How to allow authenticated user to impersonate

[Hernan de Lahitte]

If you are running under W2000, you must add the "Act as part of the
operating system" privilege to the account that will try to impersonate. On
XP or W2003 this is not necessary.

--
Hernan de Lahitte
Lagash Systems S.A.
[url]http://weblogs.asp.net/hernandl[/url]


This posting is provided "AS IS" with no warranties, and confers no rights.

"Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
news:5BDE7623-986B-483D-873D-7F866A736021@microsoft.com...

> Hey all, I have a web application that I have secured by making use of

this:

> [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290[/url]
>
> Basically, this allows me to create an account (call it "account A") on

the

> machine that has restricted privileges. This is the account ("account A")
> that the web application will always impersonate.
>
> However, I have created a few other accounts on the machine that I intend
> others to use to authenticate themselves. However, when I get those users

to

> use their respective accounts to authenticate themselves they don't seem

to

> be able to get the privileges of the of the "account A" unless I add them

to

> the "Administrators" group.
>
> Can anyone tell me what privileges I need to add to their user accounts so
> that they can access the web application such that it will perform the
> impersonation for them after which the web application will use the
> privileges of "account A".
>
> Thanks,
> Novice

[Novice]

I'm using Windows 2003 - do I need to add file access to any directories for
these users? Like do I need to give these users access to that ASP.NET
temporary directory? Do the users need full control of the directory that
the web application is contained in?

Thanks,
Novice

"Hernan de Lahitte" wrote:

> If you are running under W2000, you must add the "Act as part of the
> operating system" privilege to the account that will try to impersonate. On
> XP or W2003 this is not necessary.
>
> --
> Hernan de Lahitte
> Lagash Systems S.A.
> [url]http://weblogs.asp.net/hernandl[/url]
>
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
> news:5BDE7623-986B-483D-873D-7F866A736021@microsoft.com...

> > Hey all, I have a web application that I have secured by making use of

> this:

> > [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290[/url]
> >
> > Basically, this allows me to create an account (call it "account A") on

> the

> > machine that has restricted privileges. This is the account ("account A")
> > that the web application will always impersonate.
> >
> > However, I have created a few other accounts on the machine that I intend
> > others to use to authenticate themselves. However, when I get those users

> to

> > use their respective accounts to authenticate themselves they don't seem

> to

> > be able to get the privileges of the of the "account A" unless I add them

> to

> > the "Administrators" group.
> >
> > Can anyone tell me what privileges I need to add to their user accounts so
> > that they can access the web application such that it will perform the
> > impersonation for them after which the web application will use the
> > privileges of "account A".
> >
> > Thanks,
> > Novice

>
>
>

[Hernan de Lahitte]

If you want to replace the ASPNET account with your own account, you should
follow this guideline:

How To: Create a Custom Account to Run ASP.NET
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT01.asp?frame=true[/url]

For those accounts that will impersonate over your worker process account
(ex ASPNET), you only need to update the ACL of the resources that these
accounts will access (i.e. read access to the folders where it lives your
web application).

--
Hernan de Lahitte
Lagash Systems S.A.
[url]http://weblogs.asp.net/hernandl[/url]


This posting is provided "AS IS" with no warranties, and confers no rights.

"Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
news:A97274C2-0E00-42D4-8107-F78B55B99102@microsoft.com...

> I'm using Windows 2003 - do I need to add file access to any directories

for

> these users? Like do I need to give these users access to that ASP.NET
> temporary directory? Do the users need full control of the directory that
> the web application is contained in?
>
> Thanks,
> Novice
>
> "Hernan de Lahitte" wrote:
>

> > If you are running under W2000, you must add the "Act as part of the
> > operating system" privilege to the account that will try to impersonate.

On

> > XP or W2003 this is not necessary.
> >
> > --
> > Hernan de Lahitte
> > Lagash Systems S.A.
> > [url]http://weblogs.asp.net/hernandl[/url]
> >
> >
> > This posting is provided "AS IS" with no warranties, and confers no

rights.

> >
> > "Novice" <6tc1ATqlinkDOTqueensuDOTca> wrote in message
> > news:5BDE7623-986B-483D-873D-7F866A736021@microsoft.com...

> > > Hey all, I have a web application that I have secured by making use of

> > this:

> > > [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329290[/url]
> > >
> > > Basically, this allows me to create an account (call it "account A")

on

> > the

> > > machine that has restricted privileges. This is the account ("account

A")

> > > that the web application will always impersonate.
> > >
> > > However, I have created a few other accounts on the machine that I

intend

> > > others to use to authenticate themselves. However, when I get those

users

> > to

> > > use their respective accounts to authenticate themselves they don't

seem

> > to

> > > be able to get the privileges of the of the "account A" unless I add

them

> > to

> > > the "Administrators" group.
> > >
> > > Can anyone tell me what privileges I need to add to their user

accounts so

> > > that they can access the web application such that it will perform the
> > > impersonation for them after which the web application will use the
> > > privileges of "account A".
> > >
> > > Thanks,
> > > Novice

> >
> >
> >