Article ID: 824308 - View products that this article applies to.
When you install ASP.NET 1.1 on a computer running on a Windows 2000 Server domain controller with Service Pack 4 (SP4) installed, the IWAM account is not granted impersonate user rights for ASP.NET 1.1. When you request an ASP.NET 1.1 page, you may receive the following error message:
Server Error in '/iwamtest' Application.
Access is denied.
Description An unhandled exception occurred during the execution of the current Web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details System.ApplicationException: Access is denied.
An unhandled exception was generated during the execution of the current Web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[ApplicationException: Access is denied. ]
System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr userToken) +0 System.Security.Principal.WindowsIdentity.get_Name() +71 System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user, String verb) +100 System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user, String verb) +81 System.Web.Security.UrlAuthorizationModule.OnEnter(Object source, EventArgs eventArgs) +178 System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +60 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
You may experience the behavior when the user account that you use to run the program does not have the Impersonate a client after authentication user right (the SeImpersonatePrivilege function). When you upgrade Windows 2000 Server Domain Controller to SP4, the user account (IWAM) is not granted SeImpersonatePrivilege, and then programs that use impersonation may not work correctly.
To work around the problem, manually assign Impersonate a client after authentication to the IWAM account. To do so, follow these steps:
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.
Steps to Reproduce the Behavior
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/821546/EN-US/ )Overview of the "Impersonate a Client After Authentication" and the "Create Global Objects" Security Settings
(http://support.microsoft.com/kb/238369/ )HOW TO: Promote and Demote Domain Controllers in Windows 2000
(http://support.microsoft.com/kb/315158/ )FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller
(http://support.microsoft.com/kb/813432/ )Release Notes for Windows 2000 Service Pack 4
316989For more information about ASP.NET Impersonation, visit the following Microsoft Developer Network Web site:
(http://support.microsoft.com/kb/316989/ )PRB: "Login Failed" Error Message When You Create a Trusted Data Connection from ASP.NET to SQL Server