ASPNET and CreateProcessWithLogonW

I have an ASPNET app that is running as the ASPNET machine user. It
makes a call to the API CreateProcessWithLogonW. On Windows XP it
executes without a problem, but on Windows 2000, I get an "Access is
Denied" exception. I tried adding the ASPNET account to all the items
in the "User Rights Assignment" list but to no avail. The only thing
that worked was adding the ASPNET account to the local admin group; then
it executed perfectly. Obviously, we don't want to be running with the
ASPNET account having Admin rights on the box, so does anyone know what
permissions must be given to the ASPNET account to be able to
successfully call CreateProcessWithLogonW on Win2k?
thanks!

Nov 17 '05 #1
Hi Matthew,

On Windows 2000, to call the CreateProcessWithLogonW API, the caller should
have the "Act as a part of the operating system" privilege. We can assign
this privilege to the ASPNET account via the control panel->Administrative
Tools->Local Security Policy.

On Windows XP, this privilege has been assigned to the ASPNET account by
default while ASP.NET was installed.

Please try it on your side and tell me the result.

Best regards,

Jacob Yang
Microsoft Online Partner Support
<MCSD>
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 17 '05 #2
Thanks for the reply.
I actually already tried the act as part of the OS privilege, but I just
tried it again anyway, rebooted and still get "Access is Denied." You
are able to call CreateProcessWithLogonW on a 2000 machine from the ASPNET
user by giving only that privilege?
thanks.

Nov 17 '05 #4
Hi Matthew,

Have you installed Windows 2000 SP4? This issue may occur when you install
Microsoft Visual Studio .NET after you install Windows 2000 Service Pack 4
(SP4) on the computer. In this situation, the ASPNET account is not
assigned the "Impersonate a client after authentication" user right in the
"Local Security Policy" settings. The "Impersonate a client after
authentication" user right (also named SeImpersonatePrivilege) is a new
Windows 2000 security setting that was first included in Windows 2000 SP4.
Please refer to the following Knowledge Base article for this issue:

http://support.microsoft.com/default...b;en-us;821255

I have not written a testing sample for this issue. I am trying to provide
the possible resolution based on my experience and research. Thank you for
your understanding.

I am standing by for your results.

Best regards,

Jacob Yang
Microsoft Online Partner Support
<MCSD>
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 17 '05 #5
Hi - thanks again for the reply. We are using SP3 and I have added the
ASPNET account to _ALL_ LSA policy rights (except for the ones that
begin "Deny..."). There is some other piece missing here that only gets
permissions when ASPNET is added to the Admin group, which is what I
need to find.
thanks,
-Matthew

Nov 17 '05 #6
So no one else has to waste a support incident with Microsoft on this,
here is the solution:

Issue is that in W2K, non-interactive users are denied the ability to
call CreateProcessWithLogonW. To fix this manually, go to Control
Panel->Administrative Tools->Local Security Settings->Local Policies->User
Rights Assignment and make the following changes:
1) Remove the ASPNET user from "Deny logon locally"
2) Remove the ASPNET user from "Log on as a batch job"
3) Remove the ASPNET user from "Log on as a service"
4) Add the ASPNET user to "Log on locally"

Additionally this will only work if impersonation is not used in the
ASP.NET application.

Nov 17 '05 #7
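
An added example, not part of the original thread: a small audit that checks an exported security template against the four User Rights Assignment changes listed in post #7, and flags "Act as part of the operating system" if it was left granted after the earlier troubleshooting. It assumes the local policy has been exported to INF text (for instance with `secedit /export`); the `Se*` names are the standard Windows identifiers for the rights named in the posts, and the sample template is constructed.

```python
# Added example. Constant -> (policy display name, should the account hold it
# after the changes in post #7?)
EXPECTED = {
    "SeDenyInteractiveLogonRight": ("Deny logon locally", False),
    "SeBatchLogonRight": ("Log on as a batch job", False),
    "SeServiceLogonRight": ("Log on as a service", False),
    "SeInteractiveLogonRight": ("Log on locally", True),
}
# Broad privilege tried earlier in the thread; flag it if it was left granted.
REVIEW = {"SeTcbPrivilege": "Act as part of the operating system"}

def parse_privilege_rights(text):
    """Return {right: set of lower-cased members} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, members = line.partition("=")
            # Members are account names or *SID; drop '*' and any DOMAIN\ prefix.
            rights[name.strip()] = {m.strip().lstrip("*").split("\\")[-1].lower()
                                    for m in members.split(",") if m.strip()}
    return rights

def audit(text, account_ids):
    """List the changes still needed for the account (given by name and/or SID)."""
    ids = {a.lower() for a in account_ids}
    rights = parse_privilege_rights(text)
    findings = []
    for const, (label, want) in EXPECTED.items():
        if bool(rights.get(const, set()) & ids) != want:
            verb = "add to" if want else "remove from"
            findings.append(f'{verb} "{label}" ({const})')
    for const, label in REVIEW.items():
        if rights.get(const, set()) & ids:
            findings.append(f'review "{label}" ({const})')
    return findings

# Constructed sample in the INF layout of a security-template export.
SAMPLE = """[Privilege Rights]
SeDenyInteractiveLogonRight = ASPNET,Guest
SeBatchLogonRight = ASPNET
SeServiceLogonRight = ASPNET
SeInteractiveLogonRight = *S-1-5-32-544
SeTcbPrivilege = ASPNET
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["ASPNET"])))
```

An empty result means the account's logon rights already match the state described in post #7 and the broad privilege is not granted.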
