUSR and IWAM users as well as any other user accounts to write mail to the SMTP folders. You should also Deny Execute to the IUSR_<computername> account on these folders. If you have run the IIS Lockdown tool, you can use the Web Anonymous Users local group for this purpose. Do not deny the Web Applications group Write permissions.
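The Mailroot permission change described in the third point, written out as a batch file. This is an added example, not part of the original column; it assumes icacls.exe is available (Windows Server 2003 SP2 and later), that Mailroot sits in the default Inetpub location on the system drive, and that the anonymous account is named IUSR_<computername>.

```batch
@echo off
rem Added example (not from the original column): replace the default
rem Everyone - Full Control ACL on the SMTP Mailroot folder with the
rem permissions the answer recommends.
rem Assumptions: icacls.exe is present, Mailroot is in the default
rem location, and the anonymous web account is IUSR_<computername>.
setlocal
set MAILROOT=%SystemDrive%\Inetpub\mailroot
set ANON=IUSR_%COMPUTERNAME%

rem Save the current ACLs first so the change can be reverted.
icacls "%MAILROOT%" /save "%TEMP%\mailroot-acl.bak" /t

rem Weak default: Everyone - Full Control. Remove the explicit grant.
icacls "%MAILROOT%" /remove:g Everyone /t

rem System and Administrators keep Full Control on folders and files.
icacls "%MAILROOT%" /grant SYSTEM:(OI)(CI)F Administrators:(OI)(CI)F

rem Authenticated Users get Read/Write, which covers IUSR and IWAM
rem as well as other accounts that drop mail into the Pickup folder.
icacls "%MAILROOT%" /grant "Authenticated Users":(OI)(CI)(R,W)

rem Deny Execute to the anonymous web account.
icacls "%MAILROOT%" /deny %ANON%:(OI)(CI)(X)

rem Check the result: Everyone should no longer be listed.
icacls "%MAILROOT%" | findstr /i "Everyone" >nul
if not errorlevel 1 echo WARNING: Everyone still has an entry on %MAILROOT%

rem Print the final ACL for review.
icacls "%MAILROOT%"
endlocal
```

If a CDONTS application still fails after the change, check the saved ACL file against the new listing before loosening anything.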

Server Execution Failed After IIS 5.0 Setup

Q: On IIS 5.0, we want to run applications in the default setting for application protection – Medium (pooled). When so configured, we get the error message:

Error code 800800005 - Server execution failed.

We have tried uninstalling and reinstalling IIS but still get the message. What can we do to fix this?

A: This message usually means that something did not quite go right during the setup of your server or installation of IIS. Check the IIS5.log file (in the %systemroot% folder, which is usually \Winnt) for the word FAIL. That may point out where the problem lies. This message is most likely accompanied by some Event Viewer messages that can provide useful information. Additionally, it would be worth a try to run Synciwam.vbs, which can be found in the \Inetpub\Adminscripts folder by default. Finally, for a little-known tip – open Control Panel and click Add/Remove Windows Programs. Don't make any changes, and then click OK. This makes Windows 2000 perform some verification tests on the setup of IIS and COM+ objects.

How To Restart IIS from a Command Prompt

Q: How can I restart IIS from a command prompt?

A: If you open the Services console in Windows 2000 and click on the IIS Admin Service, Dependencies tab, you will find that the IIS Admin Service is dependent on the RPC and Protected Storage services, and has as dependents SMTP, the World Wide Web Publishing Service, as well as FTP and NNTP (not shown). If you stop the IIS Admin Service, the dependent services are also stopped. However, if you start the IIS Admin Service, the dependent services are not automatically started (this behavior is also true in IIS 4).

To stop and start IIS, you have to do an orderly shutdown and startup of all IIS services.

There are a number of ways to do this. On IIS 5, you can issue an IISRESET command from a command prompt which will stop and then start IIS and related services. IISRESET has a number of switches available including REBOOTONERROR and NOFORCE and can be invoked from a remote server. IISRESET is not available in IIS 4.

Alternately, you can run a NET STOP IISADMIN /y at a command prompt, batch file or script. This will automatically stop all services dependent on the IISADMIN service. While shutting down, the dependent services are set to automatic. They do not start up automatically when you start the IISADMIN service. The IISADMIN service, however, will start if you start one of the dependent services. Consequently, to restart the server, you can run a series of commands to start each IIS internet protocol service. For example:


'and so on, and the IISADMIN service will automatically start.

When restarting the services in this way, timing may be a factor. If you have a large metabase, it may take some time for the IISADMIN service to start completely. Although it is not normally necessary, you may need to place some pauses in your startup scripts to correctly manage timing.
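The NET STOP / NET START sequence and the timing caveat above, combined in one batch file. This is an added example, not from the original column; the short names SMTPSVC, MSFTPSVC and NNTPSVC for the SMTP, FTP and NNTP services, the retry count and the pause length are assumptions to adjust for the server.

```batch
@echo off
rem Added example (not from the original column): orderly IIS restart
rem with NET STOP / NET START, for servers where IISRESET is not used.
rem Assumption: SMTPSVC, MSFTPSVC and NNTPSVC are the short names of
rem the SMTP, FTP and NNTP services. Trim the list below to the
rem services actually installed on this server.
setlocal

rem /y confirms stopping every service that depends on IISADMIN.
net stop iisadmin /y

rem Starting a dependent service starts IISADMIN automatically.
for %%S in (w3svc smtpsvc msftpsvc nntpsvc) do call :start_service %%S

endlocal
goto :eof

:start_service
set TRIES=0
:retry
net start %1
if not errorlevel 1 goto :eof
set /a TRIES+=1
if %TRIES% geq 3 (
    echo %1 did not start after %TRIES% attempts, check the event log
    goto :eof
)
rem A large metabase can delay IISADMIN. Pause about 10 seconds
rem (ping is used as the delay) and try the same service again.
ping -n 11 127.0.0.1 >nul
goto retry
```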

In addition to these methods, you can write a VBScript, Perl, or WMI script to perform these same functions. In particular, WMI has a lot of capabilities for server administration on Windows 2000 and Windows Server 2003. See the January 2003 Tales from the Script column on creating a sample WMI script that monitors a Web server to see if the service is running and automatically restarts W3SVC if not.

Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.
