Permission denied sending mail using CDONTS

Monday, October 28, 2002

I use the CDONTS object to easily send SMTP messages through my Exchange server in all sorts of web pages. I recently upgraded to Exchange 2000, and applied SP3, and all of a sudden coudn't send anymore. This one took a little digging, so here's the solution for reference.

The permission denied issue has been around a long time with Exchange 5.5, and usually it was a folder permissions issue:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q228465

However, I'm not using Exchange 5.5, I'm using 2000, and besides, all the permission are correct.

So, it turns out it's actually an SP3 issue, not really Exchange 2000. In SP3, Microsoft removed the general ability to be able to read some IIS metabase settings, requiring the administrator to specifically grant access to the specific user to the specific item needed.

Here's basically what's needed. First, the following script (copy and paste into a MbaAdd.VBS file on your machine), then run it as such:

MbaAdd.vbs <ComputerName>\<AccountName>

    Option explicit
    Dim objSMTP, objInst, objSD, objACL, objACE, objNew
    Dim sAccount

    sAccount = wscript.arguments(0)
    wscript.echo "Updating SMTP service instances..."
    Set objSMTP = GetObject("IIS://LOCALHOST/SMTPSVC")

    For Each objInst In objSMTP
       If objInst.class = "IIsSmtpServer" Then
          wscript.echo objInst.ADSPath
          set objSD = objInst.AdminACL
          set objACL = objSD.DiscretionaryACL
          set objNew = CreateObject("AccessControlEntry")
          objNew.AccessMask = 9 ' read + enumerate
          objNew.AceType = 0 ' ADS_ACETYPE_ACCESS_ALLOWED
          objNew.AceFlags = 2 ' ADS_ACEFLAG_INHERIT_ACE
          objNew.Trustee = sAccount

          objACL.AddAce objNew
          objSD.DiscretionaryACL = objACL
          objInst.Put "adminACL", Array(objSD)
          objInst.SetInfo
       End If
    Next

Refer to http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q324037 for more information.

