You receive a "logon failure: unknown user name or bad" error message while accessing remote security-enhanced resources from an ASP.NET application (842789)


The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft ASP.NET (included with the .NET Framework) 1.0

SUMMARY

This article discusses the behavior of accessing a remote security-enhanced resource from a Microsoft ASP.NET application. The article contains the following workarounds for this behavior:

  • In the Machine.config file, change the userName attribute and the password attribute of the processModel element.

  • Run the application under the identity of a user who has permissions to the remote security-enhanced resource by using the impersonation element in the Web.config file.

  • Change the password of the ASPNET user account to some known value, and then create the same ASPNET user account that uses the same password on the remote computer.

  • Access the remote security-enhanced resource by using a COM component that is running under the security context of a user account that has permissions to the remote security-enhanced resource.

  • Run the part of the code that is accessing the remote security-enhanced resource under the identity of a user who has permissions to the remote security-enhanced resource.

  • Call the WNetAddConnection2 function to open the connection to the remote security-enhanced resource, and then map the local drive to the remote security-enhanced resource in the code.

This article also includes detailed steps to reproduce the behavior.

SYMPTOMS

When you access remote security-enhanced resources from an ASP.NET application, you may receive the following error message:
Logon failure: unknown user name or bad password.

CAUSE

By default, an ASP.NET application runs under the security context of an ASPNET user account. The ASP.NET application accesses the remote security-enhanced resource by using the ASPNET user account when the following conditions are true:
  • When the impersonation feature is not turned on for the ASP.NET application
  • When the authentication method in Microsoft Internet Information Services (IIS) is set to anonymous access
However, the ASPNET user account may not have permissions to access the remote security-enhanced resource.

WORKAROUND

To work around this behavior, use one of the following methods:

Use the Machine.config file

Change the userName attribute and the password attribute in the processModel element of the Machine.config file to the credentials of a user who has access to the remote security-enhanced resource. After you make this change, restart the computer.
<processModel enable="true" 
      userName="<UserName>"
      password="<Password>"  . . ./>
Note <UserName> and <Password> are placeholders for the credentials of a user who has access to the remote security-enhanced resource.

Important Do not to store clear-text passwords in the Machine.config file. Instead, use the Aspnet_setreg.exe utility to store encrypted passwords in the registry. For additional information about how to use the Aspnet_setreg utility, click the following article number to view the article in the Microsoft Knowledge Base:

329290 How to use the ASP.NET utility to encrypt credentials and session state connection strings

When you use this method, the change is global. This is a drawback because other Web applications and other Web services that are running on the computer where you make the change will also run in this new security context.

However, this is not the case for Microsoft Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003 because IIS uses application pools for Web applications and for Web services. Each application can run in its own application pool. Each application pool can be configured for the user name field and the password field. You can set this configuration under the security context of the worker process in the application pool where the application runs.

If you change the user account under the security context that the ASP.NET worker process is running in, you may also have to grant the correct permissions to that user account on some folders on the Web server to make the worker process run successfully.

For more information about how to create a custom account to run ASP.NET applications, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn.microsoft.com/library/en-us/secmod/html/secmod15.asp

back to the top

Use the impersonation feature in the Web.config file

You can set fixed identities that have access to the remote security-enhanced resource for specific virtual directories by using the following setting in the Web.config file for your application.
<identity impersonate="true"
          userName="<UserName>"
          password="<Password>"/>
Note <UserName> and <Password> are placeholders for the credentials of a user who has access to the remote security-enhanced resource.

Important Do not to store clear-text passwords in the Machine.config file. Instead, use the Aspnet_setreg.exe utility to store encrypted passwords in the registry. For additional information about how to use the Aspnet_setreg utility, click the following article number to view the article in the Microsoft Knowledge Base:

329290 How to use the ASP.NET utility to encrypt credentials and session state connection strings

You can use one of the following accounts for impersonation:
  • A domain account
  • A "mirrored" local account
A "mirrored" local account has a matching user name and a matching password on two computers. You must use this account if the computers are in separate domains and do not have a trust relationship.

back to the top

Change the password of the ASPNET user account

By default, the ASP.NET worker process (Aspnet_wp.exe) runs under the ASPNET user account. The ASPNET user account is located under Local Users and Groups. This account has a strong password that is secured in the Local System Authority (LSA).

