Re: How do I give ASP.NET process network credentials?

From: Joseph Geretz (jgeretz@nospam.com)
Date: 10/28/02


From: "Joseph Geretz" <jgeretz@nospam.com>
Date: Mon, 28 Oct 2002 14:30:53 -0500


Hi JJ,

Thanks for pointing that out. Unfortunately it did not help.

Joe Geretz

Machine.config:
        <processModel enable="true"
                      timeout="Infinite"
                      idleTimeout="Infinite"
                      shutdownTimeout="0:00:05"
                      requestLimit="Infinite"
                      requestQueueLimit="5000"
                      restartQueueLimit="10"
                      memoryLimit="60"
                      webGarden="false"
                      cpuMask="0xffffffff"
                      userName="SYSTEM"
                      password="AutoGenerate"
                      logLevel="Errors"
                      clientConnectedCheck="0:00:05"
                      comAuthenticationLevel="Connect"
                      comImpersonationLevel="Impersonate"
                      responseRestartDeadlockInterval="00:09:00"
                      responseDeadlockInterval="00:03:00"
                      maxWorkerThreads="25"
                      maxIoThreads="25"
        />

Web.config:
        <identity impersonate="false" userName="INTERNAL\Administrator" password="bigcheese"/>

Server Error in '/PDPortal' Application.

--------------------------------------------------------------------------------
Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'A required privilege is not held by the client. '

Source Error:
Line 51:             password="password of above specified account" | empty string
Line 52:         -->
Line 53:         <identity impersonate="false" userName="INTERNAL\Administrator" password="bigcheese"/>
Line 54:
Line 55:         <!--  APPLICATION-LEVEL TRACE LOGGING

Source File: D:\My Documents\Visual Studio Projects\ParaDocs\PDPortal\web.config    Line: 53
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.0.3705.0; ASP.NET Version:1.0.3705.0

"JJ" <jj@nospam.com> wrote in message news:u2Kf9YqfCHA.2308@tkmsftngp12...
> You missed a part of the suggestion.  You need to have impersonate="false",
> not true.  Then you can specify as userName= and password= and it will have
> sufficient rights because you are running as SYSTEM as specified in
> machine.config.  SYSTEM has enough rights to impersonate.
>
>
> "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> news:#Z9pXz3eCHA.1492@tkmsftngp09...
> > Hi Jay,
> >
> > I was unable to implement your suggestion. The following identity in
> > web.config
> >
> > <identity impersonate="true" userName="DOMAIN\UserID" password="PWD"/>
> >
> > results in the following error:
> >
> > Could not create Windows user token from the credentials specified in the
> > config file. Error from the operating system 'A required privilege is not
> > held by the client. '
> >
> > The client, in this case, would I guess be the user ASPNET since my
> > processModel settings specify 'machine'. (I tried this using SYSTEM, but
> > that had no effect.) So I'm back to the original question. How do I get an
> > ASP.NET process to run under the identity of a domain user, rather than as a
> > local user?
> >
> > Thanks,
> >
> > - Joe Geretz -
> >
> > "Jay Warmack" <jwarmack@weblandingzone.net> wrote in message
> > news:u9AGi1xeCHA.1788@tkmsftngp11...
> > > In web.config you should be able to use:
> > >
> > > <identity impersonate="false" userName="domain\localuser"
> > > password="password"/>
> > >
> > >
> > > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> > > news:uZ00wfueCHA.2128@tkmsftngp12...
> > > > I have a Source Safe database installed on my Win2K 'domain controller'. A
> > > > Source Safe database is not a database in the traditional sense of the word.
> > > > It is actually a file system folder structure. Source Safe workstation users
> > > > access this 'database' via a folder share or mapped drive. The VSS database
> > > > is installed on a machine called Dimension2.
> > > >
> > > > I have written an ASP.NET process (web services) which interacts with the
> > > > VSS API in order to access the VSS database on dimension. These web services
> > > > are hosted under IIS on a member server named Dimension. I was finding that
> > > > if I logged on locally to Dimension and ran the VSS Win32 Explorer client, I
> > > > was able to successfully access the VSS database on Dimension2. However, the
> > > > ASP.NET code was unable to access this database.
> > > >
> > > > I changed the ASP.NET username in the processmodel section of machine.config
> > > > to SYSTEM. Still no success. So I made the following changes to the
> > > > web.config file at the root of the web service site.
> > > >
> > > > Authentication: Windows
> > > > Impersonation: true
> > > >
> > > > Now the code runs successfully, since the ASP.NET code is now running using
> > > > my interactive session network credentials. This was a useful test to
> > > > isolate the problem and to confirm that the problem is based on credentials
> > > > and security. However this is no solution for a production environment. I
> > > > need to allow this to work for anonymous users coming in over the Internet
> > > > without domain credentials.
> > > >
> > > > How can I set this up? Can ASPNET on Dimension be set up as a network
> > > > account? Can a new network account be created and ASP.NET or my web services
> > > > be configured to use this special account? Or is there a different way in
> > > > which this is typically done?
> > > >
> > > > Thanks for your help.
> > > >
> > > > - Joe Geretz -
> > > >
> > > >
> > >
> > >
> >
> >
>
>
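
A static check for the two settings quoted in this thread, added here as an example and not part of any poster's message: it flags a processModel or identity element that names SYSTEM or Administrator, and a literal password stored in the config file. The sample input is constructed from the quoted settings with a placeholder password; the rule names and the set of privileged account names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the settings quoted in the thread.
# The password is a placeholder, not a value from the page.
SAMPLE = r"""<configuration>
  <system.web>
    <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
    <identity impersonate="false" userName="INTERNAL\Administrator"
              password="PLACEHOLDER" />
  </system.web>
</configuration>"""

# Assumption: account names this check treats as over-privileged for a web app.
PRIVILEGED_NAMES = {"system", "administrator"}
# Values that are not secrets: an absent attribute and the AutoGenerate sentinel.
SENTINEL_PASSWORDS = {"", "autogenerate"}


def _local(tag):
    """Drop an XML namespace prefix such as '{uri}identity'."""
    return tag.rsplit("}", 1)[-1]


def audit_config(xml_text):
    """Return sorted (element, rule) findings; the password is never echoed."""
    findings = set()
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name not in ("processModel", "identity"):
            continue
        # Compare only the account part of DOMAIN\account.
        account = el.get("userName", "").rsplit("\\", 1)[-1].lower()
        if account in PRIVILEGED_NAMES:
            findings.add((name, "privileged-account"))
        password = el.get("password", "")
        # A "registry:" value points at an encrypted registry entry
        # (as written by aspnet_setreg), so no secret sits in the file.
        if (password.lower() not in SENTINEL_PASSWORDS
                and not password.lower().startswith("registry:")):
            findings.add((name, "cleartext-password"))
    return sorted(findings)


if __name__ == "__main__":
    for element, rule in audit_config(SAMPLE):
        print(f"{element}: {rule}")
```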