Re: impersonation fails on 2K server

From: Willy Denoyette [MVP] (willy.denoyette_at_pandora.be)
Date: 10/08/04


Date: Sat, 9 Oct 2004 00:36:00 +0200

On W2K you need "Act as part of the Operating System" privilege to call
LogonUser. This requirement has been lifted on XP and higher.
Note that granting this level of privilege to a webserver identity is
something you should consider with great care as it gives the account
unlimited security privileges.

Willy.

"Seth Darr" <seth_darr@fishgame.state.ak.us> wrote in message
news:10mb2i5s79v3tbd@corp.supernews.com...
> I've got an ASP.NET web app that generates dynamic Excel spreadsheets via
> COM. It does this work in a separate subdirectory called "reports" and uses
> impersonation of the ReportWriter account in its own Web.config file in
> that directory.
>
> ReportWriter is an account on the machine in the Administrator group,
> yet I get the following error when I try and even visit the first page
> in that directory (NOT when I try to first create a spreadsheet):
>
> Server Error in '/subsurv' Application.
> --------------------------------------------------------------------------------
>
> Configuration Error
> Description: An error occurred during the processing of a configuration
> file required to service this request. Please review the specific error
> details below and modify your configuration file appropriately.
>
> Parser Error Message: Could not create Windows user token from the
> credentials specified in the config file. Error from the operating system
> 'A required privilege is not held by the client. '
>
> Source Error:
>
>
> Line 4: <system.web>
> Line 5:
> Line 6: <identity impersonate="true" userName="ReportWriter"
> password="blahblahblah" />
> Line 7: <customErrors mode="Off" />
> Line 8: </system.web>
>
>
> Source File: C:\Inetpub\wwwroot\subsurv\reports\web.config Line: 6
>
>
> --------------------------------------------------------------------------------
> Version Information: Microsoft .NET Framework Version:1.0.3705.6018;
> ASP.NET Version:1.0.3705.6018
>
>
>
> The most aggravating part is that it works just great on my development
> machine. I have tried matching all IIS and user/group settings as closely
> as possible. I have the same version of the .NET Framework on both
> machines (1.0 SP3). I have tried uninstalling and reinstalling the .NET
> Framework, deleting and recreating the ReportWriter account. It doesn't
> seem to want to impersonate ANY account, actually, it gets the same error.
> I have added shares up the wazoo and probably a million other stabs in the
> dark, to no effect.
>
> Does anyone have any suggestions?! I'm relatively new to the .NET world,
> but I think I've run out of ideas. Upgrading to the 1.1 Framework is not
> an option at this point as I am still presently using VS Studio .NET 2002
> and some initial testing on the 1.1 exposed some new bugs that I
> don't want to address until I upgrade to VS .NET 2003.
>
> HEEEELLPPP!!! Thanks in advance. If anyone needs to see any code or
> whatnot I'll post it, but it doesn't seem to me to be an issue with my
> code. My development machine is XP Pro, target machine is 2000 Server.
>
> -Seth
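
The privilege failure described in the reply can be told apart from a bad user name or password by calling LogonUser directly and reading the Win32 error code. The following is an added example, not code from either poster: the class name LogonUserProbe and its prompts are hypothetical, and it assumes you run it under the same account that the web application's worker process uses.

```csharp
// Added diagnostic sketch (not from the thread). Run it as the account that
// would call LogonUser on the server; that account is an assumption here.
using System;
using System.Runtime.InteropServices;

class LogonUserProbe
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // "A required privilege is not held by the client."
    const int ERROR_LOGON_FAILURE = 1326;      // unknown user name or bad password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static int Main()
    {
        // Prompt instead of taking arguments so the password is not visible
        // in the process command line. Note that ReadLine echoes input.
        Console.Write("Domain or machine name: ");
        string domain = Console.ReadLine();
        Console.Write("User name: ");
        string user = Console.ReadLine();
        Console.Write("Password: ");
        string password = Console.ReadLine();

        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                      LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token); // always release the token handle
            Console.WriteLine("LogonUser succeeded: the caller can create the token.");
            return 0;
        }

        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_PRIVILEGE_NOT_HELD)
            Console.WriteLine("Error 1314: the calling account lacks the privilege LogonUser needs.");
        else if (err == ERROR_LOGON_FAILURE)
            Console.WriteLine("Error 1326: the credentials were rejected, not a privilege problem.");
        else
            Console.WriteLine("LogonUser failed with Win32 error " + err);
        return 1;
    }
}
```

Error 1314 confirms the cause named in the reply before any decision is made about granting "Act as part of the Operating System" to the account.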