ASPNET and CreateProcessWithLogonW

Discussion in 'ASP .Net' started by Matthew Wieder, Aug 18, 2003.

  1. I have an ASPNET app that is running as the ASPNET machine user. It
    makes a call to the API CreateProcessWithLogonW. On Windows XP it
    executes without a problem, but on Windows 2000, I get an "Access is
    Denied" exception. I tried adding the ASPNET account to all the items
    in the "User Rights Assignment" list but to no avail. The only thing
    that worked was adding the ASPNET account to the local admin group; then
    it executed perfectly. Obviously, we don't want to be running with the
    ASPNET account having Admin rights on the box, so does anyone know what
    permissions must be given to the ASPNET account to be able to
    successfully call CreateProcessWithLogonW on Win2k?
    thanks!
    Matthew Wieder, Aug 18, 2003
    #1

  2. Hi Matthew,

    On Windows2000, to call the CreateProcessWithLogonW API, the caller should
    have the "Act as a part of the operation system" privilege. We can assign
    this privilege to the ASPNET account via the control panel->Administrative
    Tools->Local Security Policy.

    On Windows XP, this privilege has been assigned to the ASPNET account by
    default while ASP.NET was installed.

    Please try it on your side and tell me the result.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    <MCSD>
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
    Jacob Yang [MSFT], Aug 19, 2003
    #2

  3. Thanks for the reply.
    I actually already tried the act as part of the OS privilege, but I just
    tried it again anyway, rebooted and still get "Access is Denied." You
    are able to call CreateProcessWithLogonW on a 2000 machine from ASPNET
    user with giving only that privilege?
    thanks.

    Jacob Yang [MSFT] wrote:
    > Hi Matthew,
    >
    > On Windows2000, to call the CreateProcessWithLogonW API, the caller should
    > have the "Act as a part of the operation system" privilege. We can assign
    > this privilege to the ASPNET account via the control panel->Administrative
    > Tools->Local Security Policy.
    >
    > On Windows XP, this privilege has been assigned to the ASPNET account by
    > default while ASP.NET was installed.
    >
    > Please try it on your side and tell me the result.
    >
    > Best regards,
    >
    > Jacob Yang
    > Microsoft Online Partner Support
    > <MCSD>
    > Get Secure! - www.microsoft.com/security
    > This posting is provided "as is" with no warranties and confers no rights.
    >
    Matthew Wieder, Aug 19, 2003
    #3
  4. Hi Matthew,

    Have you installed Windows 2000 SP4? This issue may occur when you install
    Microsoft Visual Studio .NET after you install Windows 2000 Service Pack 4
    (SP4) on the computer. In this situation, the ASPNET account is not
    assigned the "Impersonate a client after authentication" user right in the
    "Local Security Policy" settings. The "Impersonate a client after
    authentication" user right (also named SeImpersonatePrivilege) is a new
    Windows 2000 security setting that was first included in Windows 2000 SP4.
    Please refer to the following Knowledge Base article for this issue:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;821255

    I have not written a testing sample for this issue. I am trying to provide
    the possible resolution based on my experience and research. Thank you for
    your understanding.

    I am standing by for your results.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    <MCSD>
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.
    Jacob Yang [MSFT], Aug 20, 2003
    #4
  5. Hi - thanks again for the reply. We are using SP3 and I have added the
    ASPNET account to _ALL_ LSA policy rights (except for the ones that
    begin "Deny..."). There is some other piece missing here that only gets
    permissions when ASPNET is added to the Admin group, which is what I
    need to find.
    thanks,
    -Matthew

    Jacob Yang [MSFT] wrote:
    > Hi Matthew,
    >
    > Have you installed Windows 2000 SP4? This issue may occur when you install
    > Microsoft Visual Studio .NET after you install Windows 2000 Service Pack 4
    > (SP4) on the computer. In this situation, the ASPNET account is not
    > assigned the "Impersonate a client after authentication" user right in the
    > "Local Security Policy" settings. The "Impersonate a client after
    > authentication" user right (also named SeImpersonatePrivilege) is a new
    > Windows 2000 security setting that was first included in Windows 2000 SP4.
    > Please refer to the following Knowledge Base article for this issue:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;821255
    >
    > I have not written a testing sample for this issue. I am trying to provide
    > the possible resolution based on my experience and research. Thank you for
    > your understanding.
    >
    > I am standing by for your results.
    >
    > Best regards,
    >
    > Jacob Yang
    > Microsoft Online Partner Support
    > <MCSD>
    > Get Secure! - www.microsoft.com/security
    > This posting is provided "as is" with no warranties and confers no rights.
    >
    Matthew Wieder, Aug 20, 2003
    #5
  6. So no one else has to waste a support incident with Microsoft on this,
    here is the solution:

    Issue is that in W2K, non-interactive users are denied the ability to
    call CreateProcessWithLogonW. To fix this manually, go to Control
    Panel->Administrative Tools->Local Security Settings->Local Policies->User
    Rights Assignment and make the following changes:
    1) Remove the ASPNET user from "Deny logon locally"
    2) Remove the ASPNET user from "Log on as a batch job"
    3) Remove the ASPNET user from "Log on as a service"
    4) Add the ASPNET user to "Log on locally"

    Additionally this will only work if impersonation is not used in the
    ASP.NET application.

    Matthew Wieder wrote:

    > Hi - thanks again for the reply. We are using SP3 and I have added the
    > ASPNET account to _ALL_ LSA policy rights (except for the ones that
    > begin "Deny..."). There is some other piece missing here that only gets
    > permissions when ASPNET is added to the Admin group, which is what I
    > need to find.
    > thanks,
    > -Matthew
    >
    > Jacob Yang [MSFT] wrote:
    >
    >> Hi Matthew,
    >>
    >> Have you installed Windows 2000 SP4? This issue may occur when you
    >> install Microsoft Visual Studio .NET after you install Windows 2000
    >> Service Pack 4 (SP4) on the computer. In this situation, the ASPNET
    >> account is not assigned the "Impersonate a client after
    >> authentication" user right in the "Local Security Policy" settings.
    >> The "Impersonate a client after authentication" user right (also named
    >> SeImpersonatePrivilege) is a new Windows 2000 security setting that
    >> was first included in Windows 2000 SP4. Please refer to the following
    >> Knowledge Base article for this issue:
    >>
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;821255
    >>
    >> I have not written a testing sample for this issue. I am trying to
    >> provide the possible resolution based on my experience and research.
    >> Thank you for your understanding.
    >>
    >> I am standing by for your results.
    >>
    >> Best regards,
    >>
    >> Jacob Yang Microsoft Online Partner Support
    >> <MCSD>
    >> Get Secure! - www.microsoft.com/security
    >> This posting is provided "as is" with no warranties and confers no
    >> rights.
    >>

    >
    Matthew Wieder, Aug 20, 2003
    #6
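
An added example, not part of the original thread: a check that compares the `[Privilege Rights]` section of a `secedit /export` policy dump with the four changes listed in post #6, and also reports any other rights the account still holds from earlier troubleshooting (such as the "act as part of the operating system" right tried in posts #2 and #3). The sample dump is constructed, the function names are hypothetical, and the code assumes the account is listed by name rather than by SID.

```python
# Added example: audit a `secedit /export` policy dump against the target
# state described in post #6. SAMPLE_INF is constructed, not from a real host.
EXPECTED = {  # user right constant -> should ASPNET hold it?
    "SeDenyInteractiveLogonRight": False,  # "Deny logon locally"
    "SeBatchLogonRight": False,            # "Log on as a batch job"
    "SeServiceLogonRight": False,          # "Log on as a service"
    "SeInteractiveLogonRight": True,       # "Log on locally"
}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,ASPNET
SeDenyInteractiveLogonRight = ASPNET
SeBatchLogonRight = MYBOX\\ASPNET
SeServiceLogonRight =
SeTcbPrivilege = ASPNET
[Version]
signature="$CHICAGO$"
"""

def rights_held(inf_text, account):
    """Return the set of rights in [Privilege Rights] that list `account`."""
    held, in_section = set(), False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        right, _, members = line.partition("=")
        for m in members.split(","):
            # Entries are "*SID", "NAME" or "MACHINE\NAME" (name match assumed).
            name = m.strip().lstrip("*").rsplit("\\", 1)[-1]
            if name.lower() == account.lower():
                held.add(right.strip())
    return held

def audit(inf_text, account="ASPNET"):
    """Return (deviations from post #6, other rights still granted)."""
    held = rights_held(inf_text, account)
    deviations = {r: want for r, want in EXPECTED.items() if (r in held) != want}
    extras = sorted(held - set(EXPECTED))
    return deviations, extras

if __name__ == "__main__":
    print(audit(SAMPLE_INF))
```

A real export is normally written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.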