Problem running ASP.NET 2.0 on Win2K domain controller

Rob Roberts

I have developed an ASP.NET 2.0 application using localhost on my Windows XP
workstation, and it all works fine there. I tried to copy it to my test web
server, which is a domain controller running Windows 2000 Server SP4. I
can't get it to work on the server. For testing, I created a simple aspx
page with nothing on it except for a label. Even that simple page won't
even work on the server. This error message appears in the browser when I
try to access the page:

Either a required impersonation level was not provided, or the provided
impersonation level is invalid. (Exception from HRESULT: 0x80070542)

Here is the entire stack trace:

[COMException (0x80070542): Either a required impersonation level was not
provided, or the provided impersonation level is invalid. (Exception from
HRESULT: 0x80070542)]

[FileLoadException: Could not load file or assembly
'System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. Either a
required impersonation level was not provided, or the provided impersonation
level is invalid. (Exception from HRESULT: 0x80070542)]
System.Web.Handlers.AssemblyResourceLoader..cctor() +0

[TypeInitializationException: The type initializer for
'System.Web.Handlers.AssemblyResourceLoader' threw an exception.]
System.Web.Handlers.AssemblyResourceLoader.IsValidWebResourceRequest(HttpContext
context) +0
System.Web.Security.FormsAuthenticationModule.OnEnter(Object source,
EventArgs eventArgs) +3396668
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+92
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +64


It appears that since this is a domain controller, the ASPUSER account is
not created when the .NET framework is installed, and ASP.NET instead runs
under the IWAM_MachineName account. After hours of searching, I found this
Microsoft article: http://support.microsoft.com/?id=824308, with title "BUG:
IWAM Account Is Not Granted the Impersonate Privilege for ASP.NET 1.1 on a
Windows 2000 Domain Controller with SP4". It refers to ASP.NET 1.1 and not
2.0, but it still seemed like I was on the right track. This article states
that the fix is to give the IWAM user the "Impersonate a client after
authentication" right. I tried this but it had no effect. I also tried
granting the IWAM user "Act as part of the operating system" and "Log on as
a service" rights. Even after that I still got the same error when trying
to access the aspx page.

I found this article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetht01.asp,
which tells how to configure ASP.NET to run under a different account. This
is done by adding a username and password to the <processModel> element in
machine.config. I set up a test user with administrative rights and edited
machine.config to cause ASP.NET to run under this administrator's account.
With this, I finally was able to successfully access my aspx page. But this
isn't an acceptable solution. I don't want to have an administrator's name
and password contained in machine.config in clear text.

It seems like there must be some way to get the IWAM_MachineName account to
work, but I haven't been able to figure it out. What do I need to do to get
ASP.NET 2.0 working right on a Windows 2000 domain controller?

Thanks in advance,
--Rob Roberts
 
Luke Zhang [MSFT]

Hello,

This problem may be caused by the account used by ASP.NET ('aspnet' or
'network service') not having been added to a policy; you may open the Default
Domain Controllers policy, add system to the Impersonate a Client After
Authentication right, and reboot the box.

For more information on this issue:

821546 Overview of the "Impersonate a Client After Authentication" and the
http://support.microsoft.com/?id=821546

Hope this help,

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Rob Roberts

Luke,
This problem may be caused by the account used by ASP.NET ('aspnet' or
'network service') not having been added to a policy; you may open the Default
Domain Controllers policy, add system to the Impersonate a Client After
Authentication right, and reboot the box.

Thanks for the response, but as I mentioned in my initial post, I already
tried that and it didn't work.

The .NET 2.0 installation set ASP.NET up to run as the IWAM_MachineName
user. I gave this user the "Impersonate a client after authentication"
right, rebooted, and tried my test aspx page again. The same error still
occurred.

Are you saying that I need to give the SYSTEM account the "Impersonate a
client after authentication" right? That doesn't make much sense to me, but
I tried it anyway and it also had no effect. (I still get the same error
when trying to access an aspx page on the server.)

Any other ideas?

Thanks,
--Rob Roberts
 
Henning Krause [MVP]

Hello,

did you grant the "impersonate as a client" in the Domain Policy or in the
Domain Controller Policy? (The last one is the correct one).

Greetings,
Henning Krause
 
Rob Roberts

Henning,
did you grant the "impersonate as a client" in the Domain Policy or in the
Domain Controller Policy? (The last one is the correct one).

It was in the Domain Controller Policy, not the Domain Policy. Just to
double-check, I looked at the Domain Policy settings, and all of them are
"Not Defined". It was definitely in the Domain Controller Policy that I
granted the "Impersonate a client after authentication" right.

--Rob Roberts
 
Henning Krause [MVP]

Hello Rob,

you can check whether the user running the IIS process has the impersonation
privilege enabled using the Process Explorer from SysInternals.

Just double-click on the IIS process and head over to the security tab. The
SeImpersonate Privilege should be visible and enabled.

Greetings,
Henning Krause
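The thread turns on whether the right was granted in the correct policy and whether the account ASP.NET runs under actually holds it. As an added example (not code from anyone in this thread), the script below parses the INI-style file that `secedit /export /cfg <file>` writes on a machine, reads the `[Privilege Rights]` section, and reports whether a given account (by SID or DOMAIN\name) holds `SeImpersonatePrivilege`. The export text, the domain name `EXAMPLE` and the account `IWAM_DC01` are constructed sample values.

```python
# Constructed sample of a `secedit /export /cfg` file. Principals appear as
# SIDs prefixed with '*' or as DOMAIN\name; the domain and account names here
# are made up for illustration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeServiceLogonRight = *S-1-5-20,EXAMPLE\\IWAM_DC01
SeTcbPrivilege =
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(export_text):
    """Return {privilege_name: [principal, ...]} from [Privilege Rights]."""
    rights = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Section header: track whether we are inside [Privilege Rights]
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Strip the leading '*' that secedit puts in front of raw SIDs
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def holds_right(rights, privilege, principal):
    """Case-insensitive check; principal may be a SID or DOMAIN\\name."""
    return principal.lower() in (p.lower() for p in rights.get(privilege, []))


def missing_impersonate(rights, accounts):
    """Return the accounts that do NOT hold SeImpersonatePrivilege."""
    return [a for a in accounts if not holds_right(rights, "SeImpersonatePrivilege", a)]


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    print("Missing SeImpersonatePrivilege:",
          missing_impersonate(parsed, ["S-1-5-20", "EXAMPLE\\IWAM_DC01"]))
```

Run it against a real export taken on the DC after a reboot to see the effective assignment rather than what a single GPO says.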
 
Luke Zhang [MSFT]

I didn't mention the account "System"; I said another user, "network
service". Have you tried granting this user the policy?

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Rob Roberts

Luke,

Well, the .NET 2.0 installation set the IWAM_MachineName account as the user
that ASP.NET runs under, and I did grant that user the "Impersonate a client
after authentication" right, but it still didn't work. I finally got it to
work by changing it so that ASP.NET runs under the SYSTEM account.
Microsoft recommends against that, but this is just a development web server
that is only accessible from our intranet, not from the internet.
Fortunately the production web server is not a domain controller, so ASP.NET
runs under the ASPUSER account on that machine, and I had no problems at all
getting it working there.

--Rob Roberts
 
Luke Zhang [MSFT]

Thank you for the update, Rob. Normally, we don't recommend using a DC as a
web server, so it won't be a problem in your production environment as you
said.

Regards,

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Rob Roberts

Luke,

Luke Zhang said:
Thank you for the update, Rob. Normally, we don't recommend using a DC as a
web server, so it won't be a problem in your production environment as you
said.

In a Windows/Active Directory network with a Windows 2003 Server domain
controller, is it possible to have another Windows 2003 Server or a Windows
2000 Server that is just a member server and not another domain controller?

Every time I've installed Active Directory on a Windows 2003 Server or
Windows 2000 Server and then joined a domain that has a Windows 2003 Server
as a domain controller, it always wants to make the new server another
domain controller. How can I install Active Directory and join the domain
without having the new server become a domain controller?

Thank you,
--Rob Roberts
 
Luke Zhang [MSFT]

Hello,

I think the answer is Yes. A Win 2003 server can be a member and not a DC.
But I am not a professional on AD; you may post this question to an AD
related group, for example, microsoft.public.windows.activedirectory, where you
may get more help on this issue.

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
spot-777

you guys know what? i haven't even read the posts on this thread except
for the initial request... and i am a little tipsy, but f@#@$ all that.
just run your web server outside of active directory... after all, why
bother with all the BS when you don't need to have your web machine
inventoried for?!???
 
spot-777

you guys know what? i haven't even read the posts on this thread except
for the initial request... and i am a little tipsy, but f@#@$ all that.
just run your web server outside of active directory... after all, why
bother with all the BS when you don't need to have your web machine
inventoried for?!??? run under the old model??!!
 
Rob Roberts

spot-777 said:
you guys know what? i haven't even read the posts on this thread except
for the initial request... and i am a little tipsy, but f@#@$ all that.
just run your web server outside of active directory... after all, why
bother with all the BS when you don't need to have your web machine
inventoried for?!??? run under the old model??!!

Well, my web server needs to access my SQL server using Windows
authentication. Is there a way to do that without the web server being a
member of the domain? Or alternatively, is there a way to make the web
server a member of the domain without it having Active Directory installed?
(Obviously I'm not an Active Directory expert. :) )

--Rob Roberts
 
Henning Krause [MVP]

Hello,

the problem is not the domain, but the web server being a domain controller.

Just add the server to the domain like you would join any workstation to the
domain.

The server is only being promoted to a DC if you call DCPromo.

Greetings,
Henning Krause
 