LogonUser() Works Under NT4.0, Fails Under Win2K

Mike

Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike
 
Bob Barrows

Mike said:
Any help would be greatly appreciated.

Based on MS KB article Q248187 (HOWTO: Impersonate a User from Active
Server Pages), I developed an ActiveX DLL (using VB6.0 Enterprise
SP5), and deployed to a corporate web site under NT Server 4.0 SP6a
/IIS4.0, expressly to retrieve Office documents contained on the
server's DASD, but outside the "view" of the web site, which uses
home-grown ASP session security. Works great!

However, migrating to Windows 2000 Server SP4/IIS5.1, the LogonUser()
function returns 0 (fails), and GetLastError() function also returns
0, making it impossible to debug!

More details available on request.

Mike

http://tinyurl.com/urqc
http://tinyurl.com/urqp

HTH,
Bob Barrows
 
Ray at

It is to help. By tip-toeing through the Internet and playing by all the
silly rules, you increase your chances of receiving help. The only reason I
inform you of the multi-posting is so that you are more likely to get future
help.

Ray at home
 
Mike

Problem Resolved.

To be /helpful/, I'm posting the extra couple of yards that were
necessary to resolve this issue, in case anyone else trudges down this
path, only to be frustrated by the same issues as I was (missing
information, trolls, etc.).

First, Bob's links to what were essentially threads from last March
from the microsoft.public.platformsdk.security NG (retention from
Google is far superior to MS's news server, so don't expect to find it
there), were a great starting point.

Bob's "tiny URL" links appear to have expired, so here are the full
URLs, with the obligatory warning to copy & paste the whole mess into
the browser's address window:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=eezxGrkvCHA.2380@TK2MSFTNGP12
http://groups.google.com/groups?hl=...&oe=UTF-8&q=win2k+LogonUser+fails&sa=N&tab=wg

Anyway, Yu Chen's explanation (in the second thread) did not go the
extra step of discussing which credentials needed to have the
SE_TCB_NAME privileges assigned, in a scenario where an object was
created using "classic" ASP under IIS 5.0 (Win2K Server,
specifically).

After some hours of assigning the privilege to various user IDs,
including IUSR_{machine_name} & the "Everyone" group (calm down, this
is a test server inside of a firewall), I was still not having any
success getting my object to successfully logon & impersonate. My
personal news server (UsenetServer.com) has fairly good retention in
the text groups, so I went back to
microsoft.public.platformsdk.security and read some additional threads
on the topic. One suggested reviewing the security event logs to find
the failed logons, which I did. Bingo, I found that IIS was creating
the process under the IWAM_{machine_name} ID. I applied the TCP
privileges per Yu Chen's instructions (using gpedit.msc) and it's now
working fine.

A couple of issues remain to be researched. One, an annoyance really,
was that the machine had to be rebooted to effect the logoff and logon
required to assert the new privilege to the ID. Since I tried a number
of IDs before finding the right one, there were several reboots
required. A discussion with my corporate network group did not reveal
any other way to handle it. The other issue, again after conferring
with the network group, assignment of those privileges to that ID had
them concerned, as it gives admin authority to an anonymous ID. Anyone
have any thoughts or real information on this?

TIA
Mike
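
The diagnosis described in the post above, as an added VB6 example that is not part of the original thread or the poster's DLL: it reads the Win32 error through Err.LastDllError, where VB6 preserves the last error of a Declare'd call, rather than calling GetLastError afterwards, whose value the VB runtime may already have reset. The helper name TryLogon and its message strings are hypothetical; the error constants and API declaration are the standard Win32 ones.

```vb
' Added example (VB6 standard module); not the original poster's code.
Option Explicit

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" _
    (ByVal lpszUsername As String, ByVal lpszDomain As String, _
     ByVal lpszPassword As String, ByVal dwLogonType As Long, _
     ByVal dwLogonProvider As Long, phToken As Long) As Long

Private Const LOGON32_LOGON_INTERACTIVE As Long = 2
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0
Private Const ERROR_PRIVILEGE_NOT_HELD As Long = 1314
Private Const ERROR_LOGON_FAILURE As Long = 1326

' Hypothetical helper: returns "" on success (hToken is then valid and must be
' released by the caller with CloseHandle), otherwise a diagnostic string
' suitable for writing to the application's own log.
Public Function TryLogon(ByVal user As String, ByVal domain As String, _
                         ByVal pwd As String, ByRef hToken As Long) As String
    Dim ok As Long
    Dim apiErr As Long

    ok = LogonUser(user, domain, pwd, LOGON32_LOGON_INTERACTIVE, _
                   LOGON32_PROVIDER_DEFAULT, hToken)
    ' Read this immediately after the call, before any other statement
    ' that could itself call into a DLL.
    apiErr = Err.LastDllError

    If ok <> 0 Then Exit Function

    Select Case apiErr
        Case ERROR_PRIVILEGE_NOT_HELD
            ' On Windows 2000 the calling process needs SE_TCB_NAME.
            ' In the thread that process ran as IWAM_{machine_name}.
            TryLogon = "1314: the account the host process runs as lacks " & _
                       "SE_TCB_NAME (Act as part of the operating system)"
        Case ERROR_LOGON_FAILURE
            TryLogon = "1326: unknown user name or bad password for '" & _
                       user & "'"
        Case Else
            TryLogon = "LogonUser failed, Win32 error " & CStr(apiErr)
    End Select
End Function
```

A 1314 result points at the privilege assignment on the process account rather than at the credentials being passed in, which is the distinction the security event log gave the poster.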
 
