MailEnable .NET web mail and web administration do not function on a Windows 2000 Domain Controller
SYMPTOMS
MailEnable .NET web mail and web administration do not function on a Windows 2000 Domain Controller.
CAUSE
There are some issues associated with getting ASP.NET working on Windows 2000 domain controllers. These issues are widely experienced and seem to stem from the fact that it is generally not advisable to run ASP.NET applications on a Domain Controller.
By default, a Windows 2000 Domain Controller has the ASP.NET identity account configured as the IWAM_COMPUTERNAME account (as opposed to the ASPNET account that is typically used for ASP.NET). By default, this account does not hold the necessary rights to facilitate running ASP.NET applications - hence requiring system changes to get ASP.NET to work on domain controllers.
RESOLUTION
Here is what can be done to make ASP.NET functional on a Windows 2000 DC.
IMPORTANT: Follow this procedure if experiencing issues with a Windows 2000 Domain Controller. It is also advisable to review the Microsoft Knowledge Base in order to understand the rationale behind the changes made to the system.
Step 1: Setting Domain Controller User Rights Policies
Under Start|Programs|Administrative Tools you should access the Domain Controller Security Policy for the server.
Then grant IWAM_COMPUTERNAME the following rights:
- Impersonate a client after authentication
- Logon as a service
- Logon as a batch job
Step 2: Setting Domain Local User Rights Policies
Under Start|Programs|Administrative Tools you should access the Local Security Policy for the server.
Then grant IWAM_COMPUTERNAME the following rights:
Step 3: Apply Policy changes
To make these changes effective, run these commands from the Windows command prompt:
secedit /refreshpolicy machine_policy
/enforce
secedit /refreshpolicy user_policy /enforce
Step 4: Cycle the web server to ensure that the IWAM account picks up new rights
From the Windows command prompt type:iisreset
Step 5: Give IWAM access to MailEnable registry keys so it can read encrypted impersonation credentials
Now you need to give the IWAM account access to some MailEnable registry keys:
"C:\PROGRA~1\MAILEN~1\Bin\SETACL.EXE" " \\%COMPUTERNAME%MACHINE\SOFTWARE\AspNetIdentity\WebMail\ASPNET_SETREG" /registry /grant IWAM_%COMPUTERNAME% /read
"C:\PROGRA~1\MAILEN~1\Bin\SETACL.EXE" " \\%COMPUTERNAME%MACHINE\SOFTWARE\AspNetIdentity\WebMail\ASPNET_SETREG" /registry /grant IWAM_%COMPUTERNAME%
/read
Step 6: Optionally re-configure .NET
F/W V2 to use IWAM account as ASP.NET identity
If version 2.0 of the framework is installed, then ensure that the IWAM account has been set up correctly as the ASPNET identity account:
"C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis" -ga IWAM_%COMPUTERNAME%
At this point, it should be possible to access the ASP.NET web mail and web administration applications.
REFERENCES
See the Microsoft Knowledge Base: http://support.microsoft.com/?id=315158
| Product: | MailEnable |
| Category: | Environment |
| Article: | ME020430 |
| Module: | WebMail |
| Keywords: | .NET,ASP,WebMail,WebAdmin,Permissions,Security,Rights,Impersonation,web,mail |
| Class: | PRB: Product Problem or Issue |
| Revised: | Wednesday, May 4, 2016 |
| Author: | MailEnable |
| Publisher: | MailEnable |
- Mail Server
- Overview
- Features
- Comparisons
- Solutions
- Product Editions
- Feature Matrix
- Webmail Demo
- Video Gallery
- Migrate To MailEnable
- Testimonials