Microsoft KB Archive/163351

{|
 * width="100%"|

PRB: Required Privilege is Not Held ISAPI Debugging Error

 * }

Q163351

-

The information in this article applies to:


 * Microsoft Internet Information Server versions 1.0, 2.0, 3.0

-

SYMPTOMS
While attempting to debug an ISAPI extension, you may receive the following error message:

HTTP/1.0 500 Server Error ( A required privilege is not held by the client. )

If you are running any CGI applications while running IIS interactively, you will need to grant the following right to the logged on use in addition to the above:

"Replace a process level token."

CAUSE
This error occurs if the user context in which Internet Information Server (IIS) is running does not have the following privileges:


 * Act as a part of the operating system
 * Generate security audits

Normally Internet Information Server (IIS) runs as a service and has system permissions. Often when debugging ISAPI DLLs under IIS, users run IIS interactively, in the context of the logged on user.

If the logged on user does not have the above privileges on the local Windows NT Server or Workstation, IIS starts, but any attempts to access a page on the server results in the above error on the browser.

RESOLUTION
Perform the following steps on the IIS server to correct the problem. It is necessary to have administrative privileges on the IIS machine to perform these steps:


 * 1) From the Administrative Tools group, run User Manager or User Manager for domains. If you are not using User Manager for Domains, skip to step 5.
 * 2) From the User menu, choose Select Domain.
 * 3) If the IIS server is a domain controller, select the domain in which it resides.
 * 4) If the IIS server is a "stand alone" server or a workstation, enter the server name in the following form in the Domain text box and click OK:
 * 5) From the Policies menu, choose User Rights.
 * 6) Check the box labeled "Show Advanced User Rights."
 * 7) In the drop-down list labeled "Right:," select "Act as a part of the operating system."
 * 8) Choose the Add button.
 * 9) In the Add User and Groups dialog box, ensure that the box labeled "Show names from:" displays the correct domain or machine name for the account to be added.
 * 10) Click the Show Users button.
 * 11) In the Names list, select the user account to be added.
 * 12) Click the Add button. The user name now is listed in the Add Names box.
 * 13) Click OK.
 * 14) Repeat steps 7 through 13 and add the user to the "Generate security audit" right.
 * 15) Log off and log on to the system. The above changes do not take effect until a log on occurs.

If the IIS machine is a "stand-alone" server or a workstation that is also a member of a domain, steps 3 through 5 are required.

STATUS
This behavior is by design.