custom account for ASP.NET worker process

Guest

Hi
I have created a least privileged a/c by following what the ASP.NET security
doc, secmod15, suggested. Then I tried to load the login.aspx page again,
and this time I get
HTTP 401.1 - Unauthorized: Logon Failed

I have checked the event logs. Under System Log I found the related error,
it says
The server was unable to logon the Window NT account <the_custom_a/c> due to
the following error: Logon failure: the user has not been granted the
requested logon type at this computer. The data is the error code.
Data (if Words is selected) : 00000569.

I have double checked and could not figure out yet! Can anyone advise on
this please?!

TIA
--
 
Dominick Baier [DevelopMentor]

Hello dl,

have you put the account into IIS_WPG?? i assume the "logon as a service"
priv is missing - but you normally get this by adding the account to this
group.

also - an undocumented fact is : IIS caches the token for the WP - if you
change settings of the account (groups, privs) after you configured the AppPool
you have to "iisreset".
 
Guest

Hi Dominick
What is IIS_WPG, I couldn't find it anywhere, by the way I am using win2000
server. But I did assign logon as a service to the custom account.
How to do an iisreset? Do you mean to redefine the application again?

TIA
 
Dominick Baier [DevelopMentor]

Hello dl,

ah - IIS5 - well - that's too long ago :))

no honestly - i really recommend upgrading to IIS6.

In IIS5 you are limited to a single worker process account which is a security
nightmare.

Have you tried enabling auditing for logon events to see what the reason
could be?

what does your <processModel> element look like?

iisreset is a command line tool which restarts w3svc.
 
Guest

Hi Dominick
I have no choice, as my user would not want to go for Windows Server 2003
just yet! For now, there will only be one application running under this
server so, I guess IIS5 is sufficient for now.
Also, I am running on a domain controller, I guess the auditing needs to be
enabled using the "domain controller security policy" module, and after that
do I just read it from event viewer or is there any log file I need to open?
Thanks
 
Dominick Baier [DevelopMentor]

Hello dl,

generally - i wouldn't recommend running on a DC - but technically it is
possible of course.

Yes - it is in the security log - use Event Viewer for that.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
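
Added example, not part of any poster's message: once logon auditing is enabled as suggested above, the failure audit in the Security log names the logon type that was refused, and that identifies which user right to check for the custom account. This Python sketch decodes the `00000569` data value from the System log entry and maps the logon type to its right; the audit text, account name and domain are a constructed sample in the Windows 2000 "Logon Failure" layout, not values from this thread.

```python
import re

# Win32 error 1385 (0x569) is ERROR_LOGON_TYPE_NOT_GRANTED, the code shown
# as "00000569" in the System log entry quoted in the thread.
ERROR_LOGON_TYPE_NOT_GRANTED = 1385

# Logon type reported in a logon-failure audit -> (right that grants it,
# right that denies it). A deny right overrides a grant, so check both.
LOGON_RIGHTS = {
    2: ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    3: ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    4: ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    5: ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
}

def decode_event_data(words: str) -> int:
    """Convert the event's 'Data (Words)' hex string to a Win32 error code."""
    return int(words.strip(), 16)

def parse_logon_failure(text: str) -> dict:
    """Extract 'Name: value' fields from the description of a failure audit."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def diagnose(words: str, audit_text: str) -> dict:
    """Name the user rights to check for the account in the failure audit."""
    if decode_event_data(words) != ERROR_LOGON_TYPE_NOT_GRANTED:
        raise ValueError("not a 'logon type not granted' failure")
    f = parse_logon_failure(audit_text)
    logon_type = int(f["Logon Type"])
    grant, deny = LOGON_RIGHTS.get(logon_type, (None, None))
    return {"account": f"{f['Domain']}\\{f['User Name']}",
            "logon_type": logon_type, "grant": grant, "deny": deny}

# Constructed sample: account, domain and logon type are made up.
SAMPLE_AUDIT = """Logon Failure:
    Reason:         The user has not been granted the requested logon type at this machine
    User Name:      aspnet_custom
    Domain:         EXAMPLE
    Logon Type:     4
    Logon Process:  Advapi
"""

if __name__ == "__main__":
    print(diagnose("00000569", SAMPLE_AUDIT))
```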