ME020430 - PRB: MailEnable .NET web mail and web administration do not function on a Windows 2000 Domain Controller


SYMPTOMS

MailEnable .NET web mail and web administration do not function on a Windows 2000 Domain Controller.

CAUSE

Getting ASP.NET to work on a Windows 2000 domain controller has known problems. They are widely reported, and the underlying reason is that a domain controller is not a supported or advisable host for ASP.NET applications; where one must be used anyway, the system changes below are required.

On a Windows 2000 Domain Controller the ASP.NET worker process runs as the IWAM_COMPUTERNAME account rather than the ASPNET account that ASP.NET normally uses on a member server. By default IWAM_COMPUTERNAME does not hold the user rights (impersonation, service and batch logon) that ASP.NET needs, so the rights and permissions below have to be granted before ASP.NET applications will run on a domain controller.

RESOLUTION

Here is what can be done to make ASP.NET functional on a Windows 2000 DC.

IMPORTANT: Follow this procedure only when the server experiencing the problem is a Windows 2000 Domain Controller. Also review the Microsoft Knowledge Base article listed under REFERENCES to understand the rationale behind the changes made to the system.

Step 1: Setting Domain Controller User Rights Policies

Under Start|Programs|Administrative Tools, open Domain Controller Security Policy for the server. On a domain controller this policy takes precedence over the local policy, so the rights must be granted here as well as in Step 2.

Grant IWAM_COMPUTERNAME the following user rights:

  • Impersonate a client after authentication
  • Log on as a service
  • Log on as a batch job

Step 2: Setting Local User Rights Policies

Under Start|Programs|Administrative Tools, open Local Security Policy for the server.

Grant IWAM_COMPUTERNAME the same user rights:

  • Impersonate a client after authentication
  • Log on as a service
  • Log on as a batch job

Step 3: Apply Policy changes

To make these changes effective without waiting for the next policy refresh, run these commands from the Windows command prompt:

secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

Step 4: Cycle the web server to ensure that the IWAM account picks up new rights

User rights are read into a process token at logon, so the IIS processes must be restarted. From the Windows command prompt type:

iisreset

Step 5: Give IWAM read access to the MailEnable registry key holding the encrypted impersonation credentials

The web mail application's impersonation credentials are stored, encrypted by aspnet_setreg, under a key beneath HKEY_LOCAL_MACHINE\SOFTWARE\AspNetIdentity, and the ASP.NET process account must be able to read them. Grant read access to the IWAM account only; do not widen the ACL to Users or Everyone. In the SetACL object name, MACHINE stands for HKEY_LOCAL_MACHINE:

"C:\PROGRA~1\MAILEN~1\Bin\SETACL.EXE" "\\%COMPUTERNAME%\MACHINE\SOFTWARE\AspNetIdentity\WebMail\ASPNET_SETREG" /registry /grant IWAM_%COMPUTERNAME% /read


Step 6: Optionally re-configure .NET Framework 2.0 to use the IWAM account as the ASP.NET identity

If version 2.0 of the .NET Framework is installed, ensure that the IWAM account has been registered as the ASP.NET process identity, which grants it access to the IIS metabase and the ASP.NET temporary directories:

"C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis" -ga IWAM_%COMPUTERNAME%

At this point, it should be possible to access the ASP.NET web mail and web administration applications.
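The whole procedure as one unattended script, added here as an example; it is not MailEnable's own tooling. It assumes an administrative command prompt on the domain controller itself, the default MailEnable and .NET Framework 2.0 paths used in the steps above, and the SetACL syntax shown in Step 5. It goes beyond the article in two ways: Step 2 is done with a secedit security template instead of the Local Security Policy snap-in, which is where the replace-not-append behaviour of a [Privilege Rights] line matters, and it ends by exporting the three rights so the result can be checked. Step 1 is left to the MMC snap-in, since the Default Domain Controllers policy would otherwise overwrite the local assignments on the next refresh.

```batch
@echo off
REM Added example, not MailEnable's own script: Steps 2 to 6 of this article
REM run unattended on a Windows 2000 domain controller, followed by a check.
REM Step 1 (Domain Controller Security Policy, i.e. the Default Domain
REM Controllers GPO) still has to be done in its MMC snap-in; a GPO refresh
REM would otherwise overwrite the local assignments made here.
REM Assumptions: administrative command prompt on the DC, MailEnable under
REM C:\Program Files\Mail Enable, .NET Framework 2.0 installed (paths below).
setlocal
set IWAM=IWAM_%COMPUTERNAME%
set ME_BIN=C:\PROGRA~1\MAILEN~1\Bin
set FW2=C:\WINNT\Microsoft.NET\Framework\v2.0.50727
set CUR=%TEMP%\rights_before.inf
set TPL=%TEMP%\iwam_rights.inf

REM ---- Step 2: local user rights through a secedit template ----------------
REM A [Privilege Rights] line REPLACES the whole holder list of that right, so
REM the current holders are exported first and IWAM is appended to them;
REM otherwise accounts that already hold the right (Administrators, service
REM accounts) would lose it. "type" is used because secedit writes the
REM export as a Unicode file, which findstr cannot read directly.
if exist "%CUR%" del "%CUR%"
secedit /export /cfg "%CUR%" /areas USER_RIGHTS
set IMP=
set SVC=
set BAT=
for /f "tokens=1,* delims== " %%A in ('type "%CUR%" ^| findstr /b /i "SeImpersonatePrivilege SeServiceLogonRight SeBatchLogonRight"') do (
    if /i "%%A"=="SeImpersonatePrivilege" set IMP=%%B
    if /i "%%A"=="SeServiceLogonRight"   set SVC=%%B
    if /i "%%A"=="SeBatchLogonRight"     set BAT=%%B
)
if defined IMP (set IMP=%IMP%,%IWAM%) else (set IMP=%IWAM%)
if defined SVC (set SVC=%SVC%,%IWAM%) else (set SVC=%IWAM%)
if defined BAT (set BAT=%BAT%,%IWAM%) else (set BAT=%IWAM%)
(
    echo [Version]
    echo signature="$CHICAGO$"
    echo Revision=1
    echo [Privilege Rights]
    echo SeImpersonatePrivilege = %IMP%
    echo SeServiceLogonRight = %SVC%
    echo SeBatchLogonRight = %BAT%
) > "%TPL%"
secedit /configure /db "%TEMP%\iwam_rights.sdb" /cfg "%TPL%" /areas USER_RIGHTS /log "%TEMP%\iwam_rights.log" /quiet

REM ---- Step 3: push the policy change into the running system --------------
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce

REM ---- Step 4: restart IIS so the IWAM process token picks up the rights ---
iisreset

REM ---- Step 5: read access to the aspnet_setreg key, for IWAM only ---------
REM The key holds the encrypted impersonation credentials; grant /read to the
REM process account alone, never to Users or Everyone.
"%ME_BIN%\SETACL.EXE" "\\%COMPUTERNAME%\MACHINE\SOFTWARE\AspNetIdentity\WebMail\ASPNET_SETREG" /registry /grant %IWAM% /read

REM ---- Step 6: register IWAM as the ASP.NET 2.0 process identity -----------
if exist "%FW2%\aspnet_regiis.exe" "%FW2%\aspnet_regiis.exe" -ga %IWAM%

REM ---- Check: the three rights as the system now sees them -----------------
REM Confirm that %IWAM% (by name, or by its SID if the export lists SIDs)
REM appears on every line printed. If it does not, a GPO is overriding the
REM local policy and Step 1 has not been completed.
secedit /export /cfg "%TEMP%\rights_after.inf" /areas USER_RIGHTS
type "%TEMP%\rights_after.inf" | findstr /b /i "SeImpersonatePrivilege SeServiceLogonRight SeBatchLogonRight"
endlocal
```

Run it once after completing Step 1 in the snap-in. The export-then-append step is the part worth keeping even if the rest is done by hand: applying a template that lists only IWAM on SeServiceLogonRight would silently remove the right from every service account that already had it.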

REFERENCES

Microsoft Knowledge Base article 315158: http://support.microsoft.com/?id=315158



Product: MailEnable
Category: Environment
Module: WebMail
Keywords: .NET ASP WebMail WebAdmin Permissions Security Rights Impersonation web mail
Class: PRB: Product Problem or Issue
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable