Microsoft Knowledge Base Article
Article ID: 810204 - Last Review: July 11, 2005 - Revision: 3.5
PRB: Per Request Impersonation Does Not Work on Windows 2000 with ASP.NET
When an ASP.NET application impersonates a specific user by providing credentials as specified in the Web.config configuration file, you receive the following error message in Windows 2000:
Server Error in '/WebApplication2' Application
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'A required privilege is not held by the client.'
Source Error:
Line 21: <!-- Impersonating
Line 22: -->
Line 23: <identity impersonate="true" userName="username" password="password"/>
Line 24:
Line 25:
Source File: c:\inetpub\wwwroot\WebApplication2\web.config Line: 23
Version Information: Microsoft .NET Framework Version:1.0.3705.0; ASP.NET Version:1.0.3705.0
This error occurs when you enable impersonation for a specific user identity. ASP.NET tries to generate an access token by calling the LogonUser Win32 API. To call LogonUser in Windows 2000, the process owner must have the SE_TCB_NAME (Act as Part of the Operating System) user right. The ASPNET account is configured with the least user rights and does not possess the SE_TCB_NAME user right.
This behavior is by design.
You can still impersonate the Microsoft Internet Information Services (IIS) authenticated user identity without using the extended form of impersonation. The following code sets impersonation to either the IIS authenticated user or the anonymous Internet user account:
<identity impersonate="true"/>
Note: By default, per-request impersonation in ASP.NET does not work with Windows 2000. Microsoft Windows XP contains enhancements that do not require the SE_TCB_NAME user right.
Microsoft recommends that you do not grant the SE_TCB_NAME user right to the ASPNET account because this violates the principle of running with the least user rights necessary. When an account has this user right, the user can perform activities such as create new accounts, add accounts to the Administrators group, and debug memory.
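To observe the failure described above outside of ASP.NET, the following C# console program (added here as an illustration; it is not part of the Knowledge Base article) makes the same LogonUser call that ASP.NET 1.0 makes for the extended <identity> form and reports whether the call failed because the calling process lacks the SE_TCB_NAME right (Win32 error 1314, the "A required privilege is not held by the client" message). The user name, domain and password are placeholders; run it under the account of interest, for example the ASPNET account, to see which branch is taken.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

class ImpersonationProbe
{
    // Win32 constants from the Windows SDK headers.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314;  // "A required privilege is not held by the client."

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Same API ASP.NET 1.0 calls for <identity userName="..." password="..."/>.
    // Returns 0 on success, otherwise the Win32 error code from LogonUser.
    static int TryLogon(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            return Marshal.GetLastWin32Error();
        CloseHandle(token);  // a real caller would pass it to WindowsIdentity.Impersonate first
        return 0;
    }

    static void Main()
    {
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        // Placeholder credentials (assumption, not from the article); "." means the local machine.
        int err = TryLogon("username", ".", "password");
        switch (err)
        {
            case 0:
                Console.WriteLine("LogonUser succeeded; per-request impersonation would work here.");
                break;
            case ERROR_PRIVILEGE_NOT_HELD:
                Console.WriteLine("Error 1314: this process lacks SE_TCB_NAME, the Windows 2000 case "
                    + "the article describes. Use <identity impersonate=\"true\"/> instead.");
                break;
            default:
                Console.WriteLine("LogonUser failed: " + new Win32Exception(err).Message);
                break;
        }
    }
}
```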
Steps to Reproduce the Behavior
- In Microsoft Visual Basic .NET or Microsoft Visual C# .NET, create a new ASP.NET Web Application project.
- In Solution Explorer, double-click the Web.config file.
- Paste the following code in the configuration file under the <system.web> section:
<identity impersonate="true" userName="username" password="password"/>
- Build and run the application.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
329290 (http://kbalertz.com/Feedback.aspx?kbNumber=329290/EN-US/) HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings
306158 (http://kbalertz.com/Feedback.aspx?kbNumber=306158/EN-US/) INFO: Implementing Impersonation in an ASP.NET Application
APPLIES TO
- Microsoft ASP.NET 1.0, when used with:
  - the operating system: Microsoft Windows 2000