RE: Upload File error - Logon failure: unknown user name or bad password - HELP

From: Mike Moore [Microsoft] (michmo@online.microsoft.com)
Date: 02/04/03 

From: michmo@online.microsoft.com ("Mike Moore [Microsoft]")
Date: Tue, 04 Feb 2003 00:09:11 GMT

Hi Tony,

There are two likely causes for this error. One is that the account you are
using does not have write access to the remote share. Another is that your
web pages do not have permission to access remote resources (secondary
token).

1)
Please set your web application to impersonate a domain user. On the remote
machine, grant this user permission to the share permissions and to the
NTFS permissions.

In your text, you wrote that you tried impersonation. However, the example
you sited (impersonating "Administrator") is a local account which is not
recognized by the remote machine. If you instead impersonate a domain user,
then the other machine will recognize the account.

You can also replicate your account on the remote machine. This means
creating a user account on the remote machine with the same user name and
password as the account on this machine. Then the remote machine will
recognize the account.

You also wrote that you gave the account privilege to 'Act as part of the
operating system'. This gives additional privileges for local functions. It
does not change any privileges which this account has with remote resources.

2)
If you use Windows authentication with impersonation set to use the account
of the end user making the request, then the web page will have a
"secondary token". -- If you share a directory, someone else can map a
drive to your share. However, they cannot re-share your directory so that
others can access it via their computer. They have a secondary token
privilege to the remote share and secondary tokens cannot be re-shared.

This means that your web pages have privileges to access the IIS Server's
local resources, but they do not have privilege to access remote resources.

The workarounds are:
 * Do not use Windows authentication with impersonation set to use the end
user's account.
 * Perform additional impersonation in your code prior to using the remote
resource & then revert back after using it.
 * Use Kerberos and enable delegation. 

---
I think your problem is addressed by part 1, above. Please post your 
results.
Thank you, Mike Moore
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
>From: "Tony Kurzendoerfer" <tony@tksoftwareinc.com>
>Subject: Upload File error - Logon failure: unknown user name or bad 
password - HELP
>Date: Fri, 24 Jan 2003 16:29:06 -0500
>Lines: 24
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2720.3000
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
>Message-ID: <uzT4T##wCHA.2680@TK2MSFTNGP09>
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>NNTP-Posting-Host: pcp985138pcs.northw01.in.comcast.net 68.58.126.245
>Path: cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP09
>Xref: cpmsftngxa06 microsoft.public.dotnet.framework.aspnet.security:3765
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>I have a web page to upload a file.  The upload works fine when uploading 
to
>a local drive.
>When I attempt to upload to a mapped drive I get the following message:
>Logon failure: unknown user name or bad password.....
>I have read many articles about security settings that may apply.
>I tried setting impersonation to true as follows in the web.config file:
><identity impersonate="true"/>
>This gave me the following error:
>Access is denied: 'Hipaa'.  - Hipaa is my DLL (a called module)
>So, I also tried this:
><identity impersonate="true" userName="Administrator" password="xxxyyy"/>
>This option gave me the following error:
>'A required privilege is not held by the client. '
>So, I tried setting the IUSR_machinename and ASPNET user priviledges in
>local policies to
>'Act as part of the operating system'
>That didn't help either.
>
>Can anyone help me????
>
>
>
>
>
>

Relevant Pages

  • Re: [Full-disclosure] Question for the Windows pros
    ... What services running on Windows allow clients to access them? ... Or do they allow Remote Access? ... helps to have an understanding of what this privilege governs. ... *in general* what an impersonation privilege is. ...
    (Full-Disclosure)
  • Re: How to remote access Windows XP Pro computer?
    ... you happen to use Norton Internet Security please read the following link. ... link for the remote person to access their system. ... "Is LogMeIn secure and what is SSL? ... separate passwords to access both your LogMeIn account and your Target ...
    (microsoft.public.windowsxp.work_remotely)
  • Re: RWW and Remote desktop stopped working on all clients
    ... After diggin through ALL the group policies, I found Remote ... Desktop DISABLED under the Account Lockout policy - I don't think I've even ... adminsitrator or another account with Domain Admin role; also the server ...
    (microsoft.public.windows.server.sbs)
  • Re: DomainLocalServer$ is not a valid user
    ... I have traced by SQL-profiler on remote computer. ... it's always traced the user account. ... Its Security is ... to use the current user credential to logon to the remote server. ...
    (microsoft.public.sqlserver.security)
  • Network share as a Publishing Point source
    ... Give the common user appropriate permissions on folders, ... publishing points, ... >original account would keep me from mapping a publishing ... >>>I tried setting up a remote share for WM9 Services, ...
    (microsoft.public.windowsmedia.server)