37 Comments

• Barbarin: It works, it works!!! Thanks Thanks, very, very much (commented on 11/23/2002 11:00:40 PM)
• greig: Hello, Found this article and had the same problem and the above fixed it. Thanks. (commented on 11/29/2002 6:37:27 AM)
• Alan Wu: Thank you very much!!! (commented on 12/13/2002 3:56:22 PM)
• Geof: Thanks a real life saver!! (commented on 12/30/2002 10:04:29 PM)
• Oliver Degnan: Well, it worked UNTIL I restarted the machine. After rebooting the machine, everything went back to the previous settings. Any idea what could cause this? (commented on 12/31/2002 1:33:30 PM)
• greig: Commented previously...agree now with oliver, server went down after a powercut and the settings went back to previous setting....im looking for a permanent fix, will post if I do find anything... (commented on 1/2/2003 6:36:32 AM)
• wesley lichtert: Thanks a million works great but i had to remove to computername and just specify the account name (commented on 1/2/2003 8:26:53 AM)
• Tommy Højholt: I have same problem, but my Exchange 2000 is placed on the same server as IIS. I guess, I have to change permissions on Exchange SMTP in the same way. Can anyone tell me how to modify the script? (commented on 1/14/2003 6:34:04 AM)
• Prashant Shah: If nothing else works, try this Depending on the security settings on the Web server you may receive a permission denied error when executing the Send method. If this is the case check to make sure that the IUSR_MachineName has Full Control permissions on the mail root directories (usually C:\InetPub\mailroot\). (For example, if your Web server's name is Bob, ensure that IUSR_Bob has these permissions.) I did this and it worked!!! (commented on 1/21/2003 10:59:36 AM)
• David LaRocque: My solution to the reboot problem is crude, but it works. I created a batch file that runs the script, so when I login after a reboot, it runs without me having to remember to do so. The caveats are that if I don't login, it doesn't run, and there are a couple OK dialogs to push. But then again, I never boot up except on purpose, so this meets my needs. (commented on 1/22/2003 11:03:59 PM)
• Greg: I was thinking of solution number two in MS article - because I am having to remodify on every reboot, as tech support, I do not have time for this. The above is solution #1 (The least destabilizing option is to determine what account the applications are running under and to grant that account access to the metabase. Because other applications may use the existing account (for example, IWAM_ or IUSR_), this workaround may introduce vulnerabilities if these other applications are granted access to the IIS metabase) ---- MS Ooption #2 (Alternatively, you can create an account, grant that account access to the metabase, and then modify the virtual directory in which the application is running to run as that account) Check out this URL: http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q324037 Just for the record I also leave OUT the machine name, otherwise it finds no instances to bind or some error like that. (commented on 1/24/2003 4:59:23 AM)
• Stu: How about this solution? In Exchange System Manager, open the properties of the server with the SMTP service, on the security tab, add the IUSR_MACHINENAME account (or whatever account is logged in on your website) and grant open mail send queue read metabase properties create named properties in the information store send as permissions. This seemed to work for me. (commented on 2/5/2003 10:13:11 AM)
• Mike: If your web site is set up to run in a separate memory space, it may not have access to SMTP which will cause a permissions error. Check the web site properties under the Home Directory tab (IIS4) and make sure the "Run in separate memory space" box is un-checked. (commented on 2/8/2003 12:44:52 AM)
• Dan Crandell: Everyone, I have IIS and Exchange on same computer with sp3 on exchange. However I can not install smtp on IIS at all if I do my exchange server fails to send out any emails at all. Just trying to get asp and forms to work with smtp..... Help Help (commented on 2/14/2003 5:59:58 PM)
• David LaRocque: SMTP is built into Exchange; Windows' SMTP service needs to remain uninstalled / disabled. You have to configure the SMTP Connector to get your email sending. (commented on 2/18/2003 11:56:26 AM)
• Prashant: I did what Stu suggested. it worked. my only question is, does the system become vulnerable here? (commented on 2/21/2003 3:19:53 PM)
• adam: Right on! (commented on 2/27/2003 2:15:43 PM)
• Randy W: Stu!!!! YOU ARE A LIFE SAVER!! I was about to take the suggestion of Microsoft in one of their articles which would've been so much more involved than your suggestion. Your suggestion worked like a charm!!! Thank you soooooooooooo much!!! (commented on 3/7/2003 3:51:28 PM)
• ron: Prashant Shah 's solution was good for me. (commented on 4/1/2003 5:26:36 PM)
• Stuart: I used this fix from microsoft and it worked... Verify that HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Active Messaging\Use Exchange exists and is set to 1. (commented on 4/16/2003 9:09:23 AM)
• Justin: Thanks. This is a HUGE saver!! I ended up going right to the source (the KB article in MS's site) and used one of the many suggestions on that article (added configuration information to point to the pickup directory from my asp page) and it worked like a charm. Thank you so much! (commented on 5/13/2003 11:57:46 PM)
• Ricky: Stu, You are the man! Your exchange tip worked a treat. Thanks!! (commented on 5/15/2003 10:40:49 AM)
• Dave: Your Awesome! Thank you so much for sharing the knowledge! (commented on 5/29/2003 1:53:39 PM)
• kumar shiva: Thanks for sharing this knowledge friends.. (commented on 6/16/2003 1:04:38 PM)
• Pedro Melo: for me Prashant Shah solution of granting full access to the mailroot directories, was enough.I didn't need to run a vbs script. (commented on 6/18/2003 4:35:07 AM)
• Phranque: My webserver has several sites running on it with several different forms that send email. Only one of these forms is giving me the "Permission Denied" error, but inconsistently. If I access the site through its domain name, it gives me the error. If I run the script from the webserver itself "http://localhost/virtual/sendmail.asp" then the script works fine. Any ideas? (commented on 6/20/2003 4:37:52 PM)
• David LaRocque: Phranque, are the forms in different folders? If so, compare the folder permissions (in Windows, not IIS) between one that works, and this one that doesn't. Most lilely there will be some difference. (commented on 6/22/2003 10:33:27 PM)
• Lloyd Cormier: I did what Prashant Shah suggested and it now works fine, Thanks (commented on 8/6/2003 1:50:07 AM)
• Ben Slivka: If you get an error like "C:\mbaadd.vbs(22, 11) (null): No mapping between account names and security IDs was done." when you run mbaadd.vbs, then try "cscript mbaadd.vbs IUSR_". I got this error when I used "cscript mbaadd.vbs /IUSR_". On a whim, I omitted the "/" portion, and the script ran with no errors. I restarted IIS, and my CDONTS.Send scripts worked as before! If you are curious, the line that is failing is: objInst.Put "adminACL", Array(objSD) (commented on 8/27/2003 10:39:20 PM)
• madhava: for me Prashant Shah solution worked. If nothing else works, try this Depending on the security settings on the Web server you may receive a permission denied error when executing the Send method. If this is the case check to make sure that the IUSR_MachineName has Full Control permissions on the mail root directories (usually C:\InetPub\mailroot\). (For example, if your Web server's name is Bob, ensure that IUSR_Bob has these permissions.) I did this and it worked!!! (commented on 1/21/2003 10:59:36 AM) (commented on 10/17/2003 2:39:47 PM)
• Ken: You are a life saver. (commented on 11/20/2003 8:45:55 AM)
• Adam: Kewlness! (commented on 1/4/2004 12:49:01 PM)
• Jeff W: I have been looking for this fix for quite a while. I used on our SBS Windows 2000 server, with IIS and Exchange 2000, and Windows SP4 installed. I could not send mail though ASP web pages. I coppied info to script and ran from command line and now I can send mail!!! (commented on 1/22/2004 7:43:24 PM)
• Nathan: Thank you so much. This fix is a hair saver (commented on 4/1/2004 7:33:24 AM)
• Thomas H: Stu, your suggestion works wonderfully! Very easy, now (commented on 4/22/2004 9:40:38 AM)
• James C: Stu suggestion worked for me, W2K server SP4 & Exchange 2K SP4. (commented on 6/15/2004 4:28:12 AM)
• Sally Kraus: your site is very useful. (commented on 5/1/2007 12:00:37 AM)

Comments are closed for this article.