R
Rob Roberts
I have developed an ASP.NET 2.0 application using localhost on my Windows XP
workstation, and it all works fine there. I tried to copy it to my test web
server, which is a domain controller running Windows 2000 Server SP4. I
can't get it to work on the server. For testing, I created a simple aspx
page with nothing on it except for a label. Even that simple page won't
work on the server. This error message appears in the browser when I try to
access the page:
Either a required impersonation level was not provided, or the provided
impersonation level is invalid. (Exception from HRESULT: 0x80070542)
Here is the entire stack trace:
COMException (0x80070542): Either a required impersonation level was not
provided, or the provided impersonation level is invalid. (Exception from
HRESULT: 0x80070542)]
[FileLoadException: Could not load file or assembly
'System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Either a
required impersonation level was not provided, or the provided impersonation
level is invalid. (Exception from HRESULT: 0x80070542)]
System.Web.Handlers.AssemblyResourceLoader..cctor() +0
[TypeInitializationException: The type initializer for
'System.Web.Handlers.AssemblyResourceLoader' threw an exception.]
System.Web.Handlers.AssemblyResourceLoader.IsValidWebResourceRequest(HttpContext
context) +0
System.Web.Security.FormsAuthenticationModule.OnEnter(Object source,
EventArgs eventArgs) +3396668
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+92
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +64
It appears that since this is a domain controller, the ASPUSER account is
not created when the .NET framework is installed, and ASP.NET instead runs
under the IWAM_MachineName account. After hours of searching, I found this
Microsoft article: http://support.microsoft.com/?id=824308, with title "BUG:
IWAM Account Is Not Granted the Impersonate Privilege for ASP.NET 1.1 on a
Windows 2000 Domain Controller with SP4". It refers to ASP.NET 1.1 and not
2.0, but it still seemed like I was on the right track. This article states
that the fix is to give the IWAM user the "Impersonate a client after
authentication" right. I tried this but it had no effect. I also tried
granting the IWAM user "Act as part of the operating system" and "Log on as
a service" rights. Even after that I still got the same error when trying
to access the aspx page.
I found this article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetht01.asp,
which tells how to configure ASP.NET to run under a different account. This
is done by adding a username and password to the <processModel> element in
machine.config. I set up a test user with administrative rights and edited
machine.config to cause ASP.NET to run under this administrator's account.
With this, I finally was able to successfully access my aspx page. But this
isn't an acceptable solution. I don't want to have an administrator's name
and password contained in machine.config in clear text.
It seems like there must be some way to get the IWAM_MachineName account to
work, but I haven't been able to figure it out. What do I need to do to get
ASP.NET 2.0 working right on a Windows 2000 domain controller?
Thanks in advance,
--Rob Roberts
workstation, and it all works fine there. I tried to copy it to my test web
server, which is a domain controller running Windows 2000 Server SP4. I
can't get it to work on the server. For testing, I created a simple aspx
page with nothing on it except for a label. Even that simple page won't
work on the server. This error message appears in the browser when I try to
access the page:
Either a required impersonation level was not provided, or the provided
impersonation level is invalid. (Exception from HRESULT: 0x80070542)
Here is the entire stack trace:
COMException (0x80070542): Either a required impersonation level was not
provided, or the provided impersonation level is invalid. (Exception from
HRESULT: 0x80070542)]
[FileLoadException: Could not load file or assembly
'System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Either a
required impersonation level was not provided, or the provided impersonation
level is invalid. (Exception from HRESULT: 0x80070542)]
System.Web.Handlers.AssemblyResourceLoader..cctor() +0
[TypeInitializationException: The type initializer for
'System.Web.Handlers.AssemblyResourceLoader' threw an exception.]
System.Web.Handlers.AssemblyResourceLoader.IsValidWebResourceRequest(HttpContext
context) +0
System.Web.Security.FormsAuthenticationModule.OnEnter(Object source,
EventArgs eventArgs) +3396668
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+92
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +64
It appears that since this is a domain controller, the ASPUSER account is
not created when the .NET framework is installed, and ASP.NET instead runs
under the IWAM_MachineName account. After hours of searching, I found this
Microsoft article: http://support.microsoft.com/?id=824308, with title "BUG:
IWAM Account Is Not Granted the Impersonate Privilege for ASP.NET 1.1 on a
Windows 2000 Domain Controller with SP4". It refers to ASP.NET 1.1 and not
2.0, but it still seemed like I was on the right track. This article states
that the fix is to give the IWAM user the "Impersonate a client after
authentication" right. I tried this but it had no effect. I also tried
granting the IWAM user "Act as part of the operating system" and "Log on as
a service" rights. Even after that I still got the same error when trying
to access the aspx page.
I found this article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetht01.asp,
which tells how to configure ASP.NET to run under a different account. This
is done by adding a username and password to the <processModel> element in
machine.config. I set up a test user with administrative rights and edited
machine.config to cause ASP.NET to run under this administrator's account.
With this, I finally was able to successfully access my aspx page. But this
isn't an acceptable solution. I don't want to have an administrator's name
and password contained in machine.config in clear text.
It seems like there must be some way to get the IWAM_MachineName account to
work, but I haven't been able to figure it out. What do I need to do to get
ASP.NET 2.0 working right on a Windows 2000 domain controller?
Thanks in advance,
--Rob Roberts