PRB: Access Denied error when you call LogonUser API (223334)



The information in this article applies to:

  • Microsoft Visual Basic Learning Edition for Windows 5.0
  • Microsoft Visual Basic Learning Edition for Windows 6.0
  • Microsoft Visual Basic Professional Edition for Windows 5.0
  • Microsoft Visual Basic Professional Edition for Windows 6.0
  • Microsoft Visual Basic Enterprise Edition for Windows 5.0
  • Microsoft Visual Basic Enterprise Edition for Windows 6.0

This article was previously published under Q223334

SYMPTOMS

When you try to call the LogonUser Win32 Application Programming Interface (API) from within a Microsoft Visual Basic Component Object Model (COM) component that is used by Active Server Pages (ASP), you receive one of the following error messages:
'5' - "Access Denied."

-or-

'1314' - "A required privilege is not held by the client."

CAUSE

The Microsoft Internet Information Server (IIS) authenticated user that is making the request to LogonUser does not have the correct privileges, which causes LogonUser to fail.

RESOLUTION

To resolve this behavior, use the following Win32 APIs:
  • RevertToSelf
  • LogonUser
  • ImpersonateLoggedOnUser

Call them in this order:
  1. Call RevertToSelf.

    Note The call to LogonUser fails if the thread that makes the call does not have the correct security context. The SYSTEM account holds the permissions needed to call LogonUser successfully. The call to RevertToSelf causes the thread to execute as the SYSTEM account if both of the following conditions are true:
    • The Web application is running in-process.
    • If the COM component is under MTS control, it is in a library package.
  2. Call LogonUser and specify the Microsoft Windows NT account that you want the COM component to run as. LogonUser returns a handle to the security token.
  3. Call ImpersonateLoggedOnUser and pass it the security token that LogonUser returned.

    Note The COM component is now impersonating the security context of the Windows NT account that you specified.
  4. After you finish the impersonation, call RevertToSelf again.
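The four-step sequence above written out as a Visual Basic 6 method, added here as an example and not code from the original article; the method name RunAsUser, the DoWork placeholder, the choice of LOGON32_LOGON_NETWORK and the use of Err.LastDllError are assumptions.

```vb
' Win32 declarations for the three APIs named in the article plus CloseHandle.
Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" _
    (ByVal lpszUsername As String, ByVal lpszDomain As String, _
     ByVal lpszPassword As String, ByVal dwLogonType As Long, _
     ByVal dwLogonProvider As Long, ByRef phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" _
    (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const LOGON32_LOGON_NETWORK As Long = 3    ' assumption: no interactive logon right needed
Private Const LOGON32_PROVIDER_DEFAULT As Long = 0
Private Const ERROR_ACCESS_DENIED As Long = 5       ' the two codes from SYMPTOMS
Private Const ERROR_PRIVILEGE_NOT_HELD As Long = 1314

' Runs DoWork as the given account and always reverts afterwards.
' Returns 0 on success, otherwise the Win32 or VB error number.
' Read Win32 errors via Err.LastDllError; GetLastError is unreliable from VB.
Public Function RunAsUser(ByVal Domain As String, ByVal User As String, _
                          ByVal Password As String) As Long
    Dim hToken As Long
    ' Step 1: drop the IIS caller's identity so the thread runs as the process
    ' identity (SYSTEM only if in-process, or an MTS library package).
    If RevertToSelf() = 0 Then
        RunAsUser = Err.LastDllError: Exit Function
    End If
    ' Step 2: obtain a token for the target account.
    If LogonUser(User, Domain, Password, LOGON32_LOGON_NETWORK, _
                 LOGON32_PROVIDER_DEFAULT, hToken) = 0 Then
        RunAsUser = Err.LastDllError   ' 5 or 1314 here: step 1 did not give
        Exit Function                  ' the thread a privileged enough context
    End If
    ' Step 3: impersonate. Step 4 below must run on every path, so route
    ' runtime errors raised inside DoWork to the cleanup label.
    On Error GoTo Cleanup
    If ImpersonateLoggedOnUser(hToken) = 0 Then
        RunAsUser = Err.LastDllError
    Else
        DoWork
        RunAsUser = 0
    End If
Cleanup:
    If Err.Number <> 0 Then RunAsUser = Err.Number   ' VB error from DoWork
    RevertToSelf                      ' step 4: restore the original context
    CloseHandle hToken                ' do not leak the token handle
End Function

Private Sub DoWork()
    ' Hypothetical placeholder: the component's work that needs the target account.
End Sub
```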

WORKAROUND

If the COM component is in-process, you can create a Microsoft Transaction Server (MTS) package to host the component. The MTS package will handle the security context switching for you. For more information on how to create an empty package and add components to it, click the following article number to view the article in the Microsoft Knowledge Base:

223406 How to create an empty MTS package to add components for ASP

STATUS

This behavior is by design.

MORE INFORMATION

For more information and sample code on impersonating a user from Active Server Pages, click the following article number to view the article in the Microsoft Knowledge Base:

248187 HOWTO: Impersonate a User from Active Server Pages


Modification Type: Major
Last Reviewed: 6/30/2006
Keywords: kbCodeSnippet kbprb kbSecurity KB223334