Re: How do I give ASP.NET process network credentials?
From: Joseph Geretz (jgeretz@nospam.com)
Date: 10/29/02
- In reply to: Willy Denoyette [MVP]: "Re: How do I give ASP.NET process network credentials?"
- Next in thread: Willy Denoyette [MVP]: "Re: How do I give ASP.NET process network credentials?"
- Reply: Willy Denoyette [MVP]: "Re: How do I give ASP.NET process network credentials?"
From: "Joseph Geretz" <jgeretz@nospam.com> Date: Tue, 29 Oct 2002 06:48:36 -0500
Yes it is, and I have the feeling that this is at the root of my problem.
Can a local account impersonate a domain account?
- Joe Geretz -
"Willy Denoyette [MVP]" <willy.denoyette@pandora.be> wrote in message
news:uaISQvzfCHA.1732@tkmsftngp08...
> Sure, but SYSTEM is a local account isn't it?
>
> Willy.
>
> "JJ" <jj@nospam.com> wrote in message news:u2Kf9YqfCHA.2308@tkmsftngp12...
> > You missed a part of the suggestion. You need to have impersonate="false",
> > not true. Then you can specify as userName= and password= and it will have
> > sufficient rights because you are running as SYSTEM as specified in
> > machine.config. SYSTEM has enough rights to impersonate.
> >
> >
> > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> > news:#Z9pXz3eCHA.1492@tkmsftngp09...
> > > Hi Jay,
> > >
> > > I was unable to implement your suggestion. The following identity in
> > > web.config
> > >
> > > <identity impersonate="true" userName="DOMAIN\UserID" password="PWD"/>
> > >
> > > results in the following error:
> > >
> > > Could not create Windows user token from the credentials specified in the
> > > config file. Error from the operating system 'A required privilege is not
> > > held by the client. '
> > >
> > > The client, in this case, would I guess be the user ASPNET since my
> > > processModel settings specify 'machine'. (I tried this using SYSTEM, but
> > > that had no effect.) So I'm back to the original question. How do I get an
> > > ASP.NET process to run under the identity of a domain user, rather than as a
> > > local user?
> > >
> > > Thanks,
> > >
> > > - Joe Geretz -
> > >
> > > "Jay Warmack" <jwarmack@weblandingzone.net> wrote in message
> > > news:u9AGi1xeCHA.1788@tkmsftngp11...
> > > > In web.config you should be able to use:
> > > >
> > > > <identity impersonate="false" userName="domain\localuser"
> > > > password="password"/>
> > > >
> > > >
> > > > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> > > > news:uZ00wfueCHA.2128@tkmsftngp12...
> > > > > I have a Source Safe database installed on my Win2K 'domain controller'. A
> > > > > Source Safe database is not a database in the traditional sense of the word.
> > > > > It is actually a file system folder structure. Source Safe workstation users
> > > > > access this 'database' via a folder share or mapped drive. The VSS database
> > > > > is installed on a machine called Dimension2.
> > > > >
> > > > > I have written an ASP.NET process (web services) which interacts with the
> > > > > VSS API in order to access the VSS database on dimension. These web services
> > > > > are hosted under IIS on a member server named Dimension. I was finding that
> > > > > if I logged on locally to Dimension and ran the VSS Win32 Explorer client, I
> > > > > was able to successfully access the VSS database on Dimension2. However, the
> > > > > ASP.NET code was unable to access this database.
> > > > >
> > > > > I changed the ASP.NET username in the processmodel section of machine.config
> > > > > to SYSTEM. Still no success. So I made the following changes to the
> > > > > web.config file at the root of the web service site.
> > > > >
> > > > > Authentication: Windows
> > > > > Impersonation: true
> > > > >
> > > > > Now the code runs successfully, since the ASP.NET code is now running using
> > > > > my interactive session network credentials. This was a useful test to
> > > > > isolate the problem and to confirm that the problem is based on credentials
> > > > > and security. However this is no solution for a production environment. I
> > > > > need to allow this to work for anonymous users coming in over the Internet
> > > > > without domain credentials.
> > > > >
> > > > > How can I set this up? Can ASPNET on Dimension be set up as a network
> > > > > account? Can a new network account be created and ASP.NET or my web services
> > > > > be configured to use this special account? Or is there a different way in
> > > > > which this is typically done?
> > > > >
> > > > > Thanks for your help.
> > > > >
> > > > > - Joe Geretz -
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
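
Added example, not part of any post in this thread: a small Python audit of the `<identity>` and `<processModel>` settings the thread discusses, run over constructed sample configs. The finding names and the `audit` helper are hypothetical; the check assumes that `userName`/`password` on `<identity>` only take effect when `impersonate="true"` and that a `registry:` prefix means the value is not stored in the file.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the settings quoted in the thread.
WEB_FIXED = (r'<configuration><system.web><identity impersonate="true" '
             r'userName="DOMAIN\UserID" password="PWD"/></system.web></configuration>')
WEB_NO_IMPERSONATE = (r'<configuration><system.web><identity impersonate="false" '
                      r'userName="domain\localuser" password="password"/>'
                      r'</system.web></configuration>')
WEB_CALLER = ('<configuration><system.web><authentication mode="Windows"/>'
              '<identity impersonate="true"/></system.web></configuration>')
MACHINE_SYSTEM = ('<configuration><system.web><processModel userName="SYSTEM" '
                  'password="AutoGenerate"/></system.web></configuration>')


def audit(xml_text):
    """Return finding codes (hypothetical names) for one config document."""
    findings = []
    root = ET.fromstring(xml_text)
    for pm in root.iter("processModel"):
        # Worker process running as SYSTEM: every page runs fully privileged
        # locally, yet still has no domain credentials of its own.
        if pm.get("userName", "").upper() == "SYSTEM":
            findings.append("WORKER_RUNS_AS_SYSTEM")
    for ident in root.iter("identity"):
        impersonate = ident.get("impersonate", "false").lower() == "true"
        user, pwd = ident.get("userName", ""), ident.get("password", "")
        # A literal password in web.config is readable by anyone who can
        # read the file.
        if pwd and not pwd.startswith("registry:"):
            findings.append("CLEARTEXT_PASSWORD")
        if user and not impersonate:
            # Credentials are present but no impersonation happens, so the
            # request still runs as the worker process account.
            findings.append("CREDENTIALS_IGNORED")
        elif user:
            # Fixed identity: the worker must create a logon token, which is
            # where the "required privilege is not held" error arises.
            findings.append("FIXED_IDENTITY")
        elif impersonate:
            # Runs as whoever authenticated; anonymous callers bring no
            # domain credentials.
            findings.append("IMPERSONATES_CALLER")
    return findings


if __name__ == "__main__":
    for name in ("WEB_FIXED", "WEB_NO_IMPERSONATE", "WEB_CALLER", "MACHINE_SYSTEM"):
        print(name, audit(globals()[name]))
```
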