Allows you to impersonate a different user.



XForm.SetUser inName, inPassword [,inDomain ]



Every session runs in a security context, which determines what resources are accessible to IIS and ASP. This context is a particular user impersonated by IIS (typically IUSR_machinename). SetUser allows you to impersonate a different user so that you can access resources in a different context.

Impersonation is a security risk, so we recommend avoiding it if possible. Indeed, we consider it such a security risk that we ship ABCUpload with impersonation disabled. If you wish to enable it, you must do so via a registry key (see registry keys for details). Impersonation is also difficult to configure correctly, so if you must use it we recommend running your virtual directory in the IIS Process (Low Application Protection).

For further details of Windows security see Microsoft's "Windows NT Security". If you want to run IIS in an isolated process see "Server Reliability Through Process Isolation". Please note that security works differently when running in an isolated process. This is fully covered in the above articles.

If you have problems configuring impersonation you should bear in mind that the Microsoft recommended solution to this is to create a Microsoft Transaction Server (MTS) or COM+ package to host ABCUpload. This will handle the security context switching for you.

The user you are trying to impersonate must have the privilege 'Log on as a batch job'. If you try to impersonate and do not have the correct privileges you will receive one of these errors:

A required privilege is not held by the client. (1314)
Access is denied. (5)

When your virtual directory is running in the IIS Process (Low Application Protection) IIS runs as SYSTEM and then impersonates the Anonymous User. You can change the identity of the Anonymous User but it is typically IUSR_machinename.

When your virtual directory is running as part of MTS or COM+ (Medium - Pooled or High - Isolated Application Protection) it will run as IWAM_machinename and again impersonate the IUSR_machinename user.

On Windows NT 4 the IUSR_machinename user does not have the privileges to do impersonation. On Windows 2000 neither the IUSR_machinename nor the IWAM_machinename has the required privileges. To enable impersonation ABCUpload must drop back into the base user (SYSTEM or IWAM_machinename).

Under Windows NT 4.0

You will be able to impersonate if you do not have "Run in separate memory space" checked. If you do have this option checked you must enable "Act as Part of Operating System" for the IWAM_machinename user.

Under Windows 2000

You will be able to impersonate if your Application Protection is set to Low. If your Application Protection is set to Medium or High you will not be able to impersonate.

To change user privileges on Windows NT 4.0

  1. Open "User Manager" in "Administrative Tools"
  2. Choose "User Rights" from the "Policies" Menu
  3. You may need to check "Show Advanced User Rights"
  4. Change user rights as required
  5. After changing User Rights we advise rebooting

To change user privileges on Windows 2000

  1. Open "Local Security Settings"
  2. Select "Local Policies/User Rights Assignment"
  3. Double click on the required policy
  4. Add or remove users as appropriate
  5. After changing User Rights we advise rebooting
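
After changing user rights it is worth confirming exactly which accounts now hold them. The following is an added example, not part of the ABCUpload documentation: it parses the text of a `secedit /export /areas USER_RIGHTS` file and lists every holder of the two rights mentioned above, marking the IIS accounts. It assumes the internal right names SeBatchLogonRight and SeTcbPrivilege; the account names and the export content are constructed sample data.

```python
# Added example: audit a `secedit /export /areas USER_RIGHTS` file for the
# two rights discussed on this page. Sample data below is constructed.
import re

# Internal names Windows uses for the rights named in the text (assumption:
# they correspond to these labels in the user rights policy UI).
WATCHED = {
    "SeBatchLogonRight": "Log on as a batch job",
    "SeTcbPrivilege": "Act as part of the operating system",
}
# IIS service accounts described on this page (IUSR_/IWAM_machinename).
IIS_ACCOUNT = re.compile(r"^(IUSR|IWAM)_", re.IGNORECASE)

# Constructed export; a real file is usually UTF-16 and must be decoded first.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,IUSR_WEB01,uploadsvc
SeTcbPrivilege = IWAM_WEB01
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""

def parse_rights(text):
    """Return {right: [holders]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip() for h in holders.split(",") if h.strip()]
    return rights

def audit(text):
    """List (label, account, is_iis_account) for each holder of a watched right."""
    rights = parse_rights(text)
    return [(label, holder, bool(IIS_ACCOUNT.match(holder)))
            for name, label in WATCHED.items()
            for holder in rights.get(name, [])]

if __name__ == "__main__":
    for label, account, is_iis in audit(SAMPLE_EXPORT):
        note = "REVIEW: IIS account holds this right" if is_iis else "verify intended"
        print(f"{label}: {account} [{note}]")
```

Entries beginning with `*S-` are SIDs rather than account names and need to be resolved separately before deciding whether they are expected.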

If you need to change back to the IUSR_machinename after impersonating another user you should do so by calling SetUser again. You will need to obtain the Anonymous User name and password from the Metabase. Note that you must be impersonating a user such as SYSTEM which has access to the Metabase.

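' Read the Anonymous User name and password from the IIS Metabase
Set theObj = GetObject("IIS://LocalHost/W3SVC")
theUser = theObj.Get("AnonymousUserName")
thePass = theObj.Get("AnonymousUserPass")
' Switch back to the Anonymous User
theForm.SetUser theUser, thePass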


See Also

User property. Domain property.