Re: ASP.NET impersonation generating configuration error

From: Joe Kaplan (ilearnedthisthehardway@noway.com)
Date: 03/26/03

    From: "Joe Kaplan" <ilearnedthisthehardway@noway.com>
    Date: Tue, 25 Mar 2003 23:12:56 -0600
    
    

    This burned me after the 1.0 final release.

    If you are using Windows 2000 and the default ASP.NET processModel (with the
    ASPNET local machine account), you can't use that version of impersonation
    that takes credentials. The reason is that the ASPNET account does not have
    the SE_TCB_NAME privilege which is required to call LogonUser under Windows
    2000. Normally, the only account that has that privilege is SYSTEM. Note
    that Windows XP and 2003 Server do not require this privilege to call
    LogonUser anymore.

    To get around this, you can upgrade your OS or switch your processModel to
    run under SYSTEM instead of ASPNET.

    Joe K.

    "Stan Huff" <stanhuff@yahoo.com> wrote in message
    news:eTDrYLy8CHA.2308@TK2MSFTNGP10.phx.gbl...
    > When I try to set the config element
    > <identity impersonate="true" userName="xxx" password="xxx"/>
    >
    > in my web.config, I always get a Parse Error of:
    >
    > Could not create Windows user token from the credentials specified in the
    > config file. Error from the operating system 'A required privilege is not
    > held by the client. '
    >
    > Which privilege is required and which user needs it? This fails even when I
    > set userName and password to my account and I am an admin on the machine.
    > If I remove the userName, password attributes, it works just fine when
    > coupled to Windows authentication and in that case it is still using my
    > account for execution. What am I doing wrong here?
    >
    > Thanks,
    > Stan
    >
    >
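
The privilege check described in the reply can be observed directly by calling LogonUser from the account in question. The following is an added example, not code from the original thread or from ASP.NET itself: the class and method names (LogonProbe, Probe) are hypothetical, and it assumes the config-file failure surfaces the same Win32 error (1314, whose text matches the quoted parse error) that a direct LogonUser call returns.

```csharp
// Added example (not from the original thread). LogonProbe and Probe are hypothetical names.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

class LogonProbe
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // "A required privilege is not held by the client."

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Calls LogonUser as the current process account and reports the outcome.
    static string Probe(string user, string domain, string password)
    {
        string caller = WindowsIdentity.GetCurrent().Name;
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
                return caller + " lacks SE_TCB_NAME (SeTcbPrivilege), which LogonUser requires on Windows 2000";
            return "LogonUser failed for another reason: " + new Win32Exception(err).Message;
        }
        try
        {
            // Token obtained: impersonate briefly to confirm the thread identity switches.
            WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate();
            try { return caller + " is now impersonating " + WindowsIdentity.GetCurrent().Name; }
            finally { ctx.Undo(); }
        }
        finally { CloseHandle(token); }
    }

    static int Main(string[] args)
    {
        if (args.Length != 3) { Console.Error.WriteLine("usage: LogonProbe <user> <domain> <password>"); return 2; }
        Console.WriteLine(Probe(args[0], args[1], args[2]));
        return 0;
    }
}
```

Run it under the same account as the ASP.NET worker process to reproduce what that account sees; pass `.` as the domain for a local account.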

