ASPNET and CreateProcessWithLogonW

[Matthew Wieder]

I have an ASPNET app that is running as the ASPNET machine user. It
makes a call to the API CreateProcessWithLogonW. On Windows XP it
executes without a problem, but on Windows 2000, I get an "Access is
Denied" exception. I tried adding the ASPNET account to all the items
in the "User Rights Assignment" list but to no avail. The only think
that work was adding the ASPNET account to the local admin group; then
it executed perfectly. Obviously, we don't want to be running with the
ASPNET account having Admin rights on the box, so does anyone know what
permissions must be given to the ASPNET account to be able to
successfully call CreateProcessWithLogonW on Win2k?
thanks!

 

[Jacob Yang [MSFT]]

Hi Matthew,

On Windows2000, to call the CreateProcessWithLogonW API, the caller should
have the "Act as a part of the operation system" privilege. We can assign
this privilege to the ASPNET account via the control panel->Administrative
Tools->Local Security Policy.

On Windows XP, this privilege has been assigned to the ASPNET account by
default while ASP.NET was installed.

Please try it on your side and tell me the result.

Best regards,

Jacob Yang
Microsoft Online Partner Support
<MCSD>
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Matthew Wieder]

Thanks for the reply.
I actually already tried the act as part of the OS privilege, but I just
tried it again anyway, rebooted and still get "Access is Denied." You
are able to call CreateProcessWithLogonW on a 2000 machine from ASPNET
user with giving only that privilege?
thanks.

 

[Jacob Yang [MSFT]]

Hi Matthew,

Have you installed Windows 2000 SP4? This issue may occur when you install
Microsoft Visual Studio .NET after you install Windows 2000 Service Pack 4
(SP4) on the computer. In this situation, the ASPNET account is not
assigned the "Impersonate a client after authentication" user right in the
"Local Security Policy" settings. The "Impersonate a client after
authentication" user right (also named SeImpersonatePrivilege) is a new
Windows 2000 security setting that was first included in Windows 2000 SP4.
Please refer to the following Knowledge Base article for this issue:

http://support.microsoft.com/default.aspx?scid=kb;en-us;821255

I have not written a testing sample for this issue. I am trying to provide
the possible resolution based on my experience and research. Thank you for
your understanding.

I am standing by for your results.

Best regards,

Jacob Yang
Microsoft Online Partner Support
<MCSD>
Get Secure! ¨C www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Matthew Wieder]

Hi - thanks again for the reply. We are using SP3 and I have added the
ASPNET account to _ALL_ LSA policy rights (except for the ones that
begin "Deny..."). There is some other piece missing here that only gets
permissions when ASPNET is added to the Admin group, which is what I
need to find.
thanks,
-Matthew

 

[Matthew Wieder]

So noone else has to waste a support incident with Microsoft on this,
here is the solution:

Issue is that in W2K, non-interactive users are denied the ability to
call CreateProcessWithLogonW. To fix this manually, got to Control
Panel->Administrative Tools->Local Security Settings->Local Policies->User
Rights Assignment and make the following changes:
1)Remove the ASPNET user from "Deny logon locally"
2)Remove the ASPNET user from "Log on as a batch job"
3)Remove the ASPNET user from "Log on as a service"
3)Add the ASPNET user to "Log on locally"

Additionally this will only work if impersonation is not used in the
ASP.NET application.