Impersonate via code using Domain account

  • Question

  • User-807923774 posted

    While trying to migrate a website from IIS 6 to IIS 7, I ran into some issues with security settings for the impersonation account.

    We are using a dll to create, modify and edit files on the web server using code generated impersonation.

    Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long

    The code runs fine using a local account but is unable to use a domain account.

    Is there new security that has been added to IIS 7 locking down the use of domain accounts?

    If there is new security, what settings are needed to make a domain account work?

    The web server is a member of the domain and is not stand-alone (or off-domain).

    Thanks in advance for any help.

    Monday, July 13, 2009 7:04 PM

Answers

  • User511787461 posted

    That error code is STATUS_INVALID_WORKSTATION, which probably means that you have some policies configured in your AD to only allow that account to log on to certain machines.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, July 20, 2009 10:03 AM
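
    The check the accepted answer points to, as an added diagnostic script that is not code from the thread or from the poster's DLL. It reproduces the LogonUser call the VB6 declare makes (batch logon, logon type 4, as in the posted 4625 event), translates the Win32 error LogonUser reports into the NTSTATUS values that appear in a 4625 event, reads the account's AD "Log On To" list (the userWorkstations attribute, which is what STATUS_INVALID_WORKSTATION is checked against) through ADSI, and finally looks at the machine's own User Rights Assignment export. The parameter names, the CORP domain in the usage line, and the temporary file name are assumptions for the example; the Win32 error numbers and NTSTATUS values are the documented ones.

    ```powershell
    # Added diagnostic script (not code from the thread). Run it on the IIS server,
    # from an elevated prompt, as a domain user who can read the account's attributes.
    param(
        [Parameter(Mandatory)] [string]       $Domain,          # NetBIOS domain name, e.g. CORP (assumed)
        [Parameter(Mandatory)] [string]       $SamAccountName,  # the impersonation account
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Same entry point the VB6 DLL uses, but the Unicode variant with SetLastError so
    # the Win32 error is readable after a failure.
    Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out System.IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(System.IntPtr handle);
    '@

    $LOGON32_LOGON_BATCH      = 4   # "Logon Type: 4" in the posted 4625 event
    $LOGON32_PROVIDER_DEFAULT = 0

    # Win32 errors LogonUser reports, with the NTSTATUS a 4625 event shows for each.
    $LogonErrors = @{
        1326 = 'ERROR_LOGON_FAILURE (0xC000006D): bad user name or password'
        1327 = 'ERROR_ACCOUNT_RESTRICTION (0xC000006E): read the Sub Status in the 4625 event'
        1328 = 'ERROR_INVALID_LOGON_HOURS (0xC000006F): outside the AD logon hours'
        1329 = 'ERROR_INVALID_WORKSTATION (0xC0000070): this computer is not in the AD "Log On To" list'
        1330 = 'ERROR_PASSWORD_EXPIRED (0xC0000071)'
        1331 = 'ERROR_ACCOUNT_DISABLED (0xC0000072)'
        1385 = 'ERROR_LOGON_TYPE_NOT_GRANTED (0xC000015B): account lacks "Log on as a batch job" on this machine'
    }

    function Test-BatchLogon {
        param([string]$Domain, [string]$User, [securestring]$Password)
        $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
        $token = [IntPtr]::Zero
        $ok = [Win32.Advapi32]::LogonUser($User, $Domain, $plain, $LOGON32_LOGON_BATCH,
                                          $LOGON32_PROVIDER_DEFAULT, [ref]$token)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($ok) { [void][Win32.Advapi32]::CloseHandle($token); return 'LogonUser succeeded' }
        $text = if ($LogonErrors.ContainsKey($err)) { $LogonErrors[$err] } else { "Win32 error $err" }
        return "LogonUser failed: $text"
    }

    function Get-WorkstationRestriction {
        param([string]$User)
        # ADSI search in the machine's own domain; no RSAT module required.
        $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$User))"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userWorkstations'))
        $entry = $searcher.FindOne()
        if (-not $entry) { return "account $User not found in AD" }
        # userWorkstations is a comma-separated list of NetBIOS computer names.
        $list = [string]($entry.Properties['userworkstations'] | Select-Object -First 1)
        if (-not $list) { return 'no "Log On To" restriction: all computers allowed' }
        $allowed = $list.Split(',') | ForEach-Object { $_.Trim().ToUpperInvariant() }
        if ($allowed -contains $env:COMPUTERNAME.ToUpperInvariant()) {
            return "restricted, and $env:COMPUTERNAME is in the list: $list"
        }
        return "restricted, and $env:COMPUTERNAME is NOT in the list: $list"
    }

    function Get-LocalRightGrants {
        param([string]$Domain, [string]$User)
        # Direct grants only: a right held through group membership is not resolved here.
        $sid = (New-Object System.Security.Principal.NTAccount("$Domain\$User")).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temporary file name (assumed)
        secedit /export /cfg $cfg | Out-Null
        $lines = Get-Content $cfg
        Remove-Item $cfg
        foreach ($right in 'SeBatchLogonPrivilege', 'SeDenyBatchLogonRight', 'SeImpersonatePrivilege') {
            $line   = $lines | Where-Object { $_ -like "$right *" }
            $direct = [bool]($line -and ($line -like "*$sid*"))
            "{0,-24} direct grant to {1}: {2}" -f $right, "$Domain\$User", $direct
        }
    }

    "Machine: $env:COMPUTERNAME   Account: $Domain\$SamAccountName"
    Test-BatchLogon -Domain $Domain -User $SamAccountName -Password $Password
    Get-WorkstationRestriction -User $SamAccountName
    Get-LocalRightGrants -Domain $Domain -User $SamAccountName
    ```

    Usage, with the assumed domain and account names: `.\Test-ImpersonationAccount.ps1 -Domain CORP -SamAccountName svc_web -Password (Read-Host -AsSecureString)`. If the second line of output says the web server is not in the "Log On To" list, the fix that keeps the restriction in place is to add that server's NetBIOS name to the list (Active Directory Users and Computers, Account tab, Log On To) rather than removing the restriction. Note that "Impersonate a client after authentication" is a right of the calling process (here the application pool identity, NETWORK SERVICE in the posted event), not of the account being logged on; LogonUser does not consult it, so granting it to the domain account does not address a 4625 with this sub-status.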

All replies

  • User511787461 posted

    Does the domain account have impersonate privilege?  Also, what exactly is failing?

    Wednesday, July 15, 2009 6:53 PM
  • User-807923774 posted

    The domain account is in the "Impersonate a client after authentication" and "Log on as a batch job" User Rights Assignments in Local Security Policy.

    The DLL calls the function LogonUserA in advapi32.dll and fails there.

    Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long

    Perhaps there are security settings missing for the account in the domain.

    Again, the configuration seems to work OK on Windows Server 2003 with IIS 6 but not on Windows Server 2008 with IIS 7.

    Security log:

    An account failed to log on.

    Subject:
        Security ID:                NETWORK SERVICE
        Account Name:               Removed
        Account Domain:             Removed
        Logon ID:                   0x3e4

    Logon Type:                     4

    Account For Which Logon Failed:
        Security ID:                NULL SID
        Account Name:               Removed
        Account Domain:             Removed

    Failure Information:
        Failure Reason:             User not allowed to logon at this computer.
        Status:                     0xc000006e
        Sub Status:                 0xc0000070

    Process Information:
        Caller Process ID:          0xc54
        Caller Process Name:        C:\Windows\System32\inetsrv\w3wp.exe

    Network Information:
        Workstation Name:           Removed
        Source Network Address:     -
        Source Port:                -

    Detailed Authentication Information:
        Logon Process:              Advapi
        Authentication Package:     Negotiate
        Transited Services:         -
        Package Name (NTLM only):   -
        Key Length:                 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.

    - Transited services indicate which intermediate services have participated in this logon request.

    - Package name indicates which sub-protocol was used among the NTLM protocols.

    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Friday, July 17, 2009 1:33 PM