
Setup 2008 R2 Server - SMTP Setup (SendUsing Error)

I was getting a CDO SendUsing configuration error when sending emails. This is down to the new way permissions are handled in IIS7, i.e. they belong to application pools (ApplicationPoolIdentity) rather than NetworkService.

http://forums.iis.net/t/1164349.aspx/1

I just found an easy solution to this problem that does not involve using the NetworkService as the account to run the AppPool or changing your code that used to work on 2003.

I have applied this solution to my 2008R2 using IIS7.5 (using IIS6Compatibility mode and the local SMTP server Feature installed and all ASP AppPools running in 32bit mode); I have not tested this outside of that environment, so your mileage may vary.

Let me preface by saying this issue didn't happen when the AppPool was running as NetworkService, only when using ApplicationPoolIdentity. The reason for this is explained below.

The initial error being seen was a 500 when trying to send email. There was no further debugging information being displayed in the browser, even when using detailed, non-friendly errors on the server.

Investigation showed that the error was showing up in the EventLog as:

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Active Server Pages" />
<EventID Qualifiers="49152">5</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-05-10T17:11:54.000000000Z" />
<EventRecordID>7224</EventRecordID>
<Channel>Application</Channel>
<Computer>SERVERNAME</Computer>
<Security />
</System>
<EventData>
<Data>File /email.asp Unexpected error. A trappable error (E06D7363) occurred in an external object. The script cannot continue running.</Data>
</EventData>
</Event>

FREB reports, when enabled and allowed to grow past 5 MB, showed that the ASP page was returning the 500 Error on the ObjEmail.Send() function:

625. ? ASP_SCRIPT_TRACE_COM_CALL_START FilePath="D:\WWWROOT\EMAIL.ASP", LineNumber="864", CurrentStatement="emailResult = objEmail.Send()", SizeOfStatement="29"
626. r ASP_LOG_ERROR Error LineNumber="", ErrorCode="ASP 0115", Description="Unexpected error"


Detailed debugging of the application showed that CDO was throwing the "CDO_E_INVALID_SEND_OPTION (0x80040220)" error when trying to send email as ApplicationPoolIdentity.


In 2008/IIS7+ the ApplicationPoolIdentity accounts are hidden accounts that have dynamically assigned SIDs (created and assigned when the ApplicationPool is started). But the accounts live as (hidden) users under the IIS_IUSRS group on the local machine (this makes giving them permissions to the AppPools pretty easy, since you can use the normal GUI interface for perms or use scripts while specifying the local user group).

To fix the issue with ASP sites running under IIS7.5 not being able to send email:

Give Read/Write permissions for the IIS_IUSRS group to the Mailroot folder (permissions will inherit down to Pickup/etc folders).
Now use a Metabase Permissions modifier (Metabase Explorer works, so does METAACL.VBS from 2003): open LM\SMTPSVC and SMTPSVC\1 and add IIS_IUSRS with read permissions to those branches of the metabase.

cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC %computername%\IIS_IUSRS R
cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC/1 %computername%\IIS_IUSRS R

Those permissions will allow any of the ApplicationPoolIdentity users to create and send email using the local SMTP service.
This can be tested with SMTP service on the local machine stopped, which will force the .EML files to show up in the mailroot\pickup folder.

The reason sending email works for NetworkService and LocalService and not the ApplicationPoolIdentity is that the Metabase, by default, has read permissions for SYSTEM and NetworkService. This is yet another example of why running AppPools as ApplicationPoolIdentity provides more security than running as NetworkService: the applications must be given explicit privileges to any registry entry, folder hierarchy, file, etc. that they must read or write.

MetaACL.vbs can be downloaded directly from Microsoft here (my tests show it works fine on 2008R2): http://support.microsoft.com/kb/267904/

Restart server for changes to come into effect and don't forget to enable auto start on SMTP service!

Hope this helps all the other people who found this thread.
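
The filesystem half of the fix above, followed by a check of who ends up able to write to the Pickup folder and whether the SMTP service will start on boot. This is an added PowerShell example, not part of the original post. The Mailroot path C:\inetpub\mailroot and the service name SMTPSVC are assumptions (the usual defaults for the IIS SMTP feature); run it from an elevated prompt.

```powershell
# Added example. Assumptions: default Mailroot location, service name SMTPSVC.
param(
    [string]$Mailroot = 'C:\inetpub\mailroot',   # assumed default path
    [string]$Group    = 'BUILTIN\IIS_IUSRS'
)
$fsr = [System.Security.AccessControl.FileSystemRights]

# Step 1 from the post: Read/Write for IIS_IUSRS on Mailroot,
# inherited by Pickup and the other subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    ($fsr::Read -bor $fsr::Write),
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Mailroot
$acl.AddAccessRule($rule)
Set-Acl -Path $Mailroot -AclObject $acl

# Audit: every principal allowed to create files in Pickup can hand mail to
# the local SMTP service, so this list should contain only what you expect.
# ACEs stored as generic rights (shown as raw numbers) are not decoded here.
$pickup  = Join-Path $Mailroot 'Pickup'
$writers = (Get-Acl -Path $pickup).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.FileSystemRights -band $fsr::WriteData) -ne 0)
}
$writers | Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

if (-not ($writers | Where-Object { $_.IdentityReference.Value -eq $Group })) {
    Write-Warning "$Group has no write access on $pickup; check inheritance."
}

# The post's reminder: the SMTP service must be set to start automatically.
$svc = Get-WmiObject Win32_Service -Filter "Name='SMTPSVC'"
if (-not $svc) {
    Write-Warning 'SMTPSVC not found; is the SMTP Server feature installed?'
} elseif ($svc.StartMode -ne 'Auto') {
    Write-Warning "SMTPSVC start mode is $($svc.StartMode); setting to Automatic."
    Set-Service -Name SMTPSVC -StartupType Automatic
}
```

The metabase read permissions from the post still have to be applied separately with the metaacl.vbs commands shown above.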