To use this method, follow these steps:
  1. In Local Users and Groups on the Web server, change the ASPNET account password to a known value.
  2. Replace the credentials in the processModel element in the Machine.config file with the following. 
    <processModel enable="true" 
      userName="ASPNET"
      password="<Password>"  . . ./>
    Note <Password> is the placeholder for the password that you have assigned to the ASPNET user account.
  3. On the remote computer, create an account that is named ASPNET and that has the same password as the ASPNET user account on the Web server.
  4. Add the ASPNET account on the remote computer to the Access Control List (ACL) of the security-enhanced resource.
back to the top

Use a COM component to access the remote security-enhanced resource

  1. Create an ActiveX component:
    1. Start Microsoft Visual Basic 6.0.
    2. Create an ActiveX Dll project.
    3. On the Project menu, click References. The References dialog box appears.
    4. Click to select the Microsoft Scripting Runtime check box in the Available References list box to add the reference in your project.
    5. Click OK.
    6. Press CTRL+R to open Project Explorer, click Project1, and then press F4 to access the properties for the project.
    7. Change the Name property to remoteAccess.
    8. In Project Explorer, click Class1.cls, and then change the Name property to clsRemoteAccess.
    9. On the File menu, click Save Project. The Save File As dialog box appears.
    10. Save the class file as clsRemoteAccess.cls.
    11. Save the project file as remoteAccess.vbp.
    12. Paste the following code in the code window of the clsRemoteAccess class:
      Public fs As New FileSystemObject
Public txtStream As TextStream
'
Public Function WriteToFile() As Boolean
On Error GoTo Erro
Set txtStream = fs.OpenTextFile("\\<ServerName>\<ShareName>\<TextFileName>", ForAppending, False)
'
txtStream.WriteLine ("Hi i am able to write")
txtStream.Close
WriteToFile = True
Exit Function
Erro:
    WriteToFile = False
End Function
      Note <ServerName>, <ShareName>, and <TextFileName> are placeholders for these values in your environment.
    13. On the File menu, click Make remoteAccess.dll. The Make Project dialog box appears.
    14. Click OK.
    15. On the File menu, click Exit. The Microsoft Visual Basic dialog box appears.
    16. Click Yes.
  2. Create a COM+ application:
    1. On a computer that is running the Microsoft Windows 2000 Advance Server operating system, click Start, point to Programs, point to Administrative Tools, and then click Component Services. The Component Services dialog box appears.
    2. Expand Component Services, expand Computers, expand My Computer, and then click COM+ Applications.
    3. Right-click COM+ Applications, click New, and then click Application. The Welcome to the COM Application Install Wizard wizard appears.
    4. Click Next.
    5. Click Create an empty application.
    6. In the Enter a name for the new application box, type remoteComponent, and then click Next.
    7. Click This user.
    8. In the User box, type the name of a user who has access to the remote security-enhanced resource.
    9. In the Password box, type the password for the user account.
    10. In the Confirm password box, type the password again.
    11. Click Next, and then click Finish.
  3. Add the ActiveX component to the COM+ application:
    1. In the left pane of the Component Services dialog box, expand COM+ Applications, expand remoteComponent, and then click Components.
    2. Right-click Components, point to New, and then click Component. The Welcome to the COM Component Install Wizard wizard appears.
    3. Click Next.
    4. Click Install new component(s).
    5. Locate the remoteAccess.dll file that you created in step 1.
    6. Click Open, click Next, and then click Finish. This step installs the dynamic link library (DLL) in the COM+ application.
  4. Use the COM component in the ASP.NET application:
    1. Start Microsoft Visual Studio .NET.
    2. On the File menu, point to New, and then click Project. The New Project dialog box appears.
    3. Under Project Types, click Visual Basic Projects.
    4. Under Templates, click ASP.NET Web Application, and then click OK.
    5. In Solution Explorer, right-click References, and then click Add Reference. The Add Reference dialog box appears.
    6. Click the COM tab.
    7. In the Component Name column, click remoteAccess.
    8. Click Select, and then click OK.
    9. In Solution Explorer, right-click the WebForm1.aspx file, and then click View Code.
    10. Paste the following code at the top of the WebForm1.aspx.vb file.
      Imports remoteAccess
    11. Locate the Page_Load method.
    12. Paste the following code in the Page_Load method.
              Dim objRemoteAccess As New clsRemoteAccessClass
        Dim blnWriteResult As Boolean
        '
        blnWriteResult = objRemoteAccess.WriteToFile()
        '
        If (blnWriteResult) Then
            Response.Write("Success")
        Else
            Response.Write("Failed")
        End If
    13. On the Build menu, click Build Solution.
    14. On the Debug menu, click Start. You receive the success message in the browser.
back to the top

