ASPNET and CreateProcessWithLogonW

 
 
Matthew Wieder
      08-18-2003
I have an ASPNET app that is running as the ASPNET machine user. It
makes a call to the API CreateProcessWithLogonW. On Windows XP it
executes without a problem, but on Windows 2000, I get an "Access is
Denied" exception. I tried adding the ASPNET account to all the items
in the "User Rights Assignment" list but to no avail. The only thing
that worked was adding the ASPNET account to the local admin group; then
it executed perfectly. Obviously, we don't want to be running with the
ASPNET account having Admin rights on the box, so does anyone know what
permissions must be given to the ASPNET account to be able to
successfully call CreateProcessWithLogonW on Win2k?
thanks!

 
Jacob Yang [MSFT]
      08-19-2003
Hi Matthew,

On Windows 2000, to call the CreateProcessWithLogonW API, the caller should
have the "Act as a part of the operating system" privilege. We can assign
this privilege to the ASPNET account via the control panel->Administrative
Tools->Local Security Policy.

On Windows XP, this privilege has been assigned to the ASPNET account by
default while ASP.NET was installed.

Please try it on your side and tell me the result.

Best regards,

Jacob Yang
Microsoft Online Partner Support
<MCSD>
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
Matthew Wieder
      08-19-2003
Thanks for the reply.
I actually already tried the act as part of the OS privilege, but I just
tried it again anyway, rebooted and still get "Access is Denied." You
are able to call CreateProcessWithLogonW on a 2000 machine from ASPNET
user with giving only that privilege?
thanks.

Jacob Yang [MSFT] wrote:
> Hi Matthew,
>
> On Windows 2000, to call the CreateProcessWithLogonW API, the caller should
> have the "Act as a part of the operating system" privilege. We can assign
> this privilege to the ASPNET account via the control panel->Administrative
> Tools->Local Security Policy.
>
> On Windows XP, this privilege has been assigned to the ASPNET account by
> default while ASP.NET was installed.
>
> Please try it on your side and tell me the result.
>
> Best regards,
>
> Jacob Yang
> Microsoft Online Partner Support
> <MCSD>
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>


 
Jacob Yang [MSFT]
      08-20-2003
Hi Matthew,

Have you installed Windows 2000 SP4? This issue may occur when you install
Microsoft Visual Studio .NET after you install Windows 2000 Service Pack 4
(SP4) on the computer. In this situation, the ASPNET account is not
assigned the "Impersonate a client after authentication" user right in the
"Local Security Policy" settings. The "Impersonate a client after
authentication" user right (also named SeImpersonatePrivilege) is a new
Windows 2000 security setting that was first included in Windows 2000 SP4.
Please refer to the following Knowledge Base article for this issue:

http://support.microsoft.com/default...b;en-us;821255

I have not written a testing sample for this issue. I am trying to provide
the possible resolution based on my experience and research. Thank you for
your understanding.

I am standing by for your results.

Best regards,

Jacob Yang
Microsoft Online Partner Support
<MCSD>
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 
Matthew Wieder
      08-20-2003
Hi - thanks again for the reply. We are using SP3 and I have added the
ASPNET account to _ALL_ LSA policy rights (except for the ones that
begin "Deny..."). There is some other piece missing here that only gets
permissions when ASPNET is added to the Admin group, which is what I
need to find.
thanks,
-Matthew

Jacob Yang [MSFT] wrote:
> Hi Matthew,
>
> Have you installed Windows 2000 SP4? This issue may occur when you install
> Microsoft Visual Studio .NET after you install Windows 2000 Service Pack 4
> (SP4) on the computer. In this situation, the ASPNET account is not
> assigned the "Impersonate a client after authentication" user right in the
> "Local Security Policy" settings. The "Impersonate a client after
> authentication" user right (also named SeImpersonatePrivilege) is a new
> Windows 2000 security setting that was first included in Windows 2000 SP4.
> Please refer to the following Knowledge Base article for this issue:
>
> http://support.microsoft.com/default...b;en-us;821255
>
> I have not written a testing sample for this issue. I am trying to provide
> the possible resolution based on my experience and research. Thank you for
> your understanding.
>
> I am standing by for your results.
>
> Best regards,
>
> Jacob Yang
> Microsoft Online Partner Support
> <MCSD>
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
>


 
Matthew Wieder
      08-20-2003
So no one else has to waste a support incident with Microsoft on this,
here is the solution:

Issue is that in W2K, non-interactive users are denied the ability to
call CreateProcessWithLogonW. To fix this manually, go to Control
Panel->Administrative Tools->Local Security Settings->Local Policies->User
Rights Assignment and make the following changes:
1) Remove the ASPNET user from "Deny logon locally"
2) Remove the ASPNET user from "Log on as a batch job"
3) Remove the ASPNET user from "Log on as a service"
4) Add the ASPNET user to "Log on locally"

Additionally this will only work if impersonation is not used in the
ASP.NET application.

Matthew Wieder wrote:

> Hi - thanks again for the reply. We are using SP3 and I have added the
> ASPNET account to _ALL_ LSA policy rights (except for the ones that
> begin "Deny..."). There is some other piece missing here that only gets
> permissions when ASPNET is added to the Admin group, which is what I
> need to find.
> thanks,
> -Matthew
>
> Jacob Yang [MSFT] wrote:
>
>> Hi Matthew,
>>
>> Have you installed Windows 2000 SP4? This issue may occur when you
>> install Microsoft Visual Studio .NET after you install Windows 2000
>> Service Pack 4 (SP4) on the computer. In this situation, the ASPNET
>> account is not assigned the "Impersonate a client after
>> authentication" user right in the "Local Security Policy" settings.
>> The "Impersonate a client after authentication" user right (also named
>> SeImpersonatePrivilege) is a new Windows 2000 security setting that
>> was first included in Windows 2000 SP4. Please refer to the following
>> Knowledge Base article for this issue:
>>
>> http://support.microsoft.com/default...b;en-us;821255
>>
>> I have not written a testing sample for this issue. I am trying to
>> provide the possible resolution based on my experience and research.
>> Thank you for your understanding.
>>
>> I am standing by for your results.
>>
>> Best regards,
>>
>> Jacob Yang Microsoft Online Partner Support
>> <MCSD>
>> Get Secure! - www.microsoft.com/security
>> This posting is provided "as is" with no warranties and confers no
>> rights.
>>

>
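
As an added example (not part of the original thread, and not Microsoft tooling): a Python check that reads a user-rights export of the kind `secedit /export` writes, compares the ASPNET account's logon rights with the four changes listed in the final post, and lists any other rights the account still holds, such as the ones granted earlier in the thread while troubleshooting. The INF text, the host name WEB01 and the function names are constructed for illustration; entries stored as `*SID` are not resolved to account names.

```python
# Added example; the INF text below is constructed sample data.
# Policy names from the post -> user-right constants and the wanted state.
WANTED = {
    "SeDenyInteractiveLogonRight": False,  # "Deny logon locally": remove
    "SeBatchLogonRight": False,            # "Log on as a batch job": remove
    "SeServiceLogonRight": False,          # "Log on as a service": remove
    "SeInteractiveLogonRight": True,       # "Log on locally": add
}

def parse_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, members = line.partition("=")
            rights[name.strip()] = {m.strip().lower()
                                    for m in members.split(",") if m.strip()}
    return rights

def audit(inf_text, account="ASPNET"):
    """Return (mismatches against WANTED, other rights the account holds)."""
    rights, acct = parse_rights(inf_text), account.lower()
    def holds(right):  # matches "ASPNET" and "MACHINE\ASPNET"; not *SID entries
        return any(m == acct or m.endswith("\\" + acct)
                   for m in rights.get(right, ()))
    mismatches = [(r, want) for r, want in WANTED.items() if holds(r) != want]
    others = sorted(r for r in rights if r not in WANTED and holds(r))
    return mismatches, others

# Constructed export: the logon rights the post says to change are still in
# their old state, and two privileges named earlier in the thread are granted.
SAMPLE = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = ASPNET
SeBatchLogonRight = ASPNET
SeServiceLogonRight = WEB01\\ASPNET
SeTcbPrivilege = ASPNET
SeImpersonatePrivilege = ASPNET
[Version]
"""

if __name__ == "__main__":
    mismatches, others = audit(SAMPLE)
    for right, want in mismatches:
        print(right, "should be", "granted" if want else "absent")
    print("Other rights held by ASPNET:", ", ".join(others))
```
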


 