Impersonate Identity

Jennifer

I was given the task of moving a website from one server to another.
The author of this is no longer with our company. The site was written
in C#, which I am not familiar with, but I can read it enough to get an
idea of what is supposed to be going on. But, in the webconfig file,
there is a line:

<identity impersonate="true" userName="DOMAIN\XXX" password="XXX"/>

Quite frankly, I have no idea what it is used for or why it is there.
After publishing the site to the new server, I got an error message for
that line:

Parser Error Message: Could not create Windows user token from the
credentials specified in the config file. Error from the operating
system 'A required privilege is not held by the client. '

I've looked at the old server to try to figure out what is different
from the new server, and I really don't know what I should be looking
for.

Could someone please take the time to explain what the purpose of
impersonating is? What needs to be set up on a server to make it work?

Thanks,
Jennifer
 
Chris Fulstow

Hi Jennifer,

This means that the entire application will run as the user DOMAIN\XXX,
regardless of the identity of the request. Maybe your new server is in
a different domain and the user doesn't exist, or perhaps it has a
different password?

HTH,

Chris
 
Jennifer

Thanks for replying. At least now I know what that line of code is
for. :) But... the server is on the same domain. The user exists in
Active Directory and the password is the same - this still works on the
old server. Is there some IIS setting (or other kind of setting) that
needs to be in place for this to work?

Thanks again,
Jennifer
 
Jennifer

Actually, I did try that. I didn't get the error message any more, but
none of the links worked after that. :)
 
Jeff Dillon

You can change the user context also, via the IIS Admin tool. Change the
Anonymous user to the domain user you need.

Jeff
 
Jennifer

There wasn't an error per se...I just got redirected to a new page,
with this message:

The page you are looking for cannot be displayed because the page
address is incorrect.

I've also granted the user the ability to create tokens and I also
added the user to the "Impersonate a client after authentication"
setting, and this did not work either. Neither one of these are set up
on the old server anyway.

I'm not really sure what else to try. I know there's got to be
something set up on the old server that is not on the new server, but
darned if I know what it is.
 
Jennifer

Well...under the Default WebSite Properties on the Authentication
Methods tab, anonymous access is unchecked on the old server. If it
was checked, then the button to edit the anonymous user would be
enabled. I don't think that anonymous use should be enabled anyway -
it's a web site for the local intranet - no one other than a few
employees here will be accessing it. Any other ideas? (And thank you
for the suggestions so far, even if they didn't pan out!)

Jennifer
 
Jeff Dillon

What is the URL that it is TRYING to access? Perhaps the server name was
hard-coded in the redirecting URL? Bad bad

You have 2 separate issues going on. The "page address is incorrect" most
likely doesn't have anything to do with the web.config issue.

Jeff
 
Jennifer

No, nothing is hard-coded. The page names are saved in a database.
How the site works is this - the default page has a navigation bar.
The page names are loaded into a combo box on the navigation bar when
the default page opens up. The URL is created on the fly by getting
the server name and combining it with the page name when the name is
selected from the combo box. I can tell you the URL, but it's on the
local intranet here, so you couldn't see it anyway.

With respect, while there may possibly be 2 different issues, it is the
one with impersonation that I'd want to fix. I think that with that
fixed, the problem with the page address being incorrect may go away.
I think it would be fix the first, then both are fixed. Of course, I
could tell everyone to just use the old server where it all works
anyway. :) But that probably won't fly.
 
Jeff Dillon

No, you didn't answer my question. WHAT is the URL that it is TRYING to go
to? Is it correct? Can you manually type that same address into your
browser?

Also, show the connection string that you are using to connect to your
database. It could be that since you don't have impersonation working, that
you can't connect to your database. In that case, you could have saved us
both some time by answering my question the first time.

And WHY do you want to fix impersonation? You said yourself you don't even
know why it's there?? The only reason I can see, is that it is the context
used to connect to the database. But then, you could just put a valid SQL
username and password in the connection string, and not use SQL/NT
Integrated Security.

So before replying, please answer these questions.

Jeff
 
bruce barker (sqlwork.com)

if you are on iis 6.0, remove the line, and set the identity in the app
pool. in order to impersonate, the asp.net account (or the app pool account),
must be given "act as part of os" permission. this permission is the one
that allows impersonation.

-- bruce (sqlwork.com)
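
Added example, not part of the thread or of the site's own code: a small Python audit for anyone inventorying a server before a migration like this one. It lists every `<identity>` element in a web.config and flags the fixed-account form with a cleartext password, as in the line quoted at the top of the thread. The sample config is constructed from the thread's placeholder values, the `reports` location is hypothetical, and the `registry:` check assumes the value format that Microsoft's aspnet_setreg.exe tool produces.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the line quoted in the thread (placeholder values).
SAMPLE = r"""<configuration>
  <system.web>
    <identity impersonate="true" userName="DOMAIN\XXX" password="XXX"/>
  </system.web>
  <location path="reports">
    <system.web>
      <identity impersonate="true"/>
    </system.web>
  </location>
</configuration>"""


def audit_identity(xml_text):
    """Return (scope, severity, message) for every enabled <identity> element."""
    root = ET.fromstring(xml_text)
    findings = []
    # <system.web> sits at the root and, optionally, inside <location path="..."> blocks.
    scopes = [("(site root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        for ident in node.findall("system.web/identity"):
            if ident.get("impersonate", "false").lower() != "true":
                continue
            user = ident.get("userName")
            secret = ident.get("password")
            if user is None:
                findings.append((scope, "info",
                                 "impersonates the authenticated caller"))
            elif user.startswith("registry:") and (secret or "").startswith("registry:"):
                # Assumed format: registry: values point at encrypted credentials.
                findings.append((scope, "low",
                                 "fixed identity, credentials stored in registry"))
            else:
                # Report the account name only; never echo the password.
                findings.append((scope, "high",
                                 f"fixed identity {user} with cleartext password in file"))
    return findings


if __name__ == "__main__":
    for scope, severity, message in audit_identity(SAMPLE):
        print(f"[{severity}] {scope}: {message}")
```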
 
Jennifer

Apologies for not answering correctly...

I'm not sure how to answer your URL question. And I only say that
because the address doesn't change in the address bar when picking from
the combo box list. Yes, the pages are there on the server in the
correct folder. And yes, on the old server, the navigation works
properly.

The connection to the database works fine. Otherwise the combo box
with the page URLs would not be filled.

The connection string is:
conn = new SqlConnection("user id=pgm;password=xxx;initial catalog=wbmain;data source=dbase01;connect timeout=30");

I want to fix the impersonation so the page will work! I only don't
know why it's there because I have never run across that before.
Unfortunately, the person who wrote it did not believe in commenting
his code.

Anyway, thank you for the time you have spent answering questions and
making suggestions. It is appreciated. Maybe I'm reading too much
into your last reply, but it seems quite snippy and I've had enough of
this whole mess for one. I'm going back to doing my real work for the
rest of the day.
 
Jeff Dillon

You mean you can't see the URL in the combo box? I guess I'm missing
something. What exactly IS in the combo box?

What is the first item in the combo box. Type it out exactly in your next
reply. Also, type it in, in your browser, the same way as it displays.

Unless you are saying that you see something like "Sales" in the combo box,
then the code-behind puts together the URL? What is the final URL in the
browser, when you are reading the error message? Never mind that it is on
the intranet. I can read a proper URL regardless.

Do you have access to the source code? Do you have, and do you know how to
use, Visual Studio? You can open up the page.aspx.vb code in Notepad. Then
look for something that looks like "selectedindexchanged". The code that it
is trying to execute will be in that function, most likely. Post it here

Jeff
 
Jeff Dillon

And I assume you tried a different username and password, like yours,
instead of the one in the web.config

Jeff
 
Jeff Dillon

Also, that user may have been in the admin group on the other machine! Add
him to the admin group in this machine, or use an existing admin user

Just got that idea off of Google!

Jeff
 
