How do I properly instantiate 32-bit COM objects in classic ASP after installing Windows Update KB4340558?

We were affected with multiple customers too.

I ruled out invalid strong-name signing of our assemblies, since the .NET Assemblies from the Framework itself were affected by that access-denied error too.

Finally I managed to solve the issue by configuration. Apparently the authenticating identity of the website has now to match the identity of the app-pool. Or IUSR has no longer enough permissions.

enter image description here

EDIT: 19.07.2018

Warning! This change also has a side-effect:

The asp-classic event "Session_OnEnd" was no longer called and therefore resources eventually could no longer be freed. But there is a fix for that, too!

The ASP-Config-Property "system.webServer/asp/runOnEndAnonymously" has to be "false", then the event fires again.

enter image description here

EDIT 2: 23.07.2018

As Dijkgraaf pointed out, Microsoft now considers this "new behaviour" a bug. So i guess my "solution" should now be considered a workaround until a new patch comes to rescue.


We run our application pool under a specific identity, to enable a network share and database access. I too thought we were stuck after reading @keydon's answer above.

However, there are three places that we must configure the identity:

  • The Application Pool - should use the specific identity
  • The Website "Connect As" - should use the "Application pool identity"
  • The Anonymous Authentication option, under the Authentication feature - should use "Application pool identity"

That last one was the thing that we were missing - years of considering only the first two meant that we mis-read the great advice above.


Microsoft is aware of the issue and the relevant KB is "Access Denied" errors and applications with COM activation fail after installing July 2018 Security and Quality Rollup updates for .NET Framework

This has impacted BizTalk, SharePoint, IIS with classic ASP and .NET application that uses impersonation.

Workarounds for Classic ASP are as follows

IIS Hosted Classic ASP calling CreateObject for .NET COM objects may receive an "ActiveX component can't create object" error:

  • If your web site uses Anonymous Authentication: Change the Web Site Anonymous Authentication credentials to use the "Application pool identity".
  • If your site uses Basic Authentication or Windows Authentication: Log into the application once as the application pool identity, then create an instance of the .NET COM component. Afterwards other site users will be able to active the .NET COM component without the failure.
  • Alternatively, if you are using Windows Authentication and accessing the web site from the console of the Windows Server where the ASP application runs: Creating an instance of the .NET COM component also resolves error for other site users.