JSI Tip 6981. The IWAM account is NOT granted the impersonate user right for ASP.NET 1.1 on a Windows 2000 domain controller with Service Pack 4 installed?

When you request an ASP.NET 1.1 page, you receive:

Server Error in '/iwamtest' Application.

Access is denied.
Description: An unhandled exception occurred during the execution of the current Web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details System.ApplicationException: Access is denied.

Source Error
An unhandled exception was generated during the execution of the current Web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace
\[ApplicationException: Access is denied. \]

		  userToken) +0 System.Security.Principal.WindowsIdentity.get_Name() +71
		  System.Web.Configuration.AuthorizationConfigRule.IsUserAllowed(IPrincipal user,
		  String verb) +100
		  System.Web.Configuration.AuthorizationConfig.IsUserAllowed(IPrincipal user,
		  String verb) +81 System.Web.Security.UrlAuthorizationModule.OnEnter(Object
		  source, EventArgs eventArgs) +178
		  +60 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
		  completedSynchronously) +87
When you upgrade a Windows 2000 domain controller to SP4, the IWAM account name is NOT granted the SeImpersonatePrivilege, and programs that use impersonation may not function properly.

To workaround this behavior:

01. Open the Domain Controller Security Policy from the Administrative Tools folder.

02. Navigate through Security Settings / Local Policies / User Rights Assignment.

03. In the right-hand pane, double-click Impersonate a client after authentication.

04. Select Define these policy settings in the Security Policy Setting dialog.

05. Press Add.

06. Press Browse.

07. In the Select Users or Groups dialog, select the IWAM account name and press Add.

08. Press OK, OK, and OK.

09. For the policy to be applied by typing the following at a CMD.EXE prompt:

secedit /refreshpolicy machine_policy /enforce

10. In the CMD.EXE prompt, type iisreset

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.