Re: How do I give ASP.NET process network credentials?

From: Willy Denoyette [MVP] (willy.denoyette@pandora.be)
Date: 10/30/02


From: "Willy Denoyette [MVP]" <willy.denoyette@pandora.be>
Date: Wed, 30 Oct 2002 11:43:41 +0100


Joseph,
As I stated previously, when using alternate credentials in your web.config identity tag, the account specified
("INTERNAL\Administrator") must have the TCB privilege (act as part of the OS).
This requirement has been lifted from XP on, but it is still required on NT4 and W2K.
Now, running a process like ASP.NET with such a privilege is questionable if you care about security.

Willy.

"Joseph Geretz" <jgeretz@nospam.com> wrote in message news:eHzSKN5fCHA.2556@tkmsftngp08...
> Hi Willy,
>
> > 1. Running as SYSTEM should be no problem when impersonating but you need
> > to create a logon session by calling Win32 LogonUser. What
> > exactly did you encounter as a problem?
>
> I'm not explicitly creating a logon session, but I'd like to get the ASP.NET
> code running under a specific domain account, by adjusting the various
> settings in Machine.config and in Web.config, specifically the processModel
> settings and the identity settings. Here are my settings and here is the
> error presented below, beneath my signature:
>
> > 2. .NET classes can be used as COM+ server application
> > (see EnterpriseServices).
>
> Yes, I know this and I routinely engineer classes for COM+, however since
> this would be the only usage of COM+ for the entire system, I'd rather find
> a solution that doesn't require COM+. I don't believe that I should need to
> use COM+ to do this.
>
> Thanks,
>
> - Joe Geretz -
>
> Machine.config:
> <processModel enable="true"
> timeout="Infinite"
> idleTimeout="Infinite"
> shutdownTimeout="0:00:05"
> requestLimit="Infinite"
> requestQueueLimit="5000"
> restartQueueLimit="10"
> memoryLimit="60"
> webGarden="false"
> cpuMask="0xffffffff"
> userName="SYSTEM"
> password="AutoGenerate"
> logLevel="Errors"
> clientConnectedCheck="0:00:05"
> comAuthenticationLevel="Connect"
> comImpersonationLevel="Impersonate"
> responseRestartDeadlockInterval="00:09:00"
> responseDeadlockInterval="00:03:00"
> maxWorkerThreads="25"
> maxIoThreads="25"
> />
>
> Web.config:
> <identity impersonate="false" userName="INTERNAL\Administrator"
> password="bigcheese"/>
>
>
> Server Error in '/PDPortal' Application.
>
> --------------------------------------------------------------------------------
>
> Configuration Error
> Description: An error occurred during the processing of a configuration file
> required to service this request. Please review the specific error details
> below and modify your configuration file appropriately.
>
> Parser Error Message: Could not create Windows user token from the
> credentials specified in the config file. Error from the operating system 'A
> required privilege is not held by the client. '
>
> Source Error:
>
>
> Line 51: password="password of above specified account" | empty string
> Line 52: -->
> Line 53: <identity impersonate="false" userName="INTERNAL\Administrator" password="bigcheese"/>
> Line 54:
> Line 55: <!-- APPLICATION-LEVEL TRACE LOGGING
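An added audit example, not code from either poster: it reads a `secedit /export /cfg` policy dump to list who holds SeTcbPrivilege ("Act as part of the operating system"), then flags an `<identity>` element like the one in the thread that carries a plaintext password or names a TCB-holding or built-in Administrator account. Both inputs below are constructed samples (the SID and the `INTERNAL\aspnet_svc` name are hypothetical); on a real box you would feed it the exported .inf (written as UTF-16) and the site's web.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a `secedit /export /cfg` dump (already decoded from UTF-16).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1000-2000-3000-500,INTERNAL\\aspnet_svc
SeChangeNotifyPrivilege = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed web.config resembling the one posted in the thread.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="false" userName="INTERNAL\\Administrator" password="bigcheese"/>
  </system.web>
</configuration>"""


def tcb_holders(inf_text):
    """Return the principals granted SeTcbPrivilege in the [Privilege Rights] section.
    secedit writes SIDs with a leading '*'; names appear as-is. The '*' is stripped."""
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line == "[Privilege Rights]")
            continue
        if in_section and line.startswith("SeTcbPrivilege"):
            _, _, value = line.partition("=")
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []


def identity_findings(web_config_xml, tcb):
    """Flag risky <identity> settings: a plaintext password, and an account that either
    appears in the TCB list by name or is the built-in Administrator (RID 500) when
    the RID-500 SID holds TCB (offline SID-to-name resolution is not attempted)."""
    findings = []
    for ident in ET.fromstring(web_config_xml).iter("identity"):
        user = ident.get("userName", "")
        if ident.get("password"):
            findings.append(f"plaintext password for {user} in web.config")
        is_admin = user.split("\\")[-1].lower() == "administrator"
        if user in tcb or (is_admin and any(h.endswith("-500") for h in tcb)):
            findings.append(f"{user} holds SeTcbPrivilege (act as part of the OS)")
    return findings
```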