Use the code impersonation feature

By default, the ASP.NET worker process (Aspnet_wp.exe) runs under the security context of the ASPNET user account. To use this method, the user account under the security context that the ASP.NET worker process (Aspnet_wp.exe) runs in must be part of the "Act as part of the operating system" policy. You can use Local Security Policy in the Windows Administrative Tools to add the ASPNET user account to the "Act as part of the operating system" policy.

Note To use this method, you must maintain a list of user names and their corresponding passwords in your application. Because you are using those user names and passwords to connect to the remote security-enhanced resources from the code, you must make changes in your application when these user names or their corresponding passwords change.
  1. Start Microsoft Visual Studio .NET
  2. On the File menu, point to New, and then click Project. The New Project dialog box appears.
  3. Select Visual Basic Projects under Project Types.
  4. Select ASP.NET Web Application under Templates.
  5. Click OK.
  6. Right-click the WebForm1.aspx file in the solution explorer window, and then click View Code.
  7. Add the following code at the top of the WebForm1.aspx.vb file.
    Imports System.IO
Imports System.Security
Imports System.Security.Principal
  8. Locate the Public Class WebForm1 Inherits System.Web.UI.Page statement and then add the following code after the Public Class WebForm1 Inherits System.Web.UI.Page statement.
        Dim LOGON32_LOGON_INTERACTIVE As Integer = 2
    Dim LOGON32_PROVIDER_DEFAULT As Integer = 0
    '
    Declare Function LogonUserA Lib "advapi32.dll" (ByVal lpxzUsername As String, _
                                            ByVal lpszDomain As String, _
                                            ByVal lpszpassword As String, _
                                            ByVal dwLogonType As Integer, _
                                            ByVal dwLogonProvider As Integer, _
                                            ByRef phToken As IntPtr) As Integer
    Declare Auto Function DuplicateToken Lib "advapi32.dll" ( _
                                            ByVal ExistingTokenHandle As IntPtr, _
                                            ByVal ImpersonationLevel As Integer, _
                                            ByRef DuplicateTokenHandle As IntPtr) As Integer
    Declare Auto Function RevertToSelf Lib "advapi32.dll" () As Long
    '
    Declare Auto Function CloseHandle Lib "Kernel32.dll" (ByVal handle As IntPtr) As Long
    '
    Dim impersonationContext As WindowsImpersonationContext
  9. Locate the Page_Load method, and then paste the following code in the Page_Load method.
            Try
            If impersonateValidUser("<UserName>", "", "<Password>") Then

                Dim fs As New FileStream("\\<ServerName>\<ShareName>\<TextFileName>", FileMode.Append)
                Dim w As New StreamWriter(fs)
                Try
                    w.Write(w.NewLine)
                    w.WriteLine("Hi how are you")
                    w.Close()
                    fs.Close()
                Catch
                    w.Close()
                    fs.Close()
                End Try
                '
                undoImpersonation()
                Response.Write("Success")
            Else
                Response.Write("Failure")

