469,950 Members | 2,061 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,950 developers. It's quick & easy.

LogonUser() Works Under NT4.0, Fails Under Win2K

Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike
Jul 19 '05 #1
6 3872
Mike wrote:
Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike


http://tinyurl.com/urqc
http://tinyurl.com/urqp

HTH,
Bob Barrows

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Jul 19 '05 #2
On Wed, 12 Nov 2003 17:36:45 -0500, "Bob Barrows"
<re******@NOyahoo.SPAMcom> wrote:
Mike wrote:
Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike


http://tinyurl.com/urqc
http://tinyurl.com/urqp

HTH,
Bob Barrows


Bob, thanks for th input. I looked at both threads and granted TCB
authority (eventaully) to the "Everyone" group, and I'm still getting
a failure from LogonUser(), and still getting a return of 0 from
GetLastError. Any other resources to which you might point me?

TIA

Mike
Jul 19 '05 #3
In addition to Bob's links, also see http://www.aspfaq.com/5003.

(Sorry Bob!)

Ray at home

"Mike" <em************@for.spam.relief> wrote in message
news:rc********************************@4ax.com...
Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike

Jul 19 '05 #4
On Wed, 12 Nov 2003 18:16:44 -0500, "Ray at <%=sLocation%>"
<myfirstname at lane 34 . komm> wrote:
In addition to Bob's links, also see http://www.aspfaq.com/5003.

(Sorry Bob!)

Ray at home

"Mike" <em************@for.spam.relief> wrote in message
news:rc********************************@4ax.com.. .
Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike


Should we get into a discussion about top-posting, too? Thanks for
your invaluable help.
Jul 19 '05 #5
It is to help. By tip-toeing through the Internet and playing by all the
silly rules, you increase your chances of receiving help. The only reason I
inform you of the multi-posting is so that you are more likely to get future
help.

Ray at home

"Mick" <em************@for.spam.relief> wrote in message
news:l9********************************@4ax.com...


Should we get into a discussion about top-posting, too? Thanks for
your invaluable help.

Jul 19 '05 #6
Problem Resolved.

To be /helpful/, I'm posting the extra couple of yards that were
necessary to resolve this issue, in case anyone else trudges down this
path, only to be frustrated by the same issues as I was (missing
information, trolls, etc.).

First, Bob's links to what were essentially threads from last March
from the microsoft.public.platformsdk.security NG (retention from
Google is far superior to MS's news server, so don't expect to find it
there), were a great starting point.

Bob's "tiny URL" links appear to have expired, so here are the full
URL's, with the obligatory warning to copy & paste the whole mess into
the browser's address window:

http://groups.google.com/groups?hl=e...40TK2MSFTNGP12
http://groups.google.com/groups?hl=e...3DN%26tab%3Dwg

Anyway, Yu Chen's explanation (in the second thread) did not go the
extra step of discussing which credentials needed to have the
SE_TCB_NAME privileges assigned, in a scenario where an object was
created using "classic" ASP under IIS 5.0 (Win2K Server,
sepcifically).

After some hours of assigning the privilege to various user ID's,
including IUSR_{machine_name} & the "Everyone" group (calm down, this
is a test server inside of a firewall), I was still not having any
success getting my object to successfully logon & impersonate. My
personal news server (UsenetServer.com) has fairly good retention in
the text groups, so I went back to
microsoft.public.platformsdk.security and read some additional threads
on the topic. One suggested reviewing the security event logs to find
the failed logons, which I did. Bingo, I found that IIS was creating
the process under the IWAM_{machine_name} ID. I applied the TCP
privileges per Yu Chen's instructions (using gpedit.msc) and it's now
working fine.

A couple of issues remain to be researched. One, an annoyance really,
was that the machine had to be rebooted to effect the logoff and logon
required to assert the new prvilege to the ID. Since I tried a number
of ID's before finding the right one, there were several reboots
required. A discussion with my corporate network group did not reveal
any other way to handle it. The other issue, again after conferring
with the network group, assignment of those privileges to that ID had
them concerned, as it gives admin authority to an anonymous ID. Anyone
have any thoughts or real information on this?

TIA
Mike

On Wed, 12 Nov 2003 17:26:06 -0500, Mike
<em************@for.spam.relief> wrote:
Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike


Jul 19 '05 #7

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by Nimi | last post: by
2 posts views Thread by BLiTZWiNG | last post: by
7 posts views Thread by Jason | last post: by
1 post views Thread by Andy Todd | last post: by
4 posts views Thread by ECathell | last post: by
9 posts views Thread by schaf | last post: by
1 post views Thread by Sajid | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.