Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Terms
of Use |
Trademarks
Article ID: 824308 - Last Review: April 19, 2007 - Revision: 3.9
BUG: IWAM Account Is Not Granted the Impersonate Privilege for ASP.NET 1.1 on a Windows 2000 Domain Controller with SP4
When you install ASP.NET 1.1 on a computer running on a
Windows 2000 Server domain controller with Service Pack 4 (SP4) installed, the IWAM
account is not granted impersonate user rights for ASP.NET 1.1. When you
request an ASP.NET 1.1 page, you may receive the following error
message:
Server Error in '/iwamtest' Application.
Access is
denied.
Description An unhandled exception occurred during the execution of the
current Web request. Please review the stack trace for more information about
the error and where it originated in the code.
Exception Details System.ApplicationException: Access is denied.
Source ErrorAn unhandled exception was generated during the execution of
the current Web request. Information regarding the origin and location of the
exception can be identified using the exception stack trace below.
Stack Trace [ApplicationException: Access is denied. ]
System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr
userToken) +0 System.Security.Principal.WindowsIdentity.get_Name() +71
System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user,
String verb) +100
System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user,
String verb) +81 System.Web.Security.UrlAuthorizationModule.OnEnter(Object
source, EventArgs eventArgs) +178
System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
+60 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +87
You may experience the behavior when the user account
that you use to run the program does not have the
Impersonate a client
after authentication user right (the
SeImpersonatePrivilege function). When you
upgrade Windows 2000 Server Domain Controller to SP4, the user account (IWAM)
is not granted
SeImpersonatePrivilege, and then programs that use
impersonation may not work correctly.
To work around the problem, manually assign
Impersonate a client after authentication to the IWAM account.
To do so, follow these steps:
- Click Start, point to
Programs, point to Administrative Tools, and
then click Domain Controller Security Policy.
- Click Security Settings.
- Click Local Policies, and then click
User Rights Assignment.
- In the right pane, double-click Impersonate a
client after authentication.
- In the Security Policy Setting window,
click Define these policy settings.
- Click Add, and then click
Browse.
- In the Select Users or Groups window, select
the IWAM account name, click Add, and then click
OK.
- Click OK, and then click
OK again.
- To enforce an update of computer policy, type the following
command:
secedit /refreshpolicy machine_policy
/enforce - At a command prompt, type
iisreset.
Microsoft has confirmed that this is a bug in the Microsoft products that are
listed at the beginning of this article.
Steps to Reproduce the Behavior
- Install Windows 2000 Server Service Pack 3 (SP3).
To download SP3, visit the following Microsoft Web
site:
http://technet.microsoft.com/en-us/library/bb742589.aspx
(http://technet.microsoft.com/en-us/library/bb742589.aspx)
- In Microsoft Visual Studio .NET, use Microsoft Visual
Basic .NET or Microsoft Visual C# to create a new ASP.NET Web Application
project. Name the project IWAMtest. By default,
WebForm1.aspx is created.
- In Design view, right-click
WebForm1, and then click View HTML
Source.
- Replace the existing code with the following code:
<%@ Page %>
<html>
<head>
<title>WebForm1</title>
</head>
<body MS_POSITIONING="GridLayout">
<form id="WebForm1" method="post" runat="server">
GetCurrent().Name= <%=System.Security.Principal.WindowsIdentity.GetCurrent().Name%> <br>
</form>
</body>
</html> - Use Microsoft Notepad.exe to edit the Web.config file, and
then set the impersonate right to true as follows:
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
</configuration>
- Promote the Windows 2000 Server to a domain controller.
- At a command prompt in Visual Studio, type the following:
cd
%windir%\Microsoft.NET\Framework\v1.0.3705. - To restore the access control lists (ACLs) for the process account, type the following command at a command prompt in Visual Studio:
Aspnet_regiis -i. - Upgrade the Windows 2000 Server with Service Pack 4
(SP4).
To download SP4, visit the following Microsoft Web
site:
http://technet.microsoft.com/en-us/windowsserver/2000/bb735341.aspx
(http://technet.microsoft.com/en-us/windowsserver/2000/bb735341.aspx)
- Install .NET Framework version 1.1 on the Windows 2000
Server.
- To test the application, type
http://localhost/IWAMtest/WebForm1.aspx in the
browser.
- You can see that the IWAM account does not have
administrator credentials, and then you may receive the error message in the
"Symptoms" section.
For additional
information, click the following article numbers to view the articles in the
Microsoft Knowledge Base:
821546Â
(http://kbalertz.com/Feedback.aspx?kbNumber=821546/EN-US/
)
Overview of the "Impersonate a Client After Authentication" and the "Create Global Objects" Security Settings
238369Â
(http://kbalertz.com/Feedback.aspx?kbNumber=238369/
)
HOW TO: Promote and Demote Domain Controllers in Windows 2000
315158Â
(http://kbalertz.com/Feedback.aspx?kbNumber=315158/
)
FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller
813432Â
(http://kbalertz.com/Feedback.aspx?kbNumber=813432/
)
Release Notes for Windows 2000 Service Pack 4
316989Â
(http://kbalertz.com/Feedback.aspx?kbNumber=316989/
)
PRB: "Login Failed" Error Message When You Create a Trusted Data Connection from ASP.NET to SQL Server
For more information about ASP.NET
Impersonation, visit the following Microsoft Developer Network Web site:
http://msdn.microsoft.com/en-us/library/xh507fc5(vs.71).aspx
(http://msdn.microsoft.com/en-us/library/xh507fc5(vs.71).aspx)
APPLIES TO
- Microsoft ASP.NET 1.1
- Microsoft Windows 2000 Server SP4
| kbdomain kbsecurity kbconfig kbbug KB824308 |
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
Be the first to leave feedback, to help others about this knowledge base
article.
(Optional) Name
(Optional)
Public URL Or Email
Comments
No
HTML -- Text Only Please