Hello,
As the article is suggesting:
"To work around this problem, use one of the following methods:
- Create a weak account that has the correct permissions, and then
configure the <processModel> section of the Machine.config file to use
that account.
- Set the userName attribute to SYSTEM in the <processModel> section of
the Machine.config file.
- Configure the <processModel> section of the Machine.config file to
use an administrator account.
NOTE: Allowing ASP.NET applications to run as SYSTEM or an administrator
account has serious
security implications. If you use either of these workarounds, code that is
run in the Aspnet_wp.exe
process will have access to the domain controller and the domain settings.
Executable files that are
started from the Aspnet_wp.exe process run in the same context and also
have access to the domain
controller.
Did you try any of these workarounds?
For .Net Framework 1.1 the ASPNET account is not supposed to be created on
a
Win2K server promoted to a DC. In this case, ASP.NET is supposed to run as
the IWAM
account
There are 3 options when you install this version of the framework on a
Windows
2000 DC:
1. Give IWAM the correct permission to run the app <"machine" now maps to
this
user">
2. Create a new account and grant the correct permissions
3. Run the process as SYSTEM
Please let me know if you have more questions on this.
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: <.>
| Subject: Is it safe to use IWAM_<machine name> account for aspnet_wp.exe?
| Date: Tue, 1 Jul 2003 10:41:06 -0400
| Lines: 43
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <uM**************@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| NNTP-Posting-Host: d150-83-130.home.cgocable.net 24.150.83.130
| Path: cpmsftngxa09.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
| Xref: cpmsftngxa09.phx.gbl microsoft.public.dotnet.framework.aspnet:31390
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| This question references to KB articles:
|
http://support.microsoft.com/default...b;EN-US;315158
|
http://support.microsoft.com/default...b;EN-US;317012
|
| I'm running Advanced Server 2000 as a domain controller with IIS 5 (I
know I
| shouldn't be doing this - just a test machine). I am using the default
| ASP.NET (v1.1) machine.config file.....
|
| <processModel..... userName="machine" password="AutoGenerate"..... />
|
| According to KB317012....."The machine and the AutoGenerate values
instruct
| ASP.NET to use the built-in ASPNET account and to use a cryptographically
| strong, random password that is stored in the Local Security Authority
(LSA)
| for that account."
|
| On my machine this causes the worker process (Aspnet_wp.exe) to run under
| the IWAM_<machine name> account instead.
| Is this safe? (I've disabled the ASPNET account as it dosn't seam to be
| needed). In order to get the SDK samples to work with my SQL Server, I've
| added IWAM_<machine name> as a login and database user. Is this safe?
|
| Also, it seams I have to add IWAM_<machine name> to any virtual directory
| that uses ASP.NET. I get two error messages from source USERENV in the
| Application Log every time Aspnet_wp.exe starts up.....
|
| Event ID: 1000
| Windows cannot log you on because the profile cannot be loaded. Contact
your
| network administrator.
| DETAIL - Cannot create a file when that file already exists.
|
| Event ID: 1000
| Windows cannot copy file <Document and Settings\ Default
| User\Favourites\Links> to location <Document and Settings\My
| Domain\IWAM_<machine name>\Favourites\Links>. Contact your network
| administrator.
| DETAIL - Cannot create a file when that file already exists.
|
| ..... and a <My Domain Name> folder is created in the Document and
Settings
| folder (if it dosn't already exist - it remains empty).
|
| Thanks
|
|
|
