Article ID: 810204 - Last Review: July 11, 2005 - Revision: 3.5

PRB: Per Request Impersonation Does Not Work on Windows 2000 with ASP.NET

View products that this article applies to.

On This Page

Expand all | Collapse all

SYMPTOMS

When an ASP.NET application impersonates a specific user by providing credentials as specified in the Web.config configuration file, you receive the following error message in Windows 2000:
Server Error in '/WebApplication2' Application
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'A required privilege is not held by the client.'
Source Error:
Line 21:   	<!--  Impersonating
Line 22:   	-->
Line 23:     <identity impersonate="true" userName="username" password="password"/>
Line 24: 
Line 25:
Source File: c:\inetpub\wwwroot\WebApplication2\web.config Line: 23
Version Information: Microsoft .NET Framework Version:1.0.3705.0; ASP.NET Version:1.0.3705.0
Back to the top

CAUSE

This error occurs when you enable impersonation for a specific user identity. ASP.NET tries to generate an access token by calling the LogonUser Win32 API .To call LogonUser in Windows 2000, the process owner must have the SE_TCB_NAME (To Act as Part of the Operating System) user right. The ASPNET account has the least user rights and does not possess the SE_TCB_NAME user right.
Back to the top

STATUS

This behavior is by design.
Back to the top

MORE INFORMATION

You can still impersonate the Microsoft Internet Information Services (IIS) authenticated user identity without using the extended form of impersonation. The following code sets impersonation to either the IIS authenticated user or the anonymous Internet user account:
<identity impersonate="true"/>
Note By default, Per Request impersonation in ASP.NET does not work with Windows 2000. Microsoft Windows XP contains enhancements that do not require the SE_TCB_NAME user right.

Microsoft recommends that you do not grant the SE_TCB_NAME user right to the ASPNET account because this violates the principle of running with the least user rights necessary. When an account has this user right, the user can perform activities such as create new accounts, add accounts to the Administrators group, and debug memory.
Back to the top

Steps to Reproduce the Behavior

  1. In Microsoft Visual Basic .NET or Microsoft Visual C# .NET, create a new ASP.NET Web Application project.
  2. In Solution Explorer, double-click the Web.config file.
  3. Paste the following code in the configuration file under the <system.web> section:
    <identity impersonate="true" userName="username" password="password"/>
  4. Build and run the application.
Back to the top

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
329290  (http://support.microsoft.com/kb/329290/EN-US/ ) HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings
306158  (http://support.microsoft.com/kb/306158/EN-US/ ) INFO: Implementing Impersonation in an ASP.NET Application
Back to the top
APPLIES TO
  • Microsoft ASP.NET 1.0, when used with:
    • the operating system: Microsoft Windows 2000
Back to the top
Keywords: 
kbsecurity kbprb KB810204
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations