Re: Server Application Unavailable

From: G.V. (gv_at_mail.lt)
Date: 06/16/03


Date: Mon, 16 Jun 2003 16:59:57 +0300


Hi,

It is stated that in .NET Framework 1.0 you need to grant the custom ASP.NET
user the "Act as part of operating system" privilege in Local Policies.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp

"
Windows Authentication Using a Fixed Identity
The <identity> element in Web.config supports optional user name and
password attributes, which allows you to configure a specific fixed identity
for your application to impersonate. This is shown in the following
configuration file fragment.

<identity impersonate="true" userName="DomainName\UserName"
                             password="ClearTextPassword" />
When to use
This approach is not recommended for the current version (version 1) of the
.NET Framework in secure environments for two reasons:

  * User names and passwords should not be stored in plain text in
    configuration files, particularly configuration files stored in virtual
    directories.
  * On Windows 2000, this approach forces you to grant the ASP.NET process
    account the "Act as part of the operating system" privilege. This reduces
    the security of your Web application and increases the threat should an
    attacker compromise the Web application process.
The .NET Framework version 1.1 will provide an enhancement for this scenario
on Windows 2000:

  * The credentials will be encrypted.
  * The log on will be performed by the IIS process, so that ASP.NET does
    not require the "Act as part of the operating system" privilege.
"

I think the same applies if you change ASP.NET user in machine.config.

One more test you could do - add the ASP.NET account temporarily to your server
Administrators group. If it works after doing this - this is definitely a
security configuration problem.

hope this helps,
G.V.

"Apogee" <developer@bitefish.net> wrote in message
news:%23iFcYcANDHA.2308@TK2MSFTNGP11.phx.gbl...
> I followed the steps in this document, it does not work.
>
> Apogee
>
>
> "G.V." <gv@mail.lt> wrote in message
> news:uB54gQ$MDHA.304@tk2msftngp13.phx.gbl...
> > It's not that simple. You need to configure security settings too:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp
> >
> > G.V.
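
An added example, not part of the original thread or the MSDN text: a Python check that finds the fixed-identity setting quoted above in a configuration file and reports the two risks the MSDN passage names, without echoing the password. The sample files are constructed, `audit_config` is a hypothetical helper name, and treating `registry:` values as references to encrypted credentials is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <identity> fragment quoted in the post.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.web>
    <identity impersonate="true" userName="DomainName\UserName"
              password="ClearTextPassword" />
  </system.web>
  <location path="reports">
    <system.web><identity impersonate="true" /></system.web>
  </location>
</configuration>"""

# Constructed machine.config-style sample with a custom process account.
SAMPLE_MACHINE_CONFIG = r"""<configuration>
  <system.web>
    <processModel userName="DomainName\CustomAspNet" password="ClearTextPassword" />
  </system.web>
</configuration>"""

BUILTIN_ACCOUNTS = {"machine", "system"}  # default processModel accounts

def audit_config(xml_text, source="<config>"):
    """Return (source, element, userName, issue) tuples; passwords are never echoed."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag not in ("identity", "processModel"):
            continue
        if el.tag == "identity" and el.get("impersonate", "false").lower() != "true":
            continue
        user, pwd = el.get("userName", ""), el.get("password", "")
        if not user or user.lower() in BUILTIN_ACCOUNTS:
            continue  # no fixed custom account configured here
        # Assumption: a "registry:" value points at credentials stored
        # encrypted outside the file, so it is not reported as clear text.
        if pwd and not pwd.lower().startswith("registry:"):
            findings.append((source, el.tag, user, "cleartext password in config file"))
        if el.tag == "identity":
            findings.append((source, el.tag, user,
                             'fixed identity: on Windows 2000 with .NET 1.0 the ASP.NET '
                             'process account needs "Act as part of the operating system"'))
    return findings

if __name__ == "__main__":
    for name, text in (("Web.config", SAMPLE_WEB_CONFIG),
                       ("machine.config", SAMPLE_MACHINE_CONFIG)):
        for finding in audit_config(text, name):
            print(" | ".join(finding))
```
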


