Re: LogonUser failed with error code : 1314 [After explicitly giving T
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Tue, 10 Aug 2004 09:31:03 -0500
You need to call LogonUser to create a token that you can use to create the
WindowsIdentity that gives you the WindowsPrincipal, so WindowsPrincipal
doesn't really help you here unless something has already created the token.
My previous comment was that you seem to be impersonating the anonymous user
for no reason at all. This is based on your comment that
WindowsIdentity.GetCurrent() returns the name of the anonymous user. This
is the reason that changing the permissions on the ASPNET account didn't
work to allow you to call LogonUser because you were running as the
anonymous user at the time. The first thing I'd do is make sure impersonate
is set to false in your web.config.
Also, it seems like it would be much wiser to just give the ASPNET account
the permissions it needs to write to the event log and the file system than
to give it "Act as part of the operating system" so that it can call
LogonUser to create a token for a user that has those privileges.
Generally, writing to the event log isn't a big deal; it is just creating new
sources that you need to be an admin for. If you create the event log
source in advance (with an installer or something), you should be fine.
Doing ACLs on the file system so that you can write to specific locations is
also not that big of a deal.
If you want to get a much better handle on all this Windows and .NET
security stuff, I cannot recommend enough reading Keith Brown's Windows
Security for .NET Developers book, which can be found online at
http://www.pluralsight.com. You will learn a ton and it's free for the
"Pradeep Kumar C" <email@example.com> wrote in message
> Hi Joe,
> Thanks for your speedy response. Actually, in a web application there are
> some situations that arise to write into the OS registry.
> For example, while doing encryption, event log writing, writing some
> on the file system etc. Here my web application
> is using the anonymous user right and it doesn't have any rights to do all
> these things, and if I want to do this my only other option
> is to run the page under some administration privilege, but I know this will
> be a security vulnerability. So I need to impersonate the
> part of code which is doing this operation.
> Note: I participated in this year's TechEd India conference from
> and from there some of the people asked me to use the WindowsPrincipal
> class for achieving this, but I am not sure how to use this.
> This is the reason why I was doing this.
> Thanks and Regards,
> Pradeep Kumar C
> "Joe Kaplan (MVP - ADSI)" <firstname.lastname@example.org> wrote
> in message news:ODeXkihfEHA.3916@TK2MSFTNGP11.phx.gbl...
> > That sounds like you are impersonating the anonymous user then instead
> > running as the process account, so the IUSER_* account would need the
> > as part of the operating system" privilege, not ASPNET. However, I
> > you want to be impersonating the IUSER_ account in the first place.
> > If you really need to create a logon token based on a user's
> > you need to call LogonUser or do some tricky calls with SSPI to
> > to yourself. These both involve pinvoke though.
> > I never got the original reason why you needed the logon token though.
> > you explain?
> > Joe K.
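The least-privilege route Joe recommends (pre-create the event source with an installer, keep impersonation off, and let the page merely write entries), as an added C# example that is not part of the thread; the source and log names are assumptions chosen for illustration:

```csharp
// Added example, not from the thread. Two pieces of the least-privilege approach:
// 1) An installer, run once by an administrator (installutil MyWebApp.dll), registers
//    the event source so the worker account (ASPNET on IIS 5) never needs the
//    admin-only right to create it.
// 2) Page code only writes entries. web.config keeps
//      <identity impersonate="false" />
//    so requests run as the process account rather than the anonymous IUSR_ account.
using System;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.Security;

[RunInstaller(true)]
public class EventSourceInstaller : Installer
{
    // Hypothetical names; pick ones that fit your application.
    public const string SourceName = "MyWebApp";
    public const string LogName = "Application";

    public EventSourceInstaller()
    {
        EventLogInstaller logInstaller = new EventLogInstaller();
        logInstaller.Source = SourceName;
        logInstaller.Log = LogName;
        Installers.Add(logInstaller);   // registry work happens at install time, as admin
    }
}

public static class AppEventLog
{
    // Writes an entry using the pre-registered source. Never tries to create the
    // source at run time, which is the step that would require admin rights.
    // Returns false when the installer has not run, so the caller can report a
    // configuration error instead of escalating privileges.
    public static bool TryWrite(string message, EventLogEntryType type)
    {
        try
        {
            // Caveat: when the source is missing, SourceExists scans every log,
            // including Security, and a non-admin caller gets a SecurityException.
            if (!EventLog.SourceExists(EventSourceInstaller.SourceName))
                return false;
            EventLog.WriteEntry(EventSourceInstaller.SourceName, message, type);
            return true;
        }
        catch (SecurityException) { return false; }
    }
}
```

Grant the worker account write access only to the specific directories it needs with file-system ACLs, as the reply describes, rather than giving it "Act as part of the operating system".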