            End If
        Catch ex As Exception
            Response.Write(ex.Message)
            Response.Write(vbNewLine & User.Identity.Name)
            Response.Write(vbNewLine)
            Response.Write(vbNewLine & Principal.WindowsIdentity.GetCurrent.Name)
        End Try
    Note <ServerName>, <ShareName>, <UserName>, <Password>, and <TextFileName> are placeholders for these values in your environment. <Password> and <UserName> are the values for the credential of the user who has access to the <TextFileName> file on the remote computer.
  10. Locate the End Sub statement and then paste the following code after the End Sub statement.
    '
    Private Function impersonateValidUser(ByVal userName As String, _
        ByVal domain As String, ByVal password As String) As Boolean
        Dim tempWindowsIdentity As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        Dim tokenDuplicate As IntPtr = IntPtr.Zero
        impersonateValidUser = False
        '
        If RevertToSelf() Then
            If LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE, _
                LOGON32_PROVIDER_DEFAULT, token) <> 0 Then
                If DuplicateToken(token, 2, tokenDuplicate) <> 0 Then
                    tempWindowsIdentity = New WindowsIdentity(tokenDuplicate)
                    impersonationContext = tempWindowsIdentity.Impersonate()
                    If Not impersonationContext Is Nothing Then
                        impersonateValidUser = True
                    End If
                End If
            End If
        End If
        '
        If Not tokenDuplicate.Equals(IntPtr.Zero) Then
            CloseHandle(tokenDuplicate)
        End If
        '
        If Not token.Equals(IntPtr.Zero) Then
            CloseHandle(token)
        End If
        '
    End Function
    '
    Private Sub undoImpersonation()
        impersonationContext.Undo()
    End Sub
  11. On the Build menu, click Build Solution.
  12. On the Debug menu, click Start. You receive the success message in the browser.
Note To use this method, you must maintain a list of user names and their corresponding passwords in your application. Because you are using those user names and passwords to connect to the remote security-enhanced resources from the code, you must make changes in your application when these user names or their corresponding passwords change.

back to the top

Call the WNetAddConnection2 function in your code

To use this method, you must call the WNetAddConnection2 function. The WNetAddConnection2 function makes a connection to a network resource. The function can redirect a local device to the network resource.

Note To use this method, you must maintain a list of user names and their corresponding passwords in your application. Because you are using those user names and passwords to connect to the remote security-enhanced resources from the code, you must make changes in your application when these user names or their corresponding passwords change.
  1. Start Microsoft Visual Studio .NET
  2. On the File menu, point to New, and then click Project. The New Project dialog box appears.
  3. Under Project Types, click Visual Basic Projects.
  4. Under Templates, click ASP.NET Web Application, and then click OK.
  5. In Solution Explorer, right-click the WebForm1.aspx file, and then click View Code.
  6. Add the following code at the top of the WebForm1.aspx.vb file.
    Imports System.IO
Imports System.Runtime.InteropServices
  7. Add the following code after the Public Class WebForm1 Inherits System.Web.UI.Page statement.
        '
    Structure NETRESOURCE
        Public dwScope As Int32
        Public dwType As Int32
        Public dwDisplayType As Int32
        Public dwUsage As Int32
        Public lpLocalName As String
        Public lpRemoteName As String
        Public lpComment As String
        Public lpProvider As String
    End Structure
    '
    Public Const NO_ERROR As Int32 = 0
    Public Const CONNECT_UPDATE_PROFILE As Int32 = &H1
    Public Const RESOURCETYPE_DISK As Int32 = &H1
    '
    Declare Function WNetAddConnection2 Lib "mpr.dll" Alias _
      "WNetAddConnection2A" (ByRef lpNetResource As NETRESOURCE, _
      <MarshalAs(UnmanagedType.LPStr)> ByVal lpPassword As String, <MarshalAs(UnmanagedType.LPStr)> ByVal lpUserName As String, _
      ByVal dwFlags As Int32) As Int32
    '
    Declare Function WNetCancelConnection2 Lib "mpr.dll" Alias _
    "WNetCancelConnection2A" (ByVal lpName As String, _
    ByVal dwFlags As Long, ByVal fForce As Long) As Long
  8. Locate the Page_Load method.
  9. Paste the following code in the Page_Load method.
            Try
            '
            Dim Result As Long
            Dim theNetResource As NETRESOURCE
            theNetResource.dwType = RESOURCETYPE_DISK
            theNetResource.lpRemoteName = "\\<ServerName>\<ShareName>"
            theNetResource.lpLocalName = "X:"
            '
            Result = WNetAddConnection2(theNetResource, "<Password>", "<Domain\UserName>", CONNECT_UPDATE_PROFILE)
            '
            If (Result = NO_ERROR) Then
                '
                Dim fs As New FileStream("X:\<TextFileName>", FileMode.Append)
                Dim w As New StreamWriter(fs)
                '
                Try
                    w.Write(w.NewLine)
                    w.WriteLine("Hi how are you")
                    w.Close()
                    fs.Close()
                    Response.Write("Success")
                Catch
                    Response.Write("Failed")
                    w.Close()
                    fs.Close()
                End Try
                '
            Else
                Response.Write("Failed")
            End If            '
            Result = WNetCancelConnection2(theNetResource.lpLocalName, 0, 0)
            '
        Catch
            '
        End Try
        '
    Note <ServerName>, <ShareName>, <Password>, <Domain\UserName>, and <TextFileName> are placeholders for these values in your environment. <Password> and <Domain\UserName> are the values for the credential of the user who has access to the <TextFileName> file on the remote computer.
  10. On the Build menu, click Build Solution.
  11. On the Debug menu, click Start. You receive the success message in the browser.
back to the top

