
Identity Impersonate - help!

I have a website running on Windows 2000 Server, that should be able to
retrieve data from a datawarehouse on another machine running Windows 2000
Server, SQL Server 2000 and SQL Server 2000 Analysis Services. It seems
impossible to make the impersonation work. Every path I try seems to be
blocked.

Path number one: set <identity impersonate="false"/> in web.config
OK. The Website is up, but it cannot access the datawarehouse because the
ASPNET user has no rights on the other machine.

Path number two: set <identity impersonate="true"/> in web.config
Now I cannot access anything at all, because I get the following error:
"Cryptographic service provider (CSP) could not be found for this
algorithm." Have tried to find out why I get this message, searching MSDN
and Google, but I can't find any answers.

Path number three: set <identity impersonate="true" userName="username"
password="xxx" /> in web.config
This gives the following error:

Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating system 'A
required privilege is not held by the client. '

I found an article
(http://support.microsoft.com/default...b;en-us;810204) on MSDN
stating that the ASPNET user needs to have the privilege to "Act as part of
the operating system" to be able to impersonate another user. Microsoft does
not recommend giving this privilege to the ASPNET user. "This is by design"
they say. So it's another path blocked.

I have also tried using <identity impersonate="true" userName="" password=""
/>
This should somehow force the use of the IUSR_machine account, I think I
read somewhere... But now this also gives the Cryptographic Service Provider
error mentioned earlier.

Found a post with some solutions, but some of them seem to compromise
security, while the last one seems a lot of effort:

1. assign ASPNET account used by asp.net with Administrator right
- I bet Microsoft does not recommend this!

2. run the aspnet_wp under the system account
- again compromising security

3. Change the userName attribute of the <processModel> tag in your
machine.config file to SYSTEM rather than its default which is MACHINE.
- well this has the same smell as number 1 and 2, but perhaps this is the
best one so far

4. Impersonate programmatically which is demonstrated in this KB article:
http://support.microsoft.com/default...;en-us;Q306158
- a lot of effort

So what should I do?
Seems to me that I have to do something that is not recommended by Microsoft
to get their products to work.

Sincerely
Svein Terje Gaup

Nov 18 '05 #1
Hi Svein,

Path number 2 is the recommended route. However, I'm not sure why you are
getting CSP problems. Here's some information about CSPs from MSDN:

http://msdn.microsoft.com/library/de..._providers.asp

IIS may want to use a certain CSP that you don't have installed or
configured? Either that, or perhaps your ASPNET user doesn't have the
necessary permissions to access the CSPs. Also, just to make sure, with path
number 2, on your website you need to have Windows Authentication turned on
and anonymous access disabled.

HTH,
Mark Jen [MSFT]
--
Please reply in newsgroup.
This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #2
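
As an added example (not code from either poster or from the KB article), option 4 from the question can be limited to the caller IIS has already authenticated and scoped to just the data-warehouse call, so the rest of the request keeps running as the low-privileged ASPNET account. It assumes Windows Authentication is on and anonymous access is disabled, as the reply describes; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical helper, added for illustration only.
public static class CallerImpersonation
{
    // Runs 'work' under the Windows identity IIS authenticated for this
    // request, then always reverts to the worker-process identity.
    public static T RunAsCaller<T>(HttpContext context, Func<T> work)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (work == null) throw new ArgumentNullException("work");

        WindowsIdentity caller =
            context.User == null ? null : context.User.Identity as WindowsIdentity;

        // Fail closed: if anonymous access is still enabled there is no
        // real caller token, and the work must not silently run under
        // IUSR_machine or the ASPNET account instead.
        if (caller == null || caller.IsAnonymous || !caller.IsAuthenticated)
        {
            throw new UnauthorizedAccessException(
                "No authenticated Windows identity on this request.");
        }

        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            // Only this delegate (for example the data-warehouse query)
            // executes with the caller's token.
            return work();
        }
        finally
        {
            // Revert even when 'work' throws, so the impersonated token
            // never leaks to later code on the same thread.
            impersonation.Undo();
        }
    }
}
```

With this pattern `<identity impersonate="true"/>` can stay off in web.config, and no account needs the "Act as part of the operating system" privilege or SYSTEM rights, because no new logon token is created from stored credentials.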
