impersonation issue

I have a client and we are not able to get the app installed over at his location. A location where I am not at right now so I am trying to help them by email. I have this working on my app and they have run the necessary commands to set this up.

The only thing I can think of is that the user they are trying to impersonate does not have the right permissions. Do they need to impersonate an administrator account?



Error:
Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password. '


Source Error:
<identity impersonate="true"
userName="registry:HKLM\Software\AspNetIdentity,Name"
password="registry:HKLM\Software\AspNetIdentity,Password"/>

Urgent!! thanks
jrmcdonaAsked:
 
ryerrasCommented:
registry:HKLM\Software\AspNetIdentity,Name --> does this return a valid username?
0
 
jrmcdonaAuthor Commented:
How would I check that from the web.config?

thanks

0
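One way to run the check asked about above, as an added example that is not part of the original thread: it resolves each `registry:` reference in the `<identity>` element to a key and value, reports whether they exist, and lists who can read the key. Values written by aspnet_setreg are stored encrypted, so the script reports only existence, type and size and never prints the stored data; the function name and the inline sample are constructed for illustration.

```powershell
# Constructed sample input: paste the real <identity> element from web.config here.
$identityXml = @'
<identity impersonate="true"
  userName="registry:HKLM\Software\AspNetIdentity,Name"
  password="registry:HKLM\Software\AspNetIdentity,Password"/>
'@

# Hypothetical helper: checks one registry: reference without revealing its data.
function Test-IdentityRegistryRef {
    param([string]$AttrName, [string]$Reference)

    # Expected form: registry:HKLM\<subkey path>,<value name>
    if ($Reference -notmatch '^registry:HKLM\\(?<key>[^,]+),(?<value>.+)$') {
        return "${AttrName}: not a registry:HKLM reference (plain text or malformed)"
    }
    $keyPath   = "HKLM:\$($Matches['key'])"
    $valueName = $Matches['value']

    if (-not (Test-Path -LiteralPath $keyPath)) {
        return "${AttrName}: key $keyPath does not exist"
    }
    $key = Get-Item -LiteralPath $keyPath
    if ($key.GetValueNames() -notcontains $valueName) {
        # Show what is actually there so a wrong value name or subkey is obvious.
        $present = $key.GetValueNames() -join ', '
        $subkeys = $key.GetSubKeyNames() -join ', '
        return "${AttrName}: value '$valueName' missing (values: $present; subkeys: $subkeys)"
    }
    $kind = $key.GetValueKind($valueName)
    $data = $key.GetValue($valueName)
    $size = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
    "${AttrName}: found '$valueName' (type $kind, length $size)"
}

$identity = ([xml]$identityXml).identity
foreach ($attr in 'userName', 'password') {
    Test-IdentityRegistryRef -AttrName $attr -Reference $identity.GetAttribute($attr)
}

# The account the worker process runs as must appear here with read access.
$aclPath = 'HKLM:\Software\AspNetIdentity'
if (Test-Path -LiteralPath $aclPath) {
    (Get-Acl -LiteralPath $aclPath).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}
```

Run it from an elevated prompt on the web server itself, since both the key and its ACL are local to that machine.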

 
ihenryCommented:
Windows 2000 or 2003?
0
 
jrmcdonaAuthor Commented:
2003?
0
 
ihenryCommented:
What does the command file look like?
0
 
jrmcdonaAuthor Commented:
The command file?

we are setting the permissions with aspnet_reg.

I am not sure if that is what you mean?

0
 
ihenryCommented:
:o) Sorry, misunderstood. I thought yours was when executing the aspnet_reg.

A couple of things to check:
1. Have you assigned the custom account under the IIS_WPG local group?
2. Have you enabled the custom account's necessary rights in "User Rights Assignment" in the "Local Security Settings" console?
   and also denied some other policy?
3. Have you created an application pool for the custom account name and moved the web app from the default pool to that pool?
0
 
jrmcdonaAuthor Commented:
So, after I enter the commands using the aspnet_setreg, I then open up regedit and set the permissions to the folder with the username/password. The permissions I set for "HKLM\Software\AspNetIdentity" are Read permissions for IIS_WPG and the ASPNET accounts.
0
 
jrmcdonaAuthor Commented:
Sorry, I accidentally submitted. That is what I have done so far and that has not worked.

My aspnet_setreg commands are executing just fine for domain\username. Is there something else I need to do with IIS_WPG and/or ASPNET other than set the read permissions in the regedit32????

Thanks so much!
0
 
ihenryCommented:
IIS 6 has a Windows group called IIS_WPG. Your custom account needs to be a member of this group, or manually give the permissions of the IIS_WPG to the custom account.

And also you need to create a new application pool and run it under your new account context (Identity tab -> click Configurable -> enter the custom account user name and password; make sure the password is correct or IIS won't start). Then move the web app from the default pool to the newly created pool.

All mentioned here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx

and download IIS 6 resource guide here
http://www.microsoft.com/downloads/details.aspx?FamilyID=80a1b6e6-829e-49b7-8c02-333d9c148e69&displaylang=en
0
 
jrmcdonaAuthor Commented:
what is the custom account?
0
 
ihenryCommented:
The ASP.NET custom user account? You are impersonating the aspnet user to another new account, aren't you?
0
 
jrmcdonaAuthor Commented:
Yes, so the app pool needs to be running under the account I am impersonating, for instance the domain\username that I ran the command on?
0
 
ihenryCommented:
Yes, exactly.

Did you get the exception when first time running the web app or after it's accessing something?

When you tested it during development, you were using Win2000 or Win2003?
0
 
jrmcdonaAuthor Commented:
we were doing it locally on XP machines. this machine has 2003/IIS 6 and this IIS_WPG is not needed for XP

we get the exception on the customers test machine

0
 
ihenryCommented:
Sorry, don't really get it. You were using XP with virtual pc (or vmware) running on 2003?
0
 
ihenryCommented:
got it, xp is running with iis 5.1 and aspnet user.
0
 
ihenryCommented:
ok, you haven't answered my questions from previous post.
0
 
ihenryCommented:
2003 has stricter security settings. Even if you log in as administrator, an exe file does not always execute with full permission rights, especially when you're updating the HKLM registry. You might need to use the runas command when executing aspnet_setreg.exe.
0
 
jrmcdonaAuthor Commented:
Is the IIS_WPG account on the local server or use the domain account?
Thanks a lot
0
 
ihenryCommented:
IIS_WPG is local server group.
0
 
jrmcdonaAuthor Commented:
Well, I just noticed another thing. The user I am impersonating is not a domain user, could that be a problem???

I have done about everything else.
0
 
ihenryCommented:
How many web servers do they have? Does any database server reside on a different box?
0
 
jrmcdonaAuthor Commented:
right now we are demoing the app. just one webserver/sqlserver on the same machine...
0
 
ihenryCommented:
mm..should be a problem then..

One thing to test: make the custom user account a member of the local Administrators group. Let's see if they missed out any permission settings.
0
 
jrmcdonaAuthor Commented:
How annoying!!

I am getting this error now, which is a bit different than the first one.

Parser Error Message: Error reading the password from the registry.

Line 18:   <system.web>
Line 19:
Line 20:     <identity impersonate="true"
Line 21:     userName="registry:HKLM\Software\AspNetIdentity,Name"
Line 22:     password="registry:HKLM\Software\AspNetIdentity,Password"/>
 
0
 
ihenryCommented:
And what does the identity tag in the web.config look like?
0
 
jrmcdonaAuthor Commented:
It looks like the tag just above. I wonder if this is a SQL Server problem. Though the user has access to this as well.

0
 
jrmcdonaAuthor Commented:
I think I need to start clean here.

In the aspnet_setreg, do I want to use the credentials for the domain user or the custom user on the server?
0
 
jrmcdonaAuthor Commented:
OK, I got around this for now. Of course, after I got the site up, none of their .css extensions work and various other extensions.

If you know this one, I opened up another issue.
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21212148.html

Thanks for all the help!
0