By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
446,320 Members | 2,205 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 446,320 IT Pros & Developers. It's quick & easy.

Identity Impersonate - help!

P: n/a
I have a website running on Windows 2000 Server, that should be able to
retrieve data from a datawarehouse on another machine running Windows 2000
Server, SQL Server 2000 and SQL Server 2000 Analysis Services. It seems
impossible to make the impersonation work. Every path I try seems to be
blocked.

Path number one: set <identity impersonate=false/> in web.config
OK. The Website is up, but it cannot access the datawarehouse because the
ASPNET user has no rights on the other machine.

Path number two: set <identity impersonate="true"/> in web.config
Now I cannot access anything at all, because I get the following error:
"Cryptographic service provider (CSP) could not be found for this
algorithm." Have tried to find out why I get this message, searching MSDN
and Google, but I can't find any answers.

Path number three: set <identity impersonate="true" userName="username"
password="xxx" /> in web.config
This gives the following error:

Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating system 'A
required privilege is not held by the client. '

I found an article
(http://support.microsoft.com/default...b;en-us;810204) on MSDN
stating that the ASPNET user needs to have the privilege to "Act as part of
the operating system" to be able to impersonate another user. Microsoft does
not recommend giving this privelege to the ASPNET user. "This is by design"
they say. So it's another path blocked.

I have also tried using <identity impersonate="true" userName="" password=""
/>
This should somehow force the use of the IUSR_machine account, I think I
read somewhere... But now this also gives the Cryptographic Service Provider
error mentioned earlier.

Found a post with some solutions, but som of them seem to compromise
security, while the last one seems a lot of effort:

1. assign ASPNET account used by asp.net with Administrator right
- I bet Microsoft does not recommend this!

2. run the aspnet_wp under the system account
- again compromising security

3. Change the userName attribute of the <processModel> tag in your
machine.config file to SYSTEM rather than its default which is MACHINE.
- well this has the same smell as number 1 and 2, but perhaps this is the
best one so far

4. Impersonate programatically which is demonstrated in this KB article:
http://support.microsoft.com/default...;en-us;Q306158
- a lot of effort

So what should I do?
Seems to me that I have to do something that is not recommended by Microsoft
to get their products to work.

Sincerely
Svein Terje Gaup

Nov 18 '05 #1
Share this Question
Share on Google+
1 Reply


P: n/a
Hi Svein,

Path number 2 is the recommended route. However, I'm not sure why you are
getting CSP problems. Here's some information about CSPs from MSDN:

http://msdn.microsoft.com/library/de..._providers.asp

IIS may want to use a certain CSP that you don't have installed or
configured? Either that, or perhaps your ASPNET user doesn't have the
necessary permissions to access the CSPs. Also, just to make sure, with path
number 2, on your website you need to have Windows Authentication turned on
and anonymous access disabled.

HTH,
Mark Jen [MSFT]
--
Please reply in newsgroup.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Svein Terje Gaup" <ga****@yahoo.com> wrote in message
news:u9**************@TK2MSFTNGP10.phx.gbl...
I have a website running on Windows 2000 Server, that should be able to
retrieve data from a datawarehouse on another machine running Windows 2000
Server, SQL Server 2000 and SQL Server 2000 Analysis Services. It seems
impossible to make the impersonation work. Every path I try seems to be
blocked.

Path number one: set <identity impersonate=false/> in web.config
OK. The Website is up, but it cannot access the datawarehouse because the
ASPNET user has no rights on the other machine.

Path number two: set <identity impersonate="true"/> in web.config
Now I cannot access anything at all, because I get the following error:
"Cryptographic service provider (CSP) could not be found for this
algorithm." Have tried to find out why I get this message, searching MSDN
and Google, but I can't find any answers.

Path number three: set <identity impersonate="true" userName="username"
password="xxx" /> in web.config
This gives the following error:

Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating system 'A required privilege is not held by the client. '

I found an article
(http://support.microsoft.com/default...b;en-us;810204) on MSDN
stating that the ASPNET user needs to have the privilege to "Act as part of the operating system" to be able to impersonate another user. Microsoft does not recommend giving this privelege to the ASPNET user. "This is by design" they say. So it's another path blocked.

I have also tried using <identity impersonate="true" userName="" password="" />
This should somehow force the use of the IUSR_machine account, I think I
read somewhere... But now this also gives the Cryptographic Service Provider error mentioned earlier.

Found a post with some solutions, but som of them seem to compromise
security, while the last one seems a lot of effort:

1. assign ASPNET account used by asp.net with Administrator right
- I bet Microsoft does not recommend this!

2. run the aspnet_wp under the system account
- again compromising security

3. Change the userName attribute of the <processModel> tag in your
machine.config file to SYSTEM rather than its default which is MACHINE.
- well this has the same smell as number 1 and 2, but perhaps this is the
best one so far

4. Impersonate programatically which is demonstrated in this KB article:
http://support.microsoft.com/default...;en-us;Q306158
- a lot of effort

So what should I do?
Seems to me that I have to do something that is not recommended by Microsoft to get their products to work.

Sincerely
Svein Terje Gaup

Nov 18 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.