Microsoft KB Archive/223334

= PRB: Access Denied error when you call LogonUser API =

Article ID: 223334

Article Last Modified on 6/30/2006

-

APPLIES TO


 * Microsoft Visual Basic 5.0 Learning Edition
 * Microsoft Visual Basic 6.0 Learning Edition
 * Microsoft Visual Basic 5.0 Professional Edition
 * Microsoft Visual Basic 6.0 Professional Edition
 * Microsoft Visual Basic 5.0 Enterprise Edition
 * Microsoft Visual Basic 6.0 Enterprise Edition

-



This article was previously published under Q223334



SYMPTOMS
When you call the LogonUser Win32 Application Programming Interface (API) from a Microsoft Visual Basic Component Object Model (COM) component that is invoked from Active Server Pages (ASP), you receive one of the following error messages:

'5' - "Access Denied." (ERROR_ACCESS_DENIED)

-or-

'1314' - "A required privilege is not held by the client." (ERROR_PRIVILEGE_NOT_HELD)



CAUSE
When the component runs, the calling thread is impersonating the Microsoft Internet Information Server (IIS) authenticated user (for example, the anonymous IUSR account or the browser user). On Windows NT 4.0 and Windows 2000, LogonUser requires the SE_TCB_NAME ("Act as part of the operating system") privilege, which that user does not hold, so LogonUser fails.



RESOLUTION
To resolve this behavior, use the following Win32 APIs:
 * RevertToSelf
 * LogonUser
 * ImpersonateLoggedOnUser


 * 1) Call RevertToSelf.

Note The call to LogonUser will fail if the thread that makes the call does not have the correct security context. The SYSTEM account holds the privilege that is needed to successfully call LogonUser. The call to RevertToSelf causes the thread to execute as the SYSTEM account only if both of the following conditions are true:
 * The Web application is running in-process.
 * If the COM component is under MTS control, it is a library package.

 * 2) Call LogonUser and specify the Microsoft Windows NT account that you want the COM component to run as. LogonUser returns a handle to a security token for that account.
 * 3) Call ImpersonateLoggedOnUser and pass the security token that LogonUser returned.

Note The COM component is now impersonating the security context of the Windows NT account that you specified.
 * 4) After you finish the impersonation, you must call RevertToSelf again, and call CloseHandle on the token that LogonUser returned.

Note Between the first RevertToSelf call and ImpersonateLoggedOnUser, the thread runs as SYSTEM. Keep that window as short as possible, do not act on request-supplied data while in it, and make sure every error path still reaches the final RevertToSelf.
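The four steps above, carried through in a VB6 class module for the COM component. This is an example added here, not code from the KB article. It assumes the component is hosted in-process (or as an MTS library package) so that RevertToSelf lands on SYSTEM; the credentials, the file path, and the method name ReadFirstLineAs are illustrative parameters, not anything the article defines.

```vb
' VB6 class module for the COM component (example added here, not from the article).
Option Explicit

' Logon type and provider constants for LogonUser (values from winbase.h).
Private Const LOGON32_LOGON_INTERACTIVE As Long = 2
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0

Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" ( _
    ByVal hToken As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" ( _
    ByVal hObject As Long) As Long

' Reads the first line of Path while impersonating Domain\User.
' Returns 0 on success, otherwise the Win32 error code from the failing API
' (5 = ERROR_ACCESS_DENIED, 1314 = ERROR_PRIVILEGE_NOT_HELD, as the article
' describes) or the VB runtime error number raised by the file read.
' Credentials are parameters on purpose: do not hard-code them in the component.
Public Function ReadFirstLineAs(ByVal Domain As String, ByVal User As String, _
        ByVal Password As String, ByVal Path As String, _
        ByRef FirstLine As String) As Long
    Dim hToken As Long
    Dim f As Integer

    FirstLine = ""

    ' Step 1: drop the IIS-authenticated user's impersonation token. For an
    ' in-process application the thread now runs as the process identity, SYSTEM.
    If RevertToSelf() = 0 Then
        ReadFirstLineAs = Err.LastDllError
        Exit Function
    End If

    ' Step 2: log the target account on. Error 1314 here means the thread still
    ' lacks the privilege LogonUser needs, i.e. RevertToSelf did not land on SYSTEM.
    If LogonUser(User, Domain, Password, LOGON32_LOGON_INTERACTIVE, _
                 LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then
        ReadFirstLineAs = Err.LastDllError
        Exit Function
    End If

    ' Step 3: impersonate that account on this thread.
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        ReadFirstLineAs = Err.LastDllError
        CloseHandle hToken
        Exit Function
    End If

    ' Work that needs the target account's rights. Any runtime error jumps to
    ' Cleanup so the impersonation is always undone, even on failure.
    On Error GoTo Cleanup
    f = FreeFile
    Open Path For Input As #f
    Line Input #f, FirstLine
    Close #f

Cleanup:
    If Err.Number <> 0 Then
        ReadFirstLineAs = Err.Number
        Err.Clear
    End If
    On Error Resume Next
    Close #f                ' harmless if the file was never opened
    ' Step 4: revert to the process identity and release the logon token.
    RevertToSelf
    CloseHandle hToken
End Function
```

From an ASP page the call would look like `Set o = Server.CreateObject("MyComp.Impersonator")` followed by `rc = o.ReadFirstLineAs("DOMAIN", "svc_reader", pwd, "D:\data\report.txt", line)`, where the ProgID, account and path are placeholders. LOGON32_LOGON_INTERACTIVE is used because it produces a token that can also reach network resources; if the work is purely local, LOGON32_LOGON_NETWORK (3) is cheaper and grants the account no interactive logon session.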



WORKAROUND
If the COM component is currently in-process, you can instead create a Microsoft Transaction Server (MTS) server package to host the component. The package runs out-of-process under the identity that you assign to it, so MTS handles the security context switching for you and the component does not need to call RevertToSelf, LogonUser, or ImpersonateLoggedOnUser itself. For more information on how to create an empty package and add components to it, click the following article number to view the article in the Microsoft Knowledge Base:

223406 How to create an empty MTS package to add components for ASP



STATUS
This behavior is by design.



MORE INFORMATION
For more information and sample code on impersonating a user from an Active Server Pages (ASP) page, click the following article number to view the article in the Microsoft Knowledge Base:

248187 HOWTO: Impersonate a User from Active Server Pages

Keywords: kbcodesnippet kbsecurity kbprb KB223334

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.