A System.Security.SecurityException exception occurs when you try to impersonate a user from a secondary thread in an ASP.NET Web application (842790)
The information in this article applies to:
- Microsoft ASP.NET (included with the .NET Framework 1.1), when used with:
- the operating system: Microsoft Windows XP SP1
- the operating system: Microsoft Windows XP
- the operating system: Microsoft Windows 2000 SP3
- the operating system: Microsoft Windows 2000 SP2
- the operating system: Microsoft Windows 2000 SP1
- the operating system: Microsoft Windows 2000
- Microsoft ASP.NET (included with the .NET Framework) 1.0, when used with:
- the operating system: Microsoft Windows XP SP1
- the operating system: Microsoft Windows XP
- the operating system: Microsoft Windows 2000 SP3
- the operating system: Microsoft Windows 2000 SP2
- the operating system: Microsoft Windows 2000 SP1
- the operating system: Microsoft Windows 2000
SYMPTOMS
In a Microsoft ASP.NET Web application, when you try to impersonate a user from a secondary thread, a System.Security.SecurityException exception may occur. When the System.Security.SecurityException exception occurs, you receive the following error message:
An unhandled exception of type 'System.Security.SecurityException' occurred in Unknown Module. Additional information: Unable to impersonate user.
This behavior occurs if all the following conditions are true:
- You enable impersonation in the Web.config file of your application.
- In the <processModel> element of the Machine.config file, the value of the userName attribute is specified as Machine to run the ASP.NET worker process in the security context of the ASPNET local user account.
- You use Integrated Windows authentication for your application.
This behavior does not occur in Microsoft Windows Server 2003 or in Microsoft Windows 2000 Service Pack 4 (SP4).
CAUSE
If you enable impersonation in the Web.config file of your ASP.NET Web application, only the primary thread of the application impersonates the user who you have specified. The secondary thread and the other threads that you start in your application use the security context of the ASPNET local user account. However, only the impersonated user account can access the Thread object for the secondary thread. Because the ASPNET user account lacks the rights to access this Thread object, you cannot impersonate a user from the secondary thread.
WORKAROUND
To work around this problem, use one of the following methods:
- Call the RevertToSelf function before you start the secondary thread.
- Assign the Act as part of the operating system user right to the ASPNET user account.
- Change the value of the userName attribute of the <processModel> element in the Machine.config file.
Call the RevertToSelf function before you start the secondary thread
- Declare a reference to the RevertToSelf function in the Advapi32.dll DLL. To do this, locate the following code:
    public class <WebFormName> : System.Web.UI.Page
    {
  Note <WebFormName> is a placeholder for the name of your Web form.
- Add the following code after the code that you just located:
    [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    public static extern bool RevertToSelf();
  Note The DllImport attribute is defined in the System.Runtime.InteropServices namespace, so the code-behind file must contain a using System.Runtime.InteropServices; directive.
- Locate the following code:
    <ThreadObject>.Start()
  Note <ThreadObject> is a placeholder for the name of the secondary thread.
- Add the following code before the code that you just located:
    RevertToSelf();
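The following code-behind page is an added example that is not part of this article; it applies the steps above end to end. The class name WorkerPage, the ImpersonatingWorker helper, the 30-second join and the Web.config and Machine.config settings in the comments are assumptions for the example. It captures the impersonated caller's WindowsIdentity on the request thread, reverts to the process identity before Thread.Start, impersonates the caller again inside the secondary thread (with the exception the article describes handled and the impersonation undone in finally), and, as an addition the article does not describe, re-impersonates on the request thread after Start so the rest of the page still runs as the caller. Of the three workarounds, this one is the only one that does not raise the rights of the worker-process account: granting Act as part of the operating system (SeTcbPrivilege) or running the worker process as System lets any code that runs in that process, including code that exploits a bug in the application, act with far more than the ASPNET account's rights.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using System.Threading;
using System.Web.UI;

// Assumed configuration, matching the conditions in SYMPTOMS (not shown in the article):
//   Web.config:     <identity impersonate="true" /> and <authentication mode="Windows" />
//   Machine.config: <processModel userName="Machine" ... />  (worker process runs as ASPNET)
public class WorkerPage : Page   // "WorkerPage" is a placeholder for your Web form class
{
    // Declaration from the article. RevertToSelf drops the impersonation token
    // from the calling thread, so a thread started afterwards is created under
    // the process identity (ASPNET) rather than under the caller's token.
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool RevertToSelf();

    // State shared with the secondary thread. The C# 1.x compiler shipped with
    // .NET 1.0/1.1 has no anonymous methods, so a small class carries it.
    private class ImpersonatingWorker
    {
        private readonly WindowsIdentity identity;
        public string Result = "(worker did not run)";
        public bool Succeeded;

        public ImpersonatingWorker(WindowsIdentity identity)
        {
            this.identity = identity;
        }

        // Entry point of the secondary thread.
        public void Run()
        {
            WindowsImpersonationContext ctx = null;
            try
            {
                // This is the call that fails with "Unable to impersonate user"
                // when the thread was started while the request thread was still
                // impersonating under the conditions listed in SYMPTOMS.
                ctx = identity.Impersonate();
                Result = "worker ran as " + WindowsIdentity.GetCurrent().Name;
                Succeeded = true;
            }
            catch (SecurityException ex)
            {
                Result = "impersonation failed: " + ex.Message;
            }
            finally
            {
                // Never let the thread exit (or return to a pool) still impersonating.
                if (ctx != null) ctx.Undo();
            }
        }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Under <identity impersonate="true"/> with Windows authentication the
        // request thread already runs as the caller; hand that identity to the worker.
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null)
        {
            Response.Write("request is not running under a WindowsIdentity");
            return;
        }

        ImpersonatingWorker work = new ImpersonatingWorker(caller);
        Thread worker = new Thread(new ThreadStart(work.Run));

        // The article's workaround: revert to the process identity before Start(),
        // so the new Thread object is not created under a token that ASPNET cannot access.
        if (!RevertToSelf())
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        worker.Start();

        // Not part of the article: re-impersonate on the request thread so the
        // rest of the page still runs as the caller rather than as ASPNET.
        WindowsImpersonationContext restore = caller.Impersonate();
        try
        {
            // Wait for the worker while the request, and therefore the caller's
            // token that ASP.NET closes when the request ends, is still alive.
            if (worker.Join(TimeSpan.FromSeconds(30)))
            {
                Response.Write(work.Result);
            }
            else
            {
                Response.Write("worker did not finish in time");
            }
        }
        finally
        {
            restore.Undo();
        }
    }
}
```

The join keeps the example self-contained: a worker that outlives the request would be holding an identity whose token ASP.NET disposes at the end of the request, so a long-running background job should obtain its own identity rather than borrow the request's.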
Grant the Act as part of the operating system user right to the ASPNET user account
- Open the Local Security Policy snap-in.
- In the left pane of the Local Security Policy snap-in, expand Local Policies, and then click User Rights Assignment.
- Add the ASPNET user account.
If you are using Microsoft Windows XP, follow these steps:
- In the right pane of the Local Security Settings snap-in, locate the Policy field, and then double-click Act as part of the operating system. The Act as part of the operating system Properties dialog box appears.
- Click Add User or Group. The Select Users or Groups dialog box appears.
- In the Enter the object names to select box, type ASPNET, and then click OK.
- Click OK, and then close the Local Security Settings snap-in.
If you are using Microsoft Windows 2000, follow these steps:
- In the right pane of the Local Security Settings snap-in, locate the Policy field, and then double-click Act as part of the operating system. The Local Security Policy Setting dialog box appears.
- Click Add. The Select Users or Groups dialog box appears.
- In the Name field, click ASPNET.
- Click Add, and then click OK.
- Click OK, and then close the Local Security Settings snap-in.
Change the value of the userName attribute of the <processModel> element in the Machine.config file
- Use a text editor such as Notepad to open the Machine.config file. The Machine.config file is located in the %WINDIR%\Microsoft.NET\Framework\v1.1.4322\Config folder or in the %WINDIR%\Microsoft.NET\Framework\v1.1.3705\Config folder, depending upon the version of the Microsoft .NET Framework that you are using.
- Locate the following attribute of the <processModel> element:
    userName="Machine"
- Replace the attribute that you located in step 2 with the following attribute:
    userName="System"
STATUS
This behavior is by design.
REFERENCES
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
306158 Implementing impersonation in an ASP.NET application
319615 "Unable to impersonate user" error message when you use WindowsIdentity.Impersonate method
For more information, visit the following Microsoft Developer Network (MSDN) Web sites:
Modification Type: Major
Last Reviewed: 12/15/2004
Keywords: kbinterop kbAuthentication kbConfig kbWebForms kbUser kbSecurity kbWebServer kbClient kberrmsg kbprb KB842790 kbAudDeveloper