Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

(842790) - Explains that a SecurityException exception may occur when you try to impersonate a user from a secondary thread in an ASP.NET Web application. Describes three workarounds to solve this problem.

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 842790 - Last Review: April 3, 2007 - Revision: 2.5

A System.Security.SecurityException exception occurs when you try to impersonate a user from a secondary thread in an ASP.NET Web application

View products that this article applies to.

On This Page

SYMPTOMS

In a Microsoft ASP.NET Web application, when you try to impersonate a user from a secondary thread, a System.Security.SecurityException exception may occur. When the System.Security.SecurityException exception occurs, you receive the following error message:
An unhandled exception of type 'System.Security.SecurityException' occurred in Unknown Module.
Additional information: Unable to impersonate user.
This behavior occurs if all the following conditions are true:
  • You enable impersonation in the Web.config file of your application.
  • In the <processModel> element of the Machine.config file, the value of the userName attribute is specified as Machine to run the ASP.NET worker process in the security context of the ASPNET local user account.
  • You use Integrated Windows authentication for your application.
This behavior does not occur in Microsoft Windows Server 2003 or in Microsoft Windows 2000 Service Pack 4 (SP4).
Back to the top

CAUSE

If you enable impersonation in the Web.config file of your ASP.NET Web application, only the primary thread of the application impersonates the user who you have specified. The secondary thread and the other threads that you start in your application use the security context of the ASPNET local user account. However, only the impersonated user account can access the Thread object for the secondary thread. Because the ASPNET user account lacks the rights to access this Thread object, you cannot impersonate a user from the secondary thread.
Back to the top

WORKAROUND

To work around this problem, use one of the following methods:
  • Call the RevertToSelf function before you start the secondary thread.
  • Assign the Act as part of the operating system user right to the ASPNET user account.
  • Change the value of the userName attribute of the <processModel> element in the Machine.config file.
Call the RevertToSelf function before you start the secondary thread
  1. Declare a reference to the RevertToSelf function in the Advapi32.dll DLL. To do this, locate the following code:
    public class <WebFormName> : System.Web.UI.Page
{
    Note <WebFormName> is a placeholder for the name of your Web form.
  2. Add the following code after the code that you just located:
    [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool RevertToSelf();
  3. Locate the following code:
    <ThreadObject>.Start()
    Note <ThreadObject> is a placeholder for the name of the secondary thread.
  4. Add the following code before the code that you just located:
    RevertToSelf();
Grant the Act as part of the operating system user right to the ASPNET user account
  1. Open the Local Security Policy snap-in.
  2. In the left pane of the Local Security Policy snap-in, expand Local Policies, and then click User Rights Assignment.
  3. Add the ASPNET user account.

    If you are using Microsoft Windows XP, follow these steps:
    1. In the right pane of the Local Security Settings snap-in, locate the Policy field, and then double-click Act as part of the operating system. The Act as part of the operating system Properties dialog box appears.
    2. Click Add User or Group. The Select Users or Groups dialog box appears.
    3. In the Enter the object names to select box, type ASPNET, and then click OK.
    4. Click OK, and then close the Local Security Settings snap-in.
    If you are using Microsoft Windows 2000, follow these steps:
    1. In the right pane of the Local Security Settings snap-in, locate the Policy field, and then double-click Act as part of the operating system. The Local Security Policy Setting dialog box appears.
    2. Click Add. The Select Users or Groups dialog box appears.
    3. In the Name field, click ASPNET.
    4. Click Add, and then click OK.
    5. Click OK, and then close the Local Security Settings snap-in.
Change the value of the userName attribute of the <processModel> element in the Machine.config file
  1. Use a text editor such as Notepad to open the Machine.config file. The Machine.config file is located in the %WINDIR%\Microsoft.NET\Framework\v1.1.4322\Config folder or in the %WINDIR%\Microsoft.NET\Framework\v1.1.3705\Config folder, depending upon the version of the Microsoft .NET Framework that you are using.
  2. Locate the following attribute of the <processModel> element:
    userName="Machine"
  3. Replace the attribute that you located in step 2 with the following attribute:
    userName="System"
Back to the top

STATUS

This behavior is by design.
Back to the top

MORE INFORMATION

Steps to reproduce the behavior

  1. Start Microsoft Visual Studio .NET.
  2. Use Microsoft Visual C# .NET to create an ASP.NET Web Application project that is named MyApp. By default, a Web form that is named WebForm1 is created.
  3. In Solution Explorer, double-click Web.config to open the Web.config file.
  4. Locate the following element in the Web.config file:
    <authentication mode="Windows"
				/>
  5. Add the following element after the element that you located in step 4:
    <identity
				impersonate="true" userName="UserName"
				password="Password" />
    Note Replace UserName and Password with the credentials of the user who you want to impersonate.
  6. In Solution Explorer, right-click WebForm1.aspx, and then click View Code to open the code view of the WebForm1 Web form.
  7. Add the following code at the top of the code window to import the required namespaces:
    using System.Web.Security;
using System.Security.Principal;
using System.Runtime.InteropServices;
using System.Threading;
  8. Locate the following code:
    public class WebForm1 : System.Web.UI.Page
{
  9. Add the following code after the code that you located in step 8:
    // Declare a WindowsImpersonationContext object.
WindowsImpersonationContext ImpersonationContext;
  10. Locate the following code:
    // Put user code to initialize the page here.
  11. Replace the code that you located in step 10 with the following code:
    Response.Write("In the primary thread<br>");
Thread oThread = new Thread(new ThreadStart(ThreadMethod));
// Start the secondary thread.
oThread.Start();
Thread.Sleep(10000);
  12. Add the following code before the Web Form Designer generated code region:
    public void ThreadMethod()
{
    try
    {
        Response.Write("In the secondary thread<br>");
        // Try to impersonate a user.
        ImpersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
        Response.Write("Successfully impersonated from a secondary thread");
        ImpersonationContext.Undo(); 
    }
    catch(Exception e)
    {
        Response.Write("Exception : " + e.Message.ToString());
    }
}
  13. Make sure that your application uses Integrated Windows authentication.
  14. Build and then run your application. The behavior that is mentioned in the "Symptoms" section may occur.
Back to the top

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
306158  (http://kbalertz.com/Feedback.aspx?kbNumber=306158/ ) Implementing impersonation in an ASP.NET application
319615   (http://kbalertz.com/Feedback.aspx?kbNumber=319615/ ) "Unable to impersonate user" error message when you use WindowsIdentity.Impersonate method
For more information, visit the following Microsoft Developer Network (MSDN) Web sites:
Application Architecture for .NET: Designing Applications and Services
http://msdn2.microsoft.com/en-us/library/ms954595.aspx (http://msdn2.microsoft.com/en-us/library/ms954595.aspx)

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
http://msdn2.microsoft.com/en-us/library/aa302415.aspx (http://msdn2.microsoft.com/en-us/library/aa302415.aspx)
Back to the top
APPLIES TO
  • Microsoft ASP.NET 1.1, when used with:
    • the operating system: Microsoft Windows XP SP1
    • the operating system: Microsoft Windows XP
    • Microsoft Windows 2000 Service Pack 3
    • Microsoft Windows 2000 Service Pack 2
    • Microsoft Windows 2000 Service Pack 1
    • the operating system: Microsoft Windows 2000
  • Microsoft ASP.NET 1.0, when used with:
    • the operating system: Microsoft Windows XP SP1
    • the operating system: Microsoft Windows XP
    • Microsoft Windows 2000 Service Pack 3
    • Microsoft Windows 2000 Service Pack 2
    • Microsoft Windows 2000 Service Pack 1
    • the operating system: Microsoft Windows 2000
Back to the top
Keywords: 
kbinterop kbauthentication kbconfig kbwebforms kbuser kbsecurity kbwebserver kbclient kberrmsg kbprb KB842790
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

manish Reported as Irrelevant  
Written: 1/5/2006 2:20 PM
wonderful and matching what I am facing.. thanks a lot...



Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting