Microsoft Knowledge Base Article
The contents of this article are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
FIX: ASP.NET does not work with the default ASPNET account on a domain controller
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Article ID: 315158
Last Review: December 19, 2007
Revision: 5.2
This article was previously published under Q315158
SYMPTOMS
After you install Microsoft Visual Studio .NET or the Microsoft .NET Framework on a domain controller or on a backup domain controller, if you try to run an ASP.NET application, the browser displays the following error message:
Server Application Unavailable
The web application you are attempting to access on this web server is currently unavailable.
Please hit the "Refresh" button in your web browser to retry your request.
Furthermore, the following event is logged in the system application event log:
aspnet_wp.exe could not be launched because the username and/or password supplied in the processModel section of the config file are invalid.
aspnet_wp.exe could not be started.
HRESULT for the failure: 80004005
This applies to Internet Information Services (IIS) version 5.0 or later.
CAUSE
By default, ASP.NET runs its worker process (Aspnet_wp.exe) with a weak account (the local machine account, which is named ASPNET) to provide a more secure environment. On a domain controller or on a backup domain controller, all user accounts are domain accounts and are not local machine accounts. Therefore, Aspnet_wp.exe fails to start because it cannot find a local account named "localmachinename\ASPNET". To provide a valid user account on the domain controller, you must specify an explicit account in the <processModel> section of the Machine.config file, or you must use the SYSTEM account.
Note If you try to debug (click the Start button) before you try to browse to the page you can experience the exact same problem.
RESOLUTION
To work around this problem, use one of the following methods:
• Create a weak account that has the correct permissions, and then configure the <processModel> section of the Machine.config file to use that account.
• Set the userName attribute to SYSTEM in the <processModel> section of the Machine.config file.
• Configure the <processModel> section of the Machine.config file to use an administrator account.
Note Allowing ASP.NET applications to run as SYSTEM or an administrator account has serious security implications. If you use either of these workarounds, code that is run in the Aspnet_wp.exe process will have access to the domain controller and the domain settings. Executable files that are started from the Aspnet_wp.exe process run in the same context and also have access to the domain controller.
Therefore, Microsoft recommends that you use the first workaround. To use the first workaround, follow these steps:
1. Create a user account on the computer named ASPUSER, and then add this account to the Users group.
   Note You can also use the ASPNET account that the .NET Framework created if you change the password on this account. You must know the password on this account because you add the password to the <processModel> section later in these steps.
2. Grant the ASPUSER or the ASPNET account the Log on as a batch job user right. Make sure that this change appears in the Local Security Policy settings.
   Note To grant the Log on as a batch job user right on this account, you may have to grant this user right in each of the following security policies (From the Control Panel/Administrative Tools):
   • Domain Controller Security Policy
   • Domain Security Policy
   • Local Security Policy
   Note You may have to reboot the server for these changes to take effect.
3. Make sure that the ASPUSER or the ASPNET account has permission to access all of the necessary directories and files to start the Aspnet_wp.exe process and to serve the ASP.NET pages.
   For additional information about what permissions you must grant to this account, click the following article number to view the article in the Microsoft Knowledge Base:
   317012 (http://kbalertz.com/Feedback.aspx?kbNumber=317012/) Process and request identity in ASP.NET
4. Open the Machine.config file. The path to the file is: %Systemroot%\Microsoft.NET\Framework\v1.0.3705\CONFIG.
5. In the <processModel> section of the Machine.config file, change the userName and the password attributes to the name and the password of the account that you created in step 1. For example:
   userName="DomainName\ASPUSER" password="ASPUSERpassword"
6. Save the changes to the Machine.config file.
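An offline check for the identity choices described above, as an added example that is not part of the original article: it parses a Machine.config and reports which workaround is in effect and whether the password sits in the file as cleartext. The sample fragments are constructed; `audit_process_model`, `on_domain_controller` and `admin_accounts` are hypothetical names, and treating a `registry:` prefix as credentials stored outside the file is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed Machine.config fragments for illustration (not from the article).
_WRAP = "<configuration><system.web>%s</system.web></configuration>"
DEFAULT_CFG = _WRAP % '<processModel userName="machine" password="AutoGenerate"/>'
SYSTEM_CFG = _WRAP % '<processModel userName="SYSTEM" password="AutoGenerate"/>'
ASPUSER_CFG = _WRAP % (r'<processModel userName="DomainName\ASPUSER" '
                       r'password="ASPUSERpassword"/>')


def audit_process_model(config_xml, on_domain_controller=True,
                        admin_accounts=("administrator",)):
    """Return (severity, message) findings for the <processModel> identity.

    admin_accounts is a site-specific list of administrator account names
    (hypothetical parameter; fill it in from your own directory).
    """
    pm = next(ET.fromstring(config_xml).iter("processModel"), None)
    if pm is None:
        return [("info", "no <processModel> element found")]
    user = pm.get("userName", "machine")        # "machine" is the shipped default
    password = pm.get("password", "AutoGenerate")
    account = user.rsplit("\\", 1)[-1].lower()  # drop a "DomainName\" prefix
    findings = []
    if account == "system":
        findings.append(("high", "worker process runs as SYSTEM; code in "
                         "Aspnet_wp.exe has access to the domain controller"))
    elif account in admin_accounts:
        findings.append(("high", "worker process runs as an administrator "
                         "account; code in Aspnet_wp.exe has access to the "
                         "domain controller"))
    elif account == "machine" and on_domain_controller:
        findings.append(("error", "default identity needs the local ASPNET "
                         "account, which a domain controller does not have; "
                         "Aspnet_wp.exe will not start"))
    # Assumption: a "registry:" value means the credential is not in this file.
    if password != "AutoGenerate" and not password.startswith("registry:"):
        findings.append(("medium", "password is stored in cleartext; restrict "
                         "read access to Machine.config"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("SYSTEM", SYSTEM_CFG),
                      ("ASPUSER", ASPUSER_CFG)):
        print(name, audit_process_model(cfg))
```

The recommended ASPUSER configuration still yields one finding, because step 5 places the account password in the file as plain text.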
STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.
This bug was corrected in ASP.NET (included with the .NET Framework) 1.1.
REFERENCES
For more information about ASP.NET security, click the following article number to view the article in the Microsoft Knowledge Base:
306590 (http://kbalertz.com/Feedback.aspx?kbNumber=306590/) ASP.NET security overview
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
316989 (http://kbalertz.com/Feedback.aspx?kbNumber=316989/) Error message when you create a trusted data connection from ASP.NET to SQL Server: "Login failed for user: 'AccountName'"
329290 (http://kbalertz.com/Feedback.aspx?kbNumber=329290/) How to use the ASP.NET utility to encrypt credentials and session state connection strings
317012 (http://kbalertz.com/Feedback.aspx?kbNumber=317012/) Process and request identity in ASP.NET
APPLIES TO
• Microsoft ASP.NET 1.0
• Microsoft Internet Information Services 5.0
• Microsoft Mobile Internet Toolkit 1.0