Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

You may receive an error message when you try to start a CGI program that is hosted on IIS 6

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 904056 - Last Review: December 3, 2007 - Revision: 1.2

You may receive an error message when you try to start a CGI program that is hosted on IIS 6

View products that this article applies to.
Important This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

On This Page

SYMPTOMS

When you try to start a Common Gateway Interface (CGI) program that is hosted on Microsoft Internet Information Services (IIS) 6, you may receive an error message that is similar to one of the following:
The configured user for the current application pool does not have enough privileges to run CGIs
Http 403-Forbidden: Access is denied
Note You receive the error message even though the application pool security account is a member of the IIS_WPG group.
Back to the top

CAUSE

This problem may occur if the application pool security account does not have the "Adjust memory quotas for a process" user right or the "Replace a process level token" user right.
Back to the top

RESOLUTION

To resolve this problem, use one of the following methods. Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.
Back to the top

Method 1: Set the CreateProcessAsUser metabase setting to false

To set the CreateProcessAsUser metabase setting to false, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type cd drive:\Inetpub\adminscripts, and then press Enter.

    Note In this step, drive is the hard disk where the Inetpub folder is located.
  3. At the command prompt, type Cscript.exe Adsutil.vbs SET W3Svc/CreateProcessAsUser false, and then press Enter.
Back to the top

Method 2: Grant the required user right to the application pool security account

To resolve this problem, grant the required user right to the application pool security account. To do this, use one of the following methods.

Method 2a: Use the Domain Controller Security Policy tool

If the computer is a domain controller, follow these steps:
  1. Start the Domain Controller Security Policy tool.

    For more information about how to start the Domain Controller Security Policy tool, click the following article number to view the article in the Microsoft Knowledge Base:
    832214  (http://kbalertz.com/Feedback.aspx?kbNumber=832214/ ) "You may not have appropriate rights" error message when you try to open the Domain Security Policy console or the Domain Controller Security Policy console from the command prompt
  2. In the left pane, expand Local Policies, and then click User Rights Assignment.
  3. In the right pane, double-click the policy that you want.
  4. Click Add User or Group.
  5. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.

    Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
  6. Click OK two times.
  7. Exit the Domain Controller Security Policy tool.

Method 2b: Use the Group Policy Object Editor

If the computer is a member of a domain, follow these steps:
  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Under Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Local Policies.
  3. In the left pane, click User Rights Assignment.
  4. In the right pane, double-click the policy that you want.
  5. Click Add User or Group.
  6. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.

    Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
  7. Click OK two times.
  8. Exit the Group Policy Object Editor.

Method 2c: Use the Local Security Settings tool

If the computer is not a member of a domain, follow these steps:
  1. Click Start, click Run, type secpol.msc, and then click OK.
  2. Under Security Settings, expand Local Policies.
  3. Click User Rights Assignment.
  4. In the right pane, double-click the policy that you want.
  5. Click Add User or Group.
  6. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.

    Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
  7. Click OK two times.
  8. Exit the Local Security Settings tool.
Back to the top

STATUS

This behavior is by design.
Back to the top

MORE INFORMATION

In IIS 6, the authenticated user account is used to start CGI programs. If the Web site accepts anonymous users, CGI programs run by using the anonymous user account instead of the security account for the application pool. If the CreateProcessAsUser metabase property is set to false, the application pool security account is used to start the CGI program.

The default security account for an application pool is the Network Service security account. The Network Service security account has the "Adjust memory quotas for a process" user right or the "Replace a process level token" user right. Additionally, the IWAM account for the computer and the Local Service accounts also have these user rights. If you change the application pool security account, the CGI program may not work as expected. For example, if you add a user to the IIS_WPG group, and this user does not have the "Adjust memory quotas for a process" user right or the "Replace a process level token" user right, the CGI program may not work as expected.
Back to the top
APPLIES TO
  • Microsoft Internet Information Services 6.0
Back to the top
Keywords: 
kbtshoot kbprb kbpermissions KB904056
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting