
ASPNET and CreateProcessWithLogonW - ASP.NET General


  1. #1

    ASPNET and CreateProcessWithLogonW

    I have an ASPNET app that is running as the ASPNET machine user. It
    makes a call to the API CreateProcessWithLogonW. On Windows XP it
    executes without a problem, but on Windows 2000, I get an "Access is
    Denied" exception. I tried adding the ASPNET account to all the items
    in the "User Rights Assignment" list but to no avail. The only thing
    that worked was adding the ASPNET account to the local admin group; then
    it executed perfectly. Obviously, we don't want to be running with the
    ASPNET account having Admin rights on the box, so does anyone know what
    permissions must be given to the ASPNET account to be able to
    successfully call CreateProcessWithLogonW on Win2k?
    thanks!

    Matthew Guest

  2. #2

    RE: ASPNET and CreateProcessWithLogonW

    Hi Matthew,

    On Windows 2000, to call the CreateProcessWithLogonW API, the caller should
    have the "Act as a part of the operating system" privilege. We can assign
    this privilege to the ASPNET account via the control panel->Administrative
    Tools->Local Security Policy.

    On Windows XP, this privilege has been assigned to the ASPNET account by
    default while ASP.NET was installed.

    Please try it on your side and tell me the result.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    <MCSD>
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.

    Jacob Guest

  3. #3

    Re: ASPNET and CreateProcessWithLogonW

    Thanks for the reply.
    I actually already tried the act as part of the OS privilege, but I just
    tried it again anyway, rebooted and still get "Access is Denied." You
    are able to call CreateProcessWithLogonW on a 2000 machine from ASPNET
    user with giving only that privilege?
    thanks.

    Matthew Guest

  4. #4

    Re: ASPNET and CreateProcessWithLogonW

    Hi Matthew,

    Have you installed Windows 2000 SP4? This issue may occur when you install
    Microsoft Visual Studio .NET after you install Windows 2000 Service Pack 4
    (SP4) on the computer. In this situation, the ASPNET account is not
    assigned the "Impersonate a client after authentication" user right in the
    "Local Security Policy" settings. The "Impersonate a client after
    authentication" user right (also named SeImpersonatePrivilege) is a new
    Windows 2000 security setting that was first included in Windows 2000 SP4.
    Please refer to the following Knowledge Base article for this issue:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;821255

    I have not written a testing sample for this issue. I am trying to provide
    the possible resolution based on my experience and research. Thank you for
    your understanding.

    I am standing by for your results.

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    <MCSD>
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.

    Jacob Guest

  5. #5

    Re: ASPNET and CreateProcessWithLogonW

    Hi - thanks again for the reply. We are using SP3 and I have added the
    ASPNET account to _ALL_ LSA policy rights (except for the ones that
    begin "Deny..."). There is some other piece missing here that only gets
    permissions when ASPNET is added to the Admin group, which is what I
    need to find.
    thanks,
    -Matthew

    Matthew Guest

  6. #6

    Re: ASPNET and CreateProcessWithLogonW

    So no one else has to waste a support incident with Microsoft on this,
    here is the solution:

    Issue is that in W2K, non-interactive users are denied the ability to
    call CreateProcessWithLogonW. To fix this manually, go to Control
    Panel->Administrative Tools->Local Security Settings->Local Policies->User
    Rights Assignment and make the following changes:
    1) Remove the ASPNET user from "Deny logon locally"
    2) Remove the ASPNET user from "Log on as a batch job"
    3) Remove the ASPNET user from "Log on as a service"
    4) Add the ASPNET user to "Log on locally"

    Additionally this will only work if impersonation is not used in the
    ASP.NET application.

    Matthew Guest
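
An added example, not part of the thread: a Python check that reads the `[Privilege Rights]` section of a `secedit /export` file and reports what still differs from the end state described in post #6, plus any other rights the account holds (post #5 mentions granting all of them while troubleshooting). The sample export is constructed, and the constants are the standard names behind the four policy entries.

```python
import configparser

# Constants behind the four "User Rights Assignment" entries in post #6.
# True means post #6's end state has ASPNET listed under that right.
EXPECTED = {
    "SeDenyInteractiveLogonRight": False,  # Deny logon locally
    "SeBatchLogonRight": False,            # Log on as a batch job
    "SeServiceLogonRight": False,          # Log on as a service
    "SeInteractiveLogonRight": True,       # Log on locally
}

# Constructed sample in the INF layout that "secedit /export" writes.
# A real export is normally UTF-16; decode it before passing it in.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,ASPNET
SeDenyInteractiveLogonRight = ASPNET
SeBatchLogonRight = ASPNET,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-20
SeTcbPrivilege = ASPNET
"""

def rights_held(inf_text, account="ASPNET"):
    """Return the set of user-right constants that list `account`."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return set()
    return {right for right, members in cp.items("Privilege Rights")
            if account.lower() in
            {m.strip().lstrip("*").lower() for m in members.split(",")}}

def deviations(inf_text, account="ASPNET"):
    """(right, action) pairs still needed to reach post #6's end state."""
    held = rights_held(inf_text, account)
    return [(r, "add" if want else "remove")
            for r, want in EXPECTED.items() if want != (r in held)]

def other_rights(inf_text, account="ASPNET"):
    """Rights held beyond the four above, worth reviewing after the fix."""
    return sorted(rights_held(inf_text, account) - set(EXPECTED))

if __name__ == "__main__":
    for right, action in deviations(SAMPLE_EXPORT):
        print(f"{action:6} ASPNET: {right}")
    print("review:", other_rights(SAMPLE_EXPORT))
```

Accounts in a real export often appear as `*SID` entries rather than names, so pass the account's SID string (without the `*`) when the name does not match.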
