S
Svein Terje Gaup
I have a website running on Windows 2000 Server, that should be able to
retrieve data from a datawarehouse on another machine running Windows 2000
Server, SQL Server 2000 and SQL Server 2000 Analysis Services. It seems
impossible to make the impersonation work. Every path I try seems to be
blocked.
Path number one: set <identity impersonate=false/> in web.config
OK. The Website is up, but it cannot access the datawarehouse because the
ASPNET user has no rights on the other machine.
Path number two: set <identity impersonate="true"/> in web.config
Now I cannot access anything at all, because I get the following error:
"Cryptographic service provider (CSP) could not be found for this
algorithm." Have tried to find out why I get this message, searching MSDN
and Google, but I can't find any answers.
Path number three: set <identity impersonate="true" userName="username"
password="xxx" /> in web.config
This gives the following error:
Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating system 'A
required privilege is not held by the client. '
I found an article
(http://support.microsoft.com/default.aspx?scid=kb;en-us;810204) on MSDN
stating that the ASPNET user needs to have the privilege to "Act as part of
the operating system" to be able to impersonate another user. Microsoft does
not recommend giving this privelege to the ASPNET user. "This is by design"
they say. So it's another path blocked.
I have also tried using <identity impersonate="true" userName="" password=""
/>
This should somehow force the use of the IUSR_machine account, I think I
read somewhere... But now this also gives the Cryptographic Service Provider
error mentioned earlier.
Found a post with some solutions, but som of them seem to compromise
security, while the last one seems a lot of effort:
1. assign ASPNET account used by asp.net with Administrator right
- I bet Microsoft does not recommend this!
2. run the aspnet_wp under the system account
- again compromising security
3. Change the userName attribute of the <processModel> tag in your
machine.config file to SYSTEM rather than its default which is MACHINE.
- well this has the same smell as number 1 and 2, but perhaps this is the
best one so far
4. Impersonate programatically which is demonstrated in this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
- a lot of effort
So what should I do?
Seems to me that I have to do something that is not recommended by Microsoft
to get their products to work.
Sincerely
Svein Terje Gaup
retrieve data from a datawarehouse on another machine running Windows 2000
Server, SQL Server 2000 and SQL Server 2000 Analysis Services. It seems
impossible to make the impersonation work. Every path I try seems to be
blocked.
Path number one: set <identity impersonate=false/> in web.config
OK. The Website is up, but it cannot access the datawarehouse because the
ASPNET user has no rights on the other machine.
Path number two: set <identity impersonate="true"/> in web.config
Now I cannot access anything at all, because I get the following error:
"Cryptographic service provider (CSP) could not be found for this
algorithm." Have tried to find out why I get this message, searching MSDN
and Google, but I can't find any answers.
Path number three: set <identity impersonate="true" userName="username"
password="xxx" /> in web.config
This gives the following error:
Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating system 'A
required privilege is not held by the client. '
I found an article
(http://support.microsoft.com/default.aspx?scid=kb;en-us;810204) on MSDN
stating that the ASPNET user needs to have the privilege to "Act as part of
the operating system" to be able to impersonate another user. Microsoft does
not recommend giving this privelege to the ASPNET user. "This is by design"
they say. So it's another path blocked.
I have also tried using <identity impersonate="true" userName="" password=""
/>
This should somehow force the use of the IUSR_machine account, I think I
read somewhere... But now this also gives the Cryptographic Service Provider
error mentioned earlier.
Found a post with some solutions, but som of them seem to compromise
security, while the last one seems a lot of effort:
1. assign ASPNET account used by asp.net with Administrator right
- I bet Microsoft does not recommend this!
2. run the aspnet_wp under the system account
- again compromising security
3. Change the userName attribute of the <processModel> tag in your
machine.config file to SYSTEM rather than its default which is MACHINE.
- well this has the same smell as number 1 and 2, but perhaps this is the
best one so far
4. Impersonate programatically which is demonstrated in this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q306158
- a lot of effort
So what should I do?
Seems to me that I have to do something that is not recommended by Microsoft
to get their products to work.
Sincerely
Svein Terje Gaup