How do I properly instantiate 32-bit COM objects in classic ASP after installing Windows Update KB4340558?

31
votes

On Windows Server 2012 R2, after installing update KB4340558 (update history) / KB4338424 (installed updates) we can no longer instantiate .NET .DLLs (interop) in classic ASP in 32-bit mode using server.createobject. We receive the error 0x800A01AD "ActiveX component can't create object"

When we uninstall the update, the error disappears. Despite my best efforts, I was unable to find an alternate solution to uninstalling. We would prefer to reinstall the update and make whatever changes were necessary to Windows Server and/or the DLL's to allow the COM objects to be instantiated properly. There are no clues in the system logs, no clues in the CVE database, and no clues in the errors ASP is generating. Please help!

5
asp-classiccomiis-8windows-server-2012-r2
Does it change anything if you use plain CreateObject instead of Server.CreateObject? - Simon Mourier
Same result using plain CreateObject. - user2458080
Is Enable 32-bit Applications set to True in the app pool configuration? - mjw
Yes. The issue is a result of installing a .NET security rollup that came out yesterday (7/10/2018). The control worked fine prior to installing the update, and again after uninstalling the update. The KB articles and CVE database didn't directly address any changes that the rollup fixed that might cause this error-- or if they did I missed them. - user2458080
The two are urgent security patches to address recent disclosed security vulnerability. I assume that while fixing issues the patch did not pass more compatibility testing, like your case. Thus, your only hope is to come after Microsoft via its support services, so that they release a better patch than the current version. This site won't help you much. - Lex Li

5 Answers

35
votes

We were affected with multiple customers too.

I ruled out invalid strong-name signing of our assemblies, since the .NET Assemblies from the Framework itself were affected by that access-denied error too.

Finally I managed to solve the issue by configuration. Apparently the authenticating identity of the website has now to match the identity of the app-pool. Or IUSR has no longer enough permissions.

enter image description here

EDIT: 19.07.2018

Warning! This change also has a side-effect:

The asp-classic event "Session_OnEnd" was no longer called and therefore resources eventually could no longer be freed. But there is a fix for that, too!

The ASP-Config-Property "system.webServer/asp/runOnEndAnonymously" has to be "false", then the event fires again.

enter image description here

EDIT 2: 23.07.2018

As Dijkgraaf pointed out, Microsoft now considers this "new behaviour" a bug. So i guess my "solution" should now be considered a workaround until a new patch comes to rescue.

18
votes

We run our application pool under a specific identity, to enable a network share and database access. I too thought we were stuck after reading @keydon's answer above.

However, there are three places that we must configure the identity:

  • The Application Pool - should use the specific identity
  • The Website "Connect As" - should use the "Application pool identity"
  • The Anonymous Authentication option, under the Authentication feature - should use "Application pool identity"

That last one was the thing that we were missing - years of considering only the first two meant that we mis-read the great advice above.

8
votes

Microsoft is aware of the issue and the relevant KB is "Access Denied" errors and applications with COM activation fail after installing July 2018 Security and Quality Rollup updates for .NET Framework

This has impacted BizTalk, SharePoint, IIS with classic ASP and .NET application that uses impersonation.

Workarounds for Classic ASP are as follows

IIS Hosted Classic ASP calling CreateObject for .NET COM objects may receive an "ActiveX component can't create object" error:

  • If your web site uses Anonymous Authentication: Change the Web Site Anonymous Authentication credentials to use the "Application pool identity".
  • If your site uses Basic Authentication or Windows Authentication: Log into the application once as the application pool identity, then create an instance of the .NET COM component. Afterwards other site users will be able to active the .NET COM component without the failure.
  • Alternatively, if you are using Windows Authentication and accessing the web site from the console of the Windows Server where the ASP application runs: Creating an instance of the .NET COM component also resolves error for other site users.
5
votes

We support a Classic ASP site running in IIS Anonymous Authentication. The application instantiates a DLL .NET object exposed as COM visible.

After applying recent security Windows Updates and reboot OS our application crashed with following error:

Microsoft VBScript runtime error '800a01ad'
ActiveX component can't create object: 'NameOfObjectInDLL'

In our case, this last advice fixed our problems.

IIS > Authentication > Anonymous Authentication - Edit > "Application pool identity"

screenshot1

5
votes

This is only to confirm the solution provided by keydon, combined by the one provided by TimP. And give them thanks!!

In our case we've changed the following 3 parts (and an additional 4th for new permissions):

  1. Web server Authentication properties: set Anonymous Authentication with "Application pool identity" instead of "Specific User".

  2. Application Pool "Identity" property: set to "ApplicationPoolIdentity" instead of "LocalSystem".

  3. Web Site "Connect As" for physical path: set to "Application user (pass-through authentication)" instead of "Specific User".

  4. Add permissions for "Application Pool Identity user name" in the shared folder where the web application files are. Have a look to https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities#securing-resources

Thank you!! (I'm sorry I can't vote your solutions because I'm starter and I don't have any reputation)