impersonation fails on 2K server


Seth Darr

I've got an ASP.NET web app that generates dynamic Excel spreadsheets
via COM. It does this work in a separate subdirectory called "reports" and uses
impersonation of the ReportWriter account in its own Web.config file in
that directory.

ReportWriter is an account on the machine in the Administrator group,
yet I get the following error when I try and even visit the first page
in that directory (NOT when I try to first create a spreadsheet):

Server Error in '/subsurv' Application.
--------------------------------------------------------------------------------

Configuration Error
Description: An error occurred during the processing of a configuration
file required to service this request. Please review the specific error
details below and modify your configuration file appropriately.

Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating
system 'A required privilege is not held by the client. '

Source Error:


Line 4: <system.web>
Line 5:
Line 6: <identity impersonate="true" userName="ReportWriter" password="blahblahblah" />
Line 7: <customErrors mode="Off" />
Line 8: </system.web>


Source File: C:\Inetpub\wwwroot\subsurv\reports\web.config Line: 6


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.0.3705.6018;
ASP.NET Version:1.0.3705.6018



The most aggravating part is that it works just great on my development
machine. I have tried matching all IIS and user/group settings as
closely as possible. I have the same version of the .NET Framework on
both machines (1.0 SP3). I have tried uninstalling and reinstalling the
.NET Framework, deleting and recreating the ReportWriter account. It doesn't
seem to want to impersonate ANY account, actually, it gets the same error. I
have added shares up the wazoo and probably a million
other stabs in the dark, to no effect.

Does anyone have any suggestions?! I'm relatively new to the .NET world,
but I think I've run out of ideas. Upgrading to the 1.1 Framework is
not an option at this point as I am still presently using VS Studio .NET
2002 and some initial testing on the 1.1 exposed some new bugs that I
don't want to address until I upgrade to VS .NET 2003.

HEEEELLPPP!!! Thanks in advance. If anyone needs to see any code or
whatnot I'll post it, but it doesn't seem to me to be an issue with my
code. My development machine is XP Pro, target machine is 2000 Server.

-Seth
 
On W2K you need "Act as part of the Operating System" privilege to call
LogonUser. This requirement has been lifted on XP and higher.
Note that granting this level of privilege to a webserver identity is
something you should consider with great care as it gives the account
unlimited security privileges.

Willy.
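
An audit check for the caveat in the reply above, as an added example that is not part of the original thread: it lists which accounts hold SeTcbPrivilege (the internal name of "Act as part of the operating system") in a security policy exported with `secedit /export /cfg`. The sample export, the WEB01 machine and account names, and the function names are constructed for illustration.

```python
"""Added example: find holders of SeTcbPrivilege in a secedit policy export."""

# SeTcbPrivilege is the internal name of "Act as part of the operating system".
TCB = "SeTcbPrivilege"
# LocalSystem (S-1-5-18) holds the privilege by design, so it is not a finding.
EXPECTED = {"*S-1-5-18"}

# Constructed sample in the INF layout written by `secedit /export /cfg`.
# SIDs carry a leading "*"; the WEB01 account names are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = *S-1-5-18,WEB01\\ASPNET
SeServiceLogonRight = WEB01\\ReportWriter
[Version]
signature="$CHICAGO$"
Revision=1
"""


def privilege_holders(inf_text, privilege=TCB):
    """Return the accounts/SIDs granted `privilege` in a secedit INF export."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == privilege.lower():
                return [v.strip() for v in value.split(",") if v.strip()]
    return []  # privilege not listed in the export: assigned to nobody


def unexpected_holders(inf_text, expected=EXPECTED):
    """Holders of SeTcbPrivilege outside the expected set, for review."""
    return [h for h in privilege_holders(inf_text) if h not in expected]


if __name__ == "__main__":
    for holder in unexpected_holders(SAMPLE_INF):
        print(f"review: {holder} holds {TCB}")
```

secedit normally writes the export as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to these functions.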
 