LogonUser() Works Under NT4.0, Fails Under Win2K

Discussion in 'ASP General' started by Mike, Nov 12, 2003.

  1. Mike

    Mike Guest

    Any help would be greatly appreciated.

    Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
    Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
    SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
    /IIS4.0, expressly to retrieve Office documents contained on the
    server's DASD, but outside the "view" of the web site, which uses
    home-grown ASP session security. Works great!

    However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
    function returns 0 (fails), and GetLastError() function also returns
    0, making it impossible to debug!

    More details available on request.

    Mike
     
    Mike, Nov 12, 2003
    #1

  2. Mike

    Bob Barrows Guest

    Mike wrote:
    > Any help would be greatly appreciated.
    >
    > Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
    > Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
    > SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
    > /IIS4.0, expressly to retrieve Office documents contained on the
    > server's DASD, but outside the "view" of the web site, which uses
    > home-grown ASP session security. Works great!
    >
    > However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
    > function returns 0 (fails), and GetLastError() function also returns
    > 0, making it impossible to debug!
    >
    > More details available on request.
    >
    > Mike


    http://tinyurl.com/urqc
    http://tinyurl.com/urqp

    HTH,
    Bob Barrows

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows, Nov 12, 2003
    #2

  3. Mike

    Mike Guest

    On Wed, 12 Nov 2003 17:36:45 -0500, "Bob Barrows"
    <> wrote:

    >Mike wrote:
    >> Any help would be greatly appreciated.
    >>
    >> Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
    >> Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
    >> SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
    >> /IIS4.0, expressly to retrieve Office documents contained on the
    >> server's DASD, but outside the "view" of the web site, which uses
    >> home-grown ASP session security. Works great!
    >>
    >> However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
    >> function returns 0 (fails), and GetLastError() function also returns
    >> 0, making it impossible to debug!
    >>
    >> More details available on request.
    >>
    >> Mike

    >
    >http://tinyurl.com/urqc
    >http://tinyurl.com/urqp
    >
    >HTH,
    >Bob Barrows


    Bob, thanks for the input. I looked at both threads and granted TCB
    authority (eventually) to the "Everyone" group, and I'm still getting
    a failure from LogonUser(), and still getting a return of 0 from
    GetLastError. Any other resources to which you might point me?

    TIA

    Mike
     
    Mike, Nov 12, 2003
    #3
  4. Mike

    Ray at Guest

    In addition to Bob's links, also see http://www.aspfaq.com/5003.

    (Sorry Bob!)

    Ray at home

    "Mike" <> wrote in message
    news:...
    > Any help would be greatly appreciated.
    >
    > Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
    > Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
    > SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
    > /IIS4.0, expressly to retrieve Office documents contained on the
    > server's DASD, but outside the "view" of the web site, which uses
    > home-grown ASP session security. Works great!
    >
    > However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
    > function returns 0 (fails), and GetLastError() function also returns
    > 0, making it impossible to debug!
    >
    > More details available on request.
    >
    > Mike
     
    Ray at, Nov 12, 2003
    #4
  5. Mike

    Mick Guest

    On Wed, 12 Nov 2003 18:16:44 -0500, "Ray at <%=sLocation%>"
    <myfirstname at lane 34 . komm> wrote:

    >In addition to Bob's links, also see http://www.aspfaq.com/5003.
    >
    >(Sorry Bob!)
    >
    >Ray at home
    >
    >"Mike" <> wrote in message
    >news:...
    >> Any help would be greatly appreciated.
    >>
    >> Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
    >> Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
    >> SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
    >> /IIS4.0, expressly to retrieve Office documents contained on the
    >> server's DASD, but outside the "view" of the web site, which uses
    >> home-grown ASP session security. Works great!
    >>
    >> However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
    >> function returns 0 (fails), and GetLastError() function also returns
    >> 0, making it impossible to debug!
    >>
    >> More details available on request.
    >>
    >> Mike

    >


    Should we get into a discussion about top-posting, too? Thanks for
    your invaluable help.
     
    Mick, Nov 12, 2003
    #5
  6. Mike

    Ray at Guest

    It is to help. By tip-toeing through the Internet and playing by all the
    silly rules, you increase your chances of receiving help. The only reason I
    inform you of the multi-posting is so that you are more likely to get future
    help.

    Ray at home

    "Mick" <> wrote in message
    news:...

    > >

    >
    > Should we get into a discussion about top-posting, too? Thanks for
    > your invaluable help.
     
    Ray at, Nov 13, 2003
    #6
  7. Mike

    Mike Guest

    Problem Resolved.

    To be /helpful/, I'm posting the extra couple of yards that were
    necessary to resolve this issue, in case anyone else trudges down this
    path, only to be frustrated by the same issues as I was (missing
    information, trolls, etc.).

    First, Bob's links to what were essentially threads from last March
    from the microsoft.public.platformsdk.security NG (retention from
    Google is far superior to MS's news server, so don't expect to find it
    there), were a great starting point.

    Bob's "tiny URL" links appear to have expired, so here are the full
    URL's, with the obligatory warning to copy & paste the whole mess into
    the browser's address window:

    http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=eezxGrkvCHA.2380@TK2MSFTNGP12
    http://groups.google.com/groups?hl=...&oe=UTF-8&q=win2k+LogonUser+fails&sa=N&tab=wg

    Anyway, Yu Chen's explanation (in the second thread) did not go the
    extra step of discussing which credentials needed to have the
    SE_TCB_NAME privileges assigned, in a scenario where an object was
    created using "classic" ASP under IIS 5.0 (Win2K Server,
    specifically).

    After some hours of assigning the privilege to various user ID's,
    including IUSR_{machine_name} & the "Everyone" group (calm down, this
    is a test server inside of a firewall), I was still not having any
    success getting my object to successfully logon & impersonate. My
    personal news server (UsenetServer.com) has fairly good retention in
    the text groups, so I went back to
    microsoft.public.platformsdk.security and read some additional threads
    on the topic. One suggested reviewing the security event logs to find
    the failed logons, which I did. Bingo, I found that IIS was creating
    the process under the IWAM_{machine_name} ID. I applied the TCB
    privileges per Yu Chen's instructions (using gpedit.msc) and it's now
    working fine.

    A couple of issues remain to be researched. One, an annoyance really,
    was that the machine had to be rebooted to effect the logoff and logon
    required to assert the new privilege to the ID. Since I tried a number
    of ID's before finding the right one, there were several reboots
    required. A discussion with my corporate network group did not reveal
    any other way to handle it. The other issue, again after conferring
    with the network group, assignment of those privileges to that ID had
    them concerned, as it gives admin authority to an anonymous ID. Anyone
    have any thoughts or real information on this?

    TIA
    Mike

    On Wed, 12 Nov 2003 17:26:06 -0500, Mike
    <> wrote:

    >Any help would be greatly appreciated.
    >
    >Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
    >Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
    >SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
    >/IIS4.0, expressly to retrieve Office documents contained on the
    >server's DASD, but outside the "view" of the web site, which uses
    >home-grown ASP session security. Works great!
    >
    >However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
    >function returns 0 (fails), and GetLastError() function also returns
    >0, making it impossible to debug!
    >
    >More details available on request.
    >
    >Mike
     
    Mike, Nov 13, 2003
    #7
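
Added example (not part of the original thread): a way to audit which accounts currently hold SeTcbPrivilege, the concern raised at the end of post #7, by parsing the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` style export. The sample export, the machine name `WEB01` and the function names are constructed for illustration.

```python
import re

# Constructed sample in the INF layout of a user-rights export.
# SIDs carry a leading '*'; names that were not resolved to SIDs appear bare.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeTcbPrivilege = *S-1-5-18,IWAM_WEB01,*S-1-1-0
SeBatchLogonRight = IUSR_WEB01,IWAM_WEB01
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs of groups far too broad to hold "Act as part of the operating system".
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "Users"}
IIS_ACCOUNT = re.compile(r"^(IUSR|IWAM)_", re.IGNORECASE)

def privilege_holders(export_text, privilege="SeTcbPrivilege"):
    """Return the principals listed for one privilege in [Privilege Rights]."""
    holders, section = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            holders += [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
    return holders

def risky_holders(holders):
    """Flag broad groups and IIS IUSR_/IWAM_ accounts among the holders."""
    findings = []
    for h in holders:
        if h in BROAD_SIDS:
            findings.append((h, "broad group: " + BROAD_SIDS[h]))
        elif IIS_ACCOUNT.match(h.split("\\")[-1]):
            findings.append((h, "IIS IUSR_/IWAM_ account"))
    return findings

if __name__ == "__main__":
    for holder, reason in risky_holders(privilege_holders(SAMPLE_EXPORT)):
        print(f"SeTcbPrivilege held by {holder}: {reason}")
```

Run against a real export, any holder other than LocalSystem (S-1-5-18) is worth reviewing, including leftover grants from trial-and-error assignments like the ones described in the post.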