Article ID: 810204
Article Last Modified on 7/11/2005
APPLIES TO
- Microsoft ASP.NET 1.0, when used with:
- Microsoft Windows 2000 Standard Edition
SYMPTOMS
When an ASP.NET application impersonates a specific user by providing credentials as specified in the Web.config configuration file, you receive the following error message in Windows 2000:
CAUSE
This error occurs when you enable impersonation for a specific user identity. ASP.NET tries to generate an access token by calling the LogonUser Win32 API .To call LogonUser in Windows 2000, the process owner must have the SE_TCB_NAME (To Act as Part of the Operating System) user right. The ASPNET account has the least user rights and does not possess the SE_TCB_NAME user right.
STATUS
This behavior is by design.
MORE INFORMATION
You can still impersonate the Microsoft Internet Information Services (IIS) authenticated user identity without using the extended form of impersonation. The following code sets impersonation to either the IIS authenticated user or the anonymous Internet user account:
<identity impersonate="true"/>
Note By default, Per Request impersonation in ASP.NET does not work with Windows 2000. Microsoft Windows XP contains enhancements that do not require the SE_TCB_NAME user right.
Microsoft recommends that you do not grant the SE_TCB_NAME user right to the ASPNET account because this violates the principle of running with the least user rights necessary. When an account has this user right, the user can perform activities such as create new accounts, add accounts to the Administrators group, and debug memory.
Steps to Reproduce the Behavior
- In Microsoft Visual Basic .NET or Microsoft Visual C# .NET, create a new ASP.NET Web Application project.
- In Solution Explorer, double-click the Web.config file.
Paste the following code in the configuration file under the <system.web> section:
<identity impersonate="true" userName="username" password="password"/>
- Build and run the application.
REFERENCES
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings
306158 INFO: Implementing Impersonation in an ASP.NET Application
Keywords: kbsecurity kbprb KB810204