Re: <identity impersonate="true"> question

From: Microsoft Newsgroups (me@yahoo.com)
Date: 07/30/02


From: "Microsoft Newsgroups" <me@yahoo.com>
Date: Tue, 30 Jul 2002 13:48:23 -0700


Actually I manually set my ASPNET to use the SYSTEM account on my
development box to get the event log working.

I'll take your advice and not have the production system use an impersonated
admin account. But HOW do you create those categories manually?

Thanks,
<<Kevin Finck>>

"Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
news:u3VRnP5MCHA.1352@tkmsftngp11...
> Did you originally have a beta version of the .NET Framework on your
> development computer? The default setup used to be to run the ASPNET
> worker process in the SYSTEM context. You may still be running in SYSTEM
> context on your development box. The production system is probably running
> as the unprivileged ASPNET local account.
>
> Does your app actually need to create categories? Can the categories be
> established by an interactively logged-on administrator instead? Or,
> instead of having the app run as administrator all the time, can you use
> Windows authentication, and impersonate the authenticating user? If the
> user is an admin then your app can create new categories in that user's
> session.
>
> As discussed below, the TCB privilege (a.k.a., "act as part of the
> operating system") needs to be granted to the aspnet_wp.exe's process
> account (probably ASPNET on your production system) in order for it to use
> the <identity> element with the userName/password attributes. (I strongly
> recommend against using that form.)
>
> -- Aaron
>
>
> "Microsoft Newsgroups" <me@yahoo.com> wrote in message
> news:OPZzxkyMCHA.2604@tkmsftngp11...
> > What is required to make LogonUser work?
> >
> > I have an ASP.NET app that needs to create categories in the Event Log.
> > On my development box, setting impersonate true, and setting the
> > username/pwd to the administrator works fine. But when I put it on the
> > production IIS server (Win2K) I get an error something about invalid
> > rights or credentials. What am I missing?
> >
> > Thanks!
> > <<Kevin Finck>>
> >
> > "Aaron Margosis [MS]" <aaronmaronline@microsoft.com> wrote in message
> > news:OeJEhp6KCHA.1008@tkmsftngp10...
> > > Good question! Impersonating an already authenticated (logged on) user
> > > does not require TCB (trusted computing base, a.k.a. "act as part of the
> > > operating system"). What does require TCB is use of the LogonUser API to
> > > create a new logon session. That comes up when you use this form of the
> > > <identity> element:
> > >
> > > <identity impersonate="true" userName="YOYODYNE\JBigBoote"
> > > password="Sekrit!" />
> > >
> > > Rather than impersonating the user authenticated by IIS (which is what
> > > you're doing), the app always runs with the specified credentials. In
> > > order to do this, ASPNET needs to be able to call LogonUser.
> > >
> > > HTH
> > >
> > > -- Aaron
> > >
> > >
> > > "Dave" <DaveAtHome_spam@nc.rr.com> wrote in message
> > > news:#L#Gcc0KCHA.1008@tkmsftngp10...
> > > > I added <identity impersonate="true"> to my web.config file and was
> > > > expecting to have to add "Act as part of the OS" to the local machine's
> > > > security policy for the ASPNET user as was posted various places but in
> > > > fact did NOT have to do this for the impersonation to work. Is that not a
> > > > required action? I'm running on Windows 2000 and not Windows XP where my
> > > > understanding was that policy for ASPNET would not need to be set. There
> > > > are no users explicitly added with that security right on my machine.
> > > > Thanks,
> > > > Dave
> > > >
> > > >
> > >
> > >
> >
> >
>
>
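
An added example, not part of the original thread, of the approach suggested in the quoted reply: an administrator establishes the event log entries ahead of time so the web app never has to run as an administrator. It assumes the "categories" are a custom event log and source and that Windows PowerShell with the .NET Framework is available; the log and source names are hypothetical.

```powershell
# Added example: run once at deployment time from an elevated session.
# $LogName and $Source are hypothetical names chosen for illustration.
param(
    [string]$LogName = 'MyWebApp',
    [string]$Source  = 'MyWebApp.Orders'
)

# Refuse to run unless the caller really holds administrator rights.
# SourceExists/CreateEventSource touch registry keys that an
# unprivileged account (such as ASPNET) cannot read or write.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw "Run this from an elevated administrator session, not from the web app."
}

if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
    # A source can be registered to only one log; detect a mismatch
    # instead of silently writing to the wrong log later.
    $existing = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
    if ($existing -ne $LogName) {
        throw "Source '$Source' is already registered to log '$existing'."
    }
    Write-Output "Source '$Source' already registered in '$LogName'; nothing to do."
} else {
    # Creates the log if it does not exist and registers the source in it.
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
    Write-Output "Created source '$Source' in log '$LogName'."
}
```

With the source registered in advance, the application only writes entries to it and the `<identity>` element needs no userName/password attributes; whether the worker account may write to that log depends on the log's own access settings.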


