Re: "ASP.NET Machine Account" problem



Hi, I will try it, thx~



"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message news:VSCmCTrxGHA.5460@xxxxxxxxxxxxxxxxxxxxxxxx
Hello James,

From your description, when your ASP.NET application (which is running under
the machine\ASPNET account) tries accessing some remote protected resource,
you get a permission issue, correct?

Since your ASP.NET application's work process account is "MACHINE\ASPNET",
I think your development machine is Windows XP or Windows 2000 with IIS5,
correct?

As for ASP.NET applications, by default all the code runs under the
worker process account. And the default worker process account differs
depending on the OS/IIS version:

** on XP/2000 with IIS5, by default the ASP.NET process (aspnet_wp.exe) runs
under the "machine\ASPNET" account; this can be changed in the machine.config
file (under the framework directory:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG)

** on Windows 2003 Server with IIS6, ASP.NET uses IIS application pool
mode, and the worker process (w3wp.exe) runs under the "NT AUTHORITY\NETWORK
SERVICE" account.

Here is an MSDN article describing how to check the ASP.NET worker process
identity and how to configure it:


#Configuring ASP.NET Process Identity
http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx

So for your scenario, where your ASP.NET application will access some protected
remote resource, I think you can consider configuring your ASP.NET
application to use a different process account. This account should be
recognizable by the remote machine and have sufficient permission. It can
be:

** a domain account

** a duplicated local account which has a mapping account (with the same
username and password) on the remote machine

You can decide which one to use according to your detailed condition.
Also, to make sure your custom account has sufficient permission to run the
ASP.NET application, you can follow the MSDN article below:

#How To: Create a Service Account for an ASP.NET 2.0 Application
https://msdn.microsoft.com/library/en-us/dnpag2/html/paght000009.asp?frame=true


In addition, if there are only a small number of pages or pieces of code which
will access the remote secured resource and you do not want to change the worker
process account for the entire web application (in machine.config), you can
consider programmatically impersonating in your application's/page's code:


Here is a good article introducing impersonation in ASP.NET 2.0:


#How To: Use Impersonation and Delegation in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000023.asp?frame=true


You can have a look at the above options. If anything is unclear or you
need any other information, please feel free to let me know.


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead





