Microsoft KB Archive/810204

= PRB: Per Request Impersonation Does Not Work on Windows 2000 with ASP.NET =

Article ID: 810204

Article Last Modified on 7/11/2005

-

APPLIES TO


 * Microsoft ASP.NET 1.0, when used with:
 * Microsoft Windows 2000 Standard Edition

-



SYMPTOMS
When an ASP.NET application impersonates a specific user by providing credentials as specified in the Web.config configuration file, you receive the following error message in Windows 2000:

Server Error in '/WebApplication2' Application

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'A required privilege is not held by the client.'

Source Error: Line 21: Line 23:     Line 24: Line 25: Source File: c:\inetpub\wwwroot\WebApplication2\web.config Line: 23

Version Information: Microsoft .NET Framework Version:1.0.3705.0; ASP.NET Version:1.0.3705.0



CAUSE
This error occurs when you enable impersonation for a specific user identity. ASP.NET tries to generate an access token by calling the LogonUser Win32 API .To call LogonUser in Windows 2000, the process owner must have the SE_TCB_NAME (To Act as Part of the Operating System) user right. The ASPNET account has the least user rights and does not possess the SE_TCB_NAME user right.



STATUS
This behavior is by design.



MORE INFORMATION
You can still impersonate the Microsoft Internet Information Services (IIS) authenticated user identity without using the extended form of impersonation. The following code sets impersonation to either the IIS authenticated user or the anonymous Internet user account:  Note By default, Per Request impersonation in ASP.NET does not work with Windows 2000. Microsoft Windows XP contains enhancements that do not require the SE_TCB_NAME user right.

Microsoft recommends that you do not grant the SE_TCB_NAME user right to the ASPNET account because this violates the principle of running with the least user rights necessary. When an account has this user right, the user can perform activities such as create new accounts, add accounts to the Administrators group, and debug memory.

Steps to Reproduce the Behavior
 In Microsoft Visual Basic .NET or Microsoft Visual C# .NET, create a new ASP.NET Web Application project. In Solution Explorer, double-click the Web.config file.  Paste the following code in the configuration file under the  section:   Build and run the application.</li></ol>

<div class="references_section">