Persits Software, Inc. Knowledge Base Articles

A required privilege is not held by the client

Problem Description

When trying to impersonate a user account using the LogonUser method, the line of code

obj.LogonUser "domain", "username", "password"

generates the following error:

A required privilege is not held by the client.

Solution

There are several solutions to this problem.

1. Application Protection

Run Internet Services Manager. Right-click the virtual directory in which your ASP script is running and select Properties. On the "Virtual Directory" tab, set the Application Protection option to Low (IIS Process). If the option is disabled, click on the "Create" button first.

In Windows NT4 (IIS4), instead of the above, disable the option "Run in separate memory space".

2. User Privileges

Grant the "Act as Part of Operating System" privilege to the user context under which the ASP script runs. By default, IIS is configured for anonymous access under the user account IUSR_machinename, although you may have configured it differently.

This is usually only necessary in Windows NT 4 (IIS 4). To grant a user this privilege, go to User Manager, select Policies/User Rights, check "Show Advanced User Rights", select "Act as Part of Operating System", and add your IIS user account.

This is usually not necessary in Windows 2000 or later, but the steps are as follows. Go to Control Panel / Administrative Tools, and run Local Security Policy. Select User Rights Assignment under Local Policies in the left pane. Double-click the "Act as part of the operating system" policy in the right pane, and add your IIS user account.

Under some configurations, the IWAM_machinename account is also used. You can try adding this privilege to that user account as well.

3. ASP.NET

Under ASP.NET, the error message reads as follows:

Exception Details: System.Runtime.InteropServices.COMException: A required privilege is not held by the client.

To solve this, follow the steps above (in any version of Windows) to grant the "Act as Part of Operating System" privilege to the user account ASPNET.
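
To confirm which accounts actually hold the privilege after following the steps in sections 2 and 3, the local policy can be exported and inspected. The script below is an added example, not part of the original article or of any Persits product; it assumes a Windows version with PowerShell and secedit, run from an elevated prompt, and relies on SeTcbPrivilege being the internal name of the "Act as part of the operating system" right.

```powershell
# Added example: list the accounts that hold "Act as part of the operating
# system" (SeTcbPrivilege) in the local security policy.
# Assumption: run from an elevated PowerShell prompt on the IIS server.
function Get-TcbPrivilegeHolders {
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the local security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE); is the prompt elevated?"
        }

        # The SeTcbPrivilege line is absent when no account holds the right.
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate to a name if possible.
                $sidText = $entry.Substring(1)
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $sidText   # unresolvable SID, e.g. a deleted account
                }
            } else {
                $entry         # already written as an account name
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-TcbPrivilegeHolders)
if ($holders.Count -eq 0) {
    'No account holds SeTcbPrivilege.'
} else {
    'Accounts holding SeTcbPrivilege:'
    $holders | ForEach-Object { "  $_" }
}
```

The output should list the IIS account you added (for example IUSR_machinename, IWAM_machinename or ASPNET) and nothing you did not intend to grant.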

Comments

You must restart IIS for a change in user privileges to take effect. You may use the following commands at a command prompt:

net stop iisadmin /y
net start w3svc

Granting the "Act as Part of Operating System" privilege is not a security vulnerability. Administrator accounts and privileges always remain protected by the administrator password.

This article applies to AspUpload, AspEmail, AspEncrypt, AspUser, and AspPDF.