PRB: Required Privilege is Not Held ISAPI Debugging Error

ID: Q163351

The information in this article applies to:

Microsoft Internet Information Server, versions 1.0, 2.0, 3.0

SYMPTOMS

While attempting to debug an ISAPI extension, you may receive the following error message:

   HTTP/1.0 500 Server Error ( A required privilege is not held by the
   client. )

If you are running any CGI applications while running IIS interactively, you will need to grant the following right to the logged on use in addition to the above:

   - Replace a process level token.

CAUSE

This error occurs if the user context in which Internet Information Server (IIS) is running does not have the following privileges:

   - Act as a part of the operating system
   - Generate security audits

Normally Internet Information Server (IIS) runs as a service and has system permissions. Often when debugging ISAPI DLLs under IIS, users run IIS interactively, in the context of the logged on user.

If the logged on user does not have the above privileges on the local Windows NT Server or Workstation, IIS starts, but any attempts to access a page on the server results in the above error on the browser.

RESOLUTION

Perform the following steps on the IIS server to correct the problem. It is necessary to have administrative privileges on the IIS machine to perform these steps:

1. From the Administrative Tools group, run User Manager or User Manager

   for domains. If you are not using User Manager for Domains, skip to
   step 5.

2. From the User menu, choose Select Domain.

3. If the IIS server is a domain controller, select the domain in which it

   resides.

4. If the IIS server is a "stand alone" server or a workstation, enter the

   server name in the following form in the Domain text box and click OK:

      \\machinename

5. From the Policies menu, choose User Rights.

6. Check the box labeled "Show Advanced User Rights."

7. In the drop-down list labeled "Right:," select "Act as a part of the

   operating system."

8. Choose the Add button.

9. In the Add User and Groups dialog box, ensure that the box labeled "Show

   names from:" displays the correct domain or machine name for the account
   to be added.

10. Click the Show Users button.

11. In the Names list, select the user account to be added.

12. Click the Add button. The user name now is listed in the Add Names

    box.

13. Click OK.

14. Repeat steps 7 through 13 and add the user to the "Generate security

    audit" right.

15. Log off and log on to the system. The above changes do not take effect

    until a log on occurs.

If the IIS machine is a "stand-alone" server or a workstation that is also a member of a domain, steps 3 through 5 are required.

STATUS

This behavior is by design.

REFERENCES

For additional information and detailed steps on how to debug an ISAPI DLL, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q152054
   TITLE     : "Tips for Debugging ISAPI DLLs"

Developer Studio version 4.1 and up, Technical Note 63

Additional query words:

Keywords          : iisapi 
Version           : 1.0 2.0 3.0
Platform          : NT WINDOWS

Last Reviewed: May 21, 1997