Microsoft KB Archive/810204

From BetaArchive Wiki

Article ID: 810204

Article Last Modified on 7/11/2005



APPLIES TO

  • Microsoft ASP.NET 1.0, when used with:
    • Microsoft Windows 2000 Standard Edition



SYMPTOMS

When an ASP.NET application impersonates a specific user by providing credentials as specified in the Web.config configuration file, you receive the following error message in Windows 2000:

Server Error in '/WebApplication2' Application
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'A required privilege is not held by the client.'
Source Error:

Line 21:    <!--  Impersonating
Line 22:    -->
Line 23:     <identity impersonate="true" userName="username" password="password"/>
Line 24: 
Line 25: 

Source File: c:\inetpub\wwwroot\WebApplication2\web.config Line: 23
Version Information: Microsoft .NET Framework Version:1.0.3705.0; ASP.NET Version:1.0.3705.0

CAUSE

This error occurs when you enable impersonation for a specific user identity. ASP.NET tries to generate an access token for that user by calling the LogonUser Win32 API. To call LogonUser on Windows 2000, the process owner must hold the SE_TCB_NAME ("Act as part of the operating system") user right. The ASPNET account runs with the least user rights necessary and does not hold the SE_TCB_NAME user right.

STATUS

This behavior is by design.

MORE INFORMATION

You can still impersonate the Microsoft Internet Information Services (IIS) authenticated user identity without using the extended form of impersonation that specifies credentials. The following setting impersonates either the IIS-authenticated user or the anonymous Internet user account:

<identity impersonate="true"/>

Note: By default, per-request impersonation of a specific user in ASP.NET does not work on Windows 2000. Microsoft Windows XP contains enhancements that remove the need for the SE_TCB_NAME user right.

Microsoft recommends that you do not grant the SE_TCB_NAME user right to the ASPNET account, because this violates the principle of running with the least user rights necessary. When an account has this user right, the user can perform activities such as creating new accounts, adding accounts to the Administrators group, and debugging memory.
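As an added example (not from the article or from Microsoft), the following Python script classifies the identity element of a web.config the way the article describes: a fixed userName and password cause the LogonUser call that needs SE_TCB_NAME on Windows 2000, while impersonate="true" alone does not. The "registry:" handling assumes the aspnet_setreg value syntax described in KB 329290, and the sample configs are constructed.

```python
"""Audit the <identity> element of an ASP.NET web.config for the
impersonation modes discussed in KB 810204 (added example, not
Microsoft's code). Windows 2000 is assumed as the host OS."""
import xml.etree.ElementTree as ET


def audit_identity(web_config_xml: str) -> dict:
    """Classify impersonation settings and flag the configuration
    that fails on Windows 2000 without the SE_TCB_NAME user right."""
    root = ET.fromstring(web_config_xml)
    identity = next(root.iter("identity"), None)  # first <identity> in the file
    result = {
        "mode": "none",                  # no impersonation at all
        "plaintext_credentials": False,  # userName/password literally in the file
        "needs_se_tcb_on_win2000": False,
    }
    if identity is None or identity.get("impersonate", "false").lower() != "true":
        return result
    user = identity.get("userName")
    pwd = identity.get("password")
    if not user:
        # <identity impersonate="true"/>: ASP.NET uses the IIS-authenticated
        # (or anonymous) user's token; LogonUser is not called.
        result["mode"] = "iis_authenticated"
        return result
    # A fixed identity makes ASP.NET call LogonUser, which on Windows 2000
    # requires the process owner (the ASPNET account) to hold SE_TCB_NAME.
    result["mode"] = "fixed_identity"
    result["needs_se_tcb_on_win2000"] = True
    # "registry:" values point at an encrypted registry entry (the aspnet_setreg
    # syntax of KB 329290, assumed here); anything else is a literal secret.
    literal = [v for v in (user, pwd) if v and not v.lower().startswith("registry:")]
    result["plaintext_credentials"] = bool(literal)
    return result


# Constructed sample configs; the first mirrors the failing web.config in the article.
FIXED_IDENTITY_CONFIG = """<configuration><system.web>
  <identity impersonate="true" userName="username" password="password"/>
</system.web></configuration>"""

IIS_USER_CONFIG = """<configuration><system.web>
  <identity impersonate="true"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("fixed identity", FIXED_IDENTITY_CONFIG), ("IIS user", IIS_USER_CONFIG)):
        print(label, audit_identity(cfg))
```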

Steps to Reproduce the Behavior

  1. In Microsoft Visual Basic .NET or Microsoft Visual C# .NET, create a new ASP.NET Web Application project.
  2. In Solution Explorer, double-click the Web.config file.
  3. Paste the following code in the configuration file under the <system.web> section:

    <identity impersonate="true" userName="username" password="password"/>
  4. Build and run the application.


REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings
306158 INFO: Implementing Impersonation in an ASP.NET Application


Keywords: kbsecurity kbprb KB810204