Re: LogonUser failed with error code : 1314 [After explicitly giving T

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 08/10/04


Date: Tue, 10 Aug 2004 09:31:03 -0500

You need to call LogonUser to create a token that you can use to create the
WindowsIdentity that gives you the WindowsPrincipal, so WindowsPrincipal
doesn't really help you here unless something has already created the token.

My previous comment was that you seem to be impersonating the anonymous user
for no reason at all. This is based on your comment that
WindowsIdentity.GetCurrent() returns the name of the anonymous user. This
is the reason that changing the permissions on the ASPNET account didn't
work to allow you to call LogonUser because you were running as the
anonymous user at the time. The first thing I'd do is make sure impersonate
is set to false in your web.config.

Also, it seems like it would be much wiser to just give the ASPNET account
the permissions it needs to write to the event log and the file system than
to give it "Act as part of the operating system" so that it can call
LogonUser to create a token for a user that has those privileges.
Generally, writing to the eventlog isn't a big deal, it is just creating new
sources that you need to be an admin for. If you create the event log
source in advance (with an installer or something), you should be fine.
Doing ACLs on the file system so that you can write to specific locations is
also not that big of a deal.

If you want to get a much better handle on all this Windows and .NET
security stuff, I cannot recommend enough that you read Keith Brown's Windows
Security for .NET Developers book, which can be found online at
http://www.pluralsight.com. You will learn a ton and it's free for the
online version!

Good luck,

Joe K.

"Pradeep Kumar C" <pkumar@cordiant.com> wrote in message
news:%237z6pPpfEHA.1972@TK2MSFTNGP09.phx.gbl...
> Hi Joe,
>
> Thanks for your speedy response. Actually, in a web application some
> situations arise where it has to write to the OS registry.
> For example, while doing encryption, event log writing, writing something
> on the file system, etc. Here my web application
> is using the anonymous user's rights and it doesn't have any rights to do all
> these things, and if I want to do this my only other option
> is to run the page under some administrative privilege, but I know this will
> be a security vulnerability. So I need to impersonate for the
> part of the code which is doing this operation.
>
> Note: I participated in this year's TechEd India conference from Bangalore,
> and some of the people there asked me to use the WindowsPrincipal
> class for achieving this, but I am not sure how to use it.
>
> This is the reason why I was doing this.
>
> Thanks and Regards,
> Pradeep Kumar C
>
>
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:ODeXkihfEHA.3916@TK2MSFTNGP11.phx.gbl...
> > That sounds like you are impersonating the anonymous user then instead of
> > running as the process account, so the IUSER_* account would need the "Act
> > as part of the operating system" privilege, not ASPNET. However, I doubt
> > you want to be impersonating the IUSER_ account in the first place.
> >
> > If you really need to create a logon token based on a user's credentials,
> > you need to call LogonUser or do some tricky calls with SSPI to authenticate
> > to yourself. These both involve pinvoke though.
> >
> > I never got the original reason why you needed the logon token though. Can
> > you explain?
> >
> > Joe K.
> >
> >
>
>
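
An added example, not part of the original thread and not code from either poster: one way to apply the advice in the reply above, creating the event source and a narrowly scoped directory ACL once at install time so the web application can keep running as the unprivileged process account. The source name `MyWebApp`, the directory `C:\MyWebApp\Data` and the class names are hypothetical, and the ACL calls assume .NET Framework 2.0 or later.

```csharp
// Added example. Run InstallTimeSetup once from an administrator console.
// The web application keeps <identity impersonate="false" /> in web.config,
// so its code runs as the ASPNET process account, not the anonymous user.
using System;
using System.Diagnostics;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class InstallTimeSetup
{
    // Hypothetical names chosen for this example.
    const string Source = "MyWebApp";
    const string LogName = "Application";
    const string DataDir = @"C:\MyWebApp\Data";

    static void Main()
    {
        // The same call inside a page shows whether the request is
        // impersonating the anonymous user or running as the process account.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        // Registering a new event source is the step that needs an administrator.
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, LogName);

        // Grant the process account Modify on this one directory only,
        // inherited by the files and subdirectories beneath it.
        string account = Environment.MachineName + @"\ASPNET";
        DirectoryInfo dir = Directory.CreateDirectory(DataDir);
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            account,
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }
}

static class WebAppLogging
{
    // Called from page code. The source already exists, so no LogonUser call
    // and no "Act as part of the operating system" privilege is involved.
    public static void Log(string message)
    {
        EventLog.WriteEntry("MyWebApp", message, EventLogEntryType.Information);
    }
}
```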


