Article ID: 824308 - Last Review: April 19, 2007 - Revision: 3.9

BUG: IWAM Account Is Not Granted the Impersonate Privilege for ASP.NET 1.1 on a Windows 2000 Domain Controller with SP4

View products that this article applies to.

On This Page

Expand all | Collapse all

SYMPTOMS

When you install ASP.NET 1.1 on a computer running on a Windows 2000 Server domain controller with Service Pack 4 (SP4) installed, the IWAM account is not granted impersonate user rights for ASP.NET 1.1. When you request an ASP.NET 1.1 page, you may receive the following error message:
Server Error in '/iwamtest' Application.

Access is denied.
Description An unhandled exception occurred during the execution of the current Web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details System.ApplicationException: Access is denied.

Source Error
An unhandled exception was generated during the execution of the current Web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace
[ApplicationException: Access is denied. ] 

System.Security.Principal.WindowsIdentity._ResolveIdentity(IntPtr
		  userToken) +0 System.Security.Principal.WindowsIdentity.get_Name() +71
		  System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user,
		  String verb) +100
		  System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user,
		  String verb) +81 System.Web.Security.UrlAuthorizationModule.OnEnter(Object
		  source, EventArgs eventArgs) +178
		  System.Web.SyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
		  +60 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
		  completedSynchronously) +87
Back to the top

CAUSE

You may experience the behavior when the user account that you use to run the program does not have the Impersonate a client after authentication user right (the SeImpersonatePrivilege function). When you upgrade Windows 2000 Server Domain Controller to SP4, the user account (IWAM) is not granted SeImpersonatePrivilege, and then programs that use impersonation may not work correctly.
Back to the top

WORKAROUND

To work around the problem, manually assign Impersonate a client after authentication to the IWAM account. To do so, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
  2. Click Security Settings.
  3. Click Local Policies, and then click User Rights Assignment.
  4. In the right pane, double-click Impersonate a client after authentication.
  5. In the Security Policy Setting window, click Define these policy settings.
  6. Click Add, and then click Browse.
  7. In the Select Users or Groups window, select the IWAM account name, click Add, and then click OK.
  8. Click OK, and then click OK again.
  9. To enforce an update of computer policy, type the following command:
    secedit /refreshpolicy machine_policy /enforce
  10. At a command prompt, type iisreset.
Back to the top

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.
Back to the top

MORE INFORMATION


Back to the top

Steps to Reproduce the Behavior


  1. Install Windows 2000 Server Service Pack 3 (SP3).

    To download SP3, visit the following Microsoft Web site:
    http://technet.microsoft.com/en-us/library/bb742589.aspx (http://technet.microsoft.com/en-us/library/bb742589.aspx)
  2. In Microsoft Visual Studio .NET, use Microsoft Visual Basic .NET or Microsoft Visual C# to create a new ASP.NET Web Application project. Name the project IWAMtest. By default, WebForm1.aspx is created.
  3. In Design view, right-click WebForm1, and then click View HTML Source.
  4. Replace the existing code with the following code:
    <%@ Page %>
<html>
   <head>
        <title>WebForm1</title>      
   </head>
   <body MS_POSITIONING="GridLayout">
      <form id="WebForm1" method="post" runat="server">
       GetCurrent().Name= <%=System.Security.Principal.WindowsIdentity.GetCurrent().Name%> <br>
      </form>
   </body>
</html>
  5. Use Microsoft Notepad.exe to edit the Web.config file, and then set the impersonate right to true as follows: 
    <configuration>
  <system.web>
	<identity impersonate="true" />
  </system.web>
</configuration>
  6. Promote the Windows 2000 Server to a domain controller.
  7. At a command prompt in Visual Studio, type the following:
    cd %windir%\Microsoft.NET\Framework\v1.0.3705.
  8. To restore the access control lists (ACLs) for the process account, type the following command at a command prompt in Visual Studio:
    Aspnet_regiis -i.
  9. Upgrade the Windows 2000 Server with Service Pack 4 (SP4).

    To download SP4, visit the following Microsoft Web site:
    http://technet.microsoft.com/en-us/windowsserver/2000/bb735341.aspx (http://technet.microsoft.com/en-us/windowsserver/2000/bb735341.aspx)
  10. Install .NET Framework version 1.1 on the Windows 2000 Server.
  11. To test the application, type http://localhost/IWAMtest/WebForm1.aspx in the browser.
  12. You can see that the IWAM account does not have administrator credentials, and then you may receive the error message in the "Symptoms" section.
Back to the top

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
821546  (http://support.microsoft.com/kb/821546/EN-US/ ) Overview of the "Impersonate a Client After Authentication" and the "Create Global Objects" Security Settings
238369  (http://support.microsoft.com/kb/238369/ ) HOW TO: Promote and Demote Domain Controllers in Windows 2000
315158  (http://support.microsoft.com/kb/315158/ ) FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller
813432  (http://support.microsoft.com/kb/813432/ ) Release Notes for Windows 2000 Service Pack 4
316989  (http://support.microsoft.com/kb/316989/ ) PRB: "Login Failed" Error Message When You Create a Trusted Data Connection from ASP.NET to SQL Server
For more information about ASP.NET Impersonation, visit the following Microsoft Developer Network Web site:
http://msdn.microsoft.com/en-us/library/xh507fc5(vs.71).aspx (http://msdn.microsoft.com/en-us/library/xh507fc5(vs.71).aspx)
Back to the top
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft Windows 2000 Server SP4
Back to the top
Keywords: 
kbdomain kbsecurity kbconfig kbbug KB824308
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations