Using LogonUser API in ASP.net with an account other than ASPNet account

Discussion in 'ASP .Net Security' started by nilapenn, Feb 11, 2005.

  1. nilapenn

    nilapenn Guest

    I am trying to use the LogonUser API function from ASP.NET. This works
    fine on my machine, which is Windows XP, but fails with error code 1314
    on Windows 2000 Server. I searched the web and found out that the "Act as
    part of operating system" permission is needed for using the LogonUser
    API on Windows 2000. When I give this permission to the ASP.NET account
    it works fine. Since giving "Act as part of operating system" is a
    security issue, I created a local account with least privileges, gave
    the "Act as part of operating system" permission to this account,
    and impersonated my ASP.NET application with this account. But it still
    gives the same error. Does anyone have an idea how to use LogonUser by
    giving "Act as part of operating system" to an account other than
    ASP.NET?


    Regards
    Sriram.V
     
    nilapenn, Feb 11, 2005
    #1

  2. How did you do the impersonation of the other account? If you used the
    <identity impersonate="true" userName="xxx" password="xxxx" /> thing, then
    ASPNET still needs "act as part of OS" to do that in the first place.

    Honestly, the best answer is to switch to Windows Server 2003. If that
    isn't an option though, you might also consider either moving the LogonUser
    code to a COM+ component that runs under the other user's identity or
    changing the worker process account to use the new account. However,
    granting any account other than SYSTEM this privilege is a serious security
    hole and one you want to think a lot about before doing. Why do you need
    LogonUser to begin with?

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Feb 11, 2005
    #2
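
A diagnostic for the failure discussed above, added here as an example and not code posted by either participant: it calls LogonUser through P/Invoke and, when the call fails with Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD), reports which identity the call actually ran under. The names `LogonProbe` and `TryLogon` are hypothetical, and the interactive logon type is an assumption.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: not from the thread. LogonProbe/TryLogon are hypothetical names.
public static class LogonProbe
{
    const int LOGON32_LOGON_INTERACTIVE = 2;   // winbase.h (logon type is an assumption)
    const int LOGON32_PROVIDER_DEFAULT = 0;    // winbase.h
    const int ERROR_PRIVILEGE_NOT_HELD = 1314; // winerror.h

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns null when the logon succeeds, otherwise a diagnostic message.
    public static string TryLogon(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                      LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token); // probe only: release the token immediately
            return null;
        }

        // Read the error before any other call can overwrite it.
        int err = Marshal.GetLastWin32Error();

        // The identity the thread is really running as at the moment of the
        // call; this is the account whose privileges were checked.
        string caller = WindowsIdentity.GetCurrent().Name;

        if (err == ERROR_PRIVILEGE_NOT_HELD)
            return "1314: '" + caller + "' does not hold a required privilege " +
                   "(on Windows 2000, \"Act as part of the operating system\").";

        // Any other failure, for example bad credentials: standard Win32 text.
        return err + ": " + new Win32Exception(err).Message + " (caller: " + caller + ")";
    }
}
```

Logging the returned message from the page that fails shows whether the call ran as the ASP.NET account or as the account that was granted the privilege.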

  3. nilapenn

    nilapenn Guest

    Hi

    Thanks for the reply. My requirement is to connect to an Analysis server on
    a different remote machine through DSO from ASP.NET code. For this I am
    using the LogonUser API to log on to the server and then
    connect to the Analysis server.

    Regards
    Sriram.V
     
    nilapenn, Feb 14, 2005
    #3
  4. Another thing you could do in your case is put the code that accesses
    Analysis Services in a COM+ component and put that under a specific
    identity. This will help avoid this problem for you. You could also run
    your worker process as a domain account and disable impersonation.

    HTH,

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Feb 14, 2005
    #4