STATUS

This behavior is by design.

MORE INFORMATION

Steps to reproduce the behavior

In these steps, you write to a text file that is located on another computer in the same network. This text file is secured from being accessed through other computers in the network.
  1. Start Microsoft Visual Studio .NET
  2. On the File menu, point to New, and then click Project. The New Project dialog box appears.
  3. Under Project Types, click Visual Basic Projects.
  4. Under Templates, click ASP.NET Web Application.
  5. Click OK.
  6. In Solution Explorer, right-click the WebForm1.aspx file, and then click View Code.
  7. Add the following code at the top of the Webform1.aspx.vb file.
    Imports System.IO
Imports System.Security
  8. Locate the Page_Load method.
  9. Paste the following code in the Page_Load method. 
            Try
            Dim fs As New FileStream("\\<ServerName>\<ShareName>\<TextFileName>", FileMode.Append)
            Dim w As New StreamWriter(fs)
            '
            Try
                w.Write(w.NewLine)
                w.WriteLine("Hi how are you")
                w.Close()
                fs.Close()
            Catch
                w.Close()
                fs.Close()
            End Try
            '
        Catch ex As Exception
                Response.Write(ex.Message)
        End Try
    Note <ServerName>, <ShareName>, and <TextFileName> are placeholders for these values in your environment.
  10. On the Build menu, click Build Solution.
  11. On the Debug menu, click Start.
You may receive the error message that is mentioned in the "Symptoms" section.

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

306158 INFO: Implementing impersonation in an ASP.NET application

306590 INFO: ASP.NET security overview

For more information, visit the following Microsoft Developer Network (MSDN) Web sites:

Authentication in ASP.NET: .NET security guidance
http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp

WNetAddConnection2
http://msdn.microsoft.com/library/en-us/wnet/wnet/wnetaddconnection2.asp

WNetCancelConnection2
http://msdn.microsoft.com/library/en-us/wnet/wnet/wnetcancelconnection2.asp

DuplicateToken
http://msdn.microsoft.com/library/en-us/security/security/duplicatetoken.asp

RevertToSelf
http://msdn.microsoft.com/library/en-us/security/security/reverttoself.asp

CloseHandle
http://msdn.microsoft.com/library/en-us/sysinfo/base/closehandle.asp

Modification Type:MajorLast Reviewed:5/19/2005
Keywords:kbFileIO kbDLL kbAPI kbUser kbsettings kbpermissions kbpasswords kbConfig kbAuthentication kbprb KB842789 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.