Using LogonUser API in ASP.net with an account other than ASPNet account


nilapenn

I am trying to use the LogonUser API function from ASP.Net. This works
fine on my machine which is Windows XP but fails with error code 1314
on Windows 2000 Server. I searched the web and found out that the "Act as
part of operating system" permission is needed for using the LogonUser
API in Windows 2000. When I give this permission to the asp.net account
it works fine. Since giving "Act as part of operating system" is a
security issue I created a local account with least privileges, gave
the "Act as part of operating system" permission to this account
and impersonated my asp.net application with this account. But still it
gives the same error. Anyone has an idea on how to use LogonUser by
giving "Act as part of operating system" to an account other than
ASP.Net?


Regards
Sriram.V
 

Joe Kaplan (MVP - ADSI)

How did you do the impersonation of the other account? If you used the
<identity impersonate="true" username="xxx" password="xxxx" /> thing, then
ASPNET still needs "act as part of OS" to do that in the first place.

Honestly, the best answer is to switch to Windows Server 2003. If that
isn't an option though, you might also consider either moving the LogonUser
code to a COM+ component that runs under the other user's identity or
changing the worker process account to use the new account. However,
granting any account other than SYSTEM this privilege is a serious security
hole and one you want to think a lot about before doing. Why do you need
LogonUser to begin with?

Joe K.
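To make the failure mode in this thread concrete, here is an added example (not code from either poster) of the P/Invoke wrapper the original question implies: it calls LogonUser, maps the raw Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD) to a clear message, impersonates the returned token only for the duration of a callback, and closes the token afterwards. The class, method and delegate names are my own; the constants are the documented winbase.h values.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the thread: minimal LogonUser wrapper that makes
// the error-1314 case explicit and cleans up the token and impersonation.
public static class LogonHelper
{
    // Work to run while impersonating (e.g. opening the DSO connection).
    public delegate void LogonAction();

    // Logon types / providers from winbase.h.
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;
    public const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error returned when the caller lacks a required privilege; on
    // Windows 2000 LogonUser needs SeTcbPrivilege ("Act as part of the OS").
    public const int ERROR_PRIVILEGE_NOT_HELD = 1314;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Logs on as user@domain and runs 'action' under that identity.
    public static void RunAs(string user, string domain, string password, LogonAction action)
    {
        IntPtr token = IntPtr.Zero;

        // An interactive logon yields a token carrying network credentials,
        // which a remote Analysis Server connection needs; a network logon
        // (type 3) produces a token that cannot reach remote machines.
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_PRIVILEGE_NOT_HELD)
            {
                // This is the symptom from the question: the privilege is
                // required of the process calling LogonUser, so impersonating
                // another account via web.config does not satisfy it.
                throw new InvalidOperationException(
                    "LogonUser failed with error 1314: the worker process lacks " +
                    "'Act as part of the operating system'.");
            }
            throw new Win32Exception(err);
        }

        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            WindowsImpersonationContext ctx = identity.Impersonate();
            try
            {
                action();
            }
            finally
            {
                ctx.Undo();          // always revert, even if action throws
            }
        }
        finally
        {
            CloseHandle(token);      // never leak the logon token
        }
    }
}

// Usage (assumed names; the DSO call is whatever the application does today):
//   LogonHelper.RunAs("svc_olap", "CORP", password,
//       delegate { /* open DSO connection to the remote Analysis Server */ });
```

Two caveats follow from Joe's reply: the wrapper only changes how the error is reported, not whether it occurs, because the privilege check applies to the process making the call; and a thread-level impersonation set up this way does not automatically flow into out-of-process COM calls, which is one reason the COM+ component running under its own identity is the cleaner fix.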
 

nilapenn

Hi

Thanks for the reply. My requirement is to connect to Analysis Server on a
different remote machine through DSO from ASP.net code. For this I am
using the LogonUser API to log on to the server and then
connect to the Analysis Server.

Regards
Sriram.V
Joe said:
How did you do the impersonation of the other account? If you used the
<identity impersonate="true" username="xxx" password="xxxx" /> thing, then
ASPNET still needs "act as part of OS" to do that in the first place.

Honestly, the best answer is to switch to Windows Server 2003. If that
isn't an option though, you might also consider either moving the LogonUser
code to a COM+ component that runs under the other user's identity or
 

Joe Kaplan (MVP - ADSI)

Another thing you could do in your case is put the code that accesses
Analysis Services in a COM+ component and put that under a specific
identity. This will help avoid this problem for you. You could also run
your worker process as a domain account and disable impersonation.

HTH,

Joe K.