PRB: Required Privilege is Not Held ISAPI Debugging Error

 Last reviewed: May 20, 1997
Article ID: Q163351
The information in this article applies to:
  • Microsoft Internet Information Server, versions 1.0, 2.0, 3.0

SYMPTOMS

While attempting to debug an ISAPI extension, you may receive the following error message: 

   HTTP/1.0 500 Server Error ( A required privilege is not held by the
   client. )
If you are running any CGI applications while running IIS interactively, you will need to grant the following right to the logged on use in addition to the above: 

   - Replace a process level token.

CAUSE

This error occurs if the user context in which Internet Information Server (IIS) is running does not have the following privileges: 

   - Act as a part of the operating system
   - Generate security audits
Normally Internet Information Server (IIS) runs as a service and has system permissions. Often when debugging ISAPI DLLs under IIS, users run IIS interactively, in the context of the logged on user.

If the logged on user does not have the above privileges on the local Windows NT Server or Workstation, IIS starts, but any attempts to access a page on the server results in the above error on the browser.

RESOLUTION

Perform the following steps on the IIS server to correct the problem. It is necessary to have administrative privileges on the IIS machine to perform these steps:

  1. From the Administrative Tools group, run User Manager or User Manager for domains. If you are not using User Manager for Domains, skip to step 5.

  2. From the User menu, choose Select Domain.

  3. If the IIS server is a domain controller, select the domain in which it resides.

  4. If the IIS server is a "stand alone" server or a workstation, enter the server name in the following form in the Domain text box and click OK: 

          \\machinename

  5. From the Policies menu, choose User Rights.

  6. Check the box labeled "Show Advanced User Rights."

  7. In the drop-down list labeled "Right:," select "Act as a part of the operating system."

  8. Choose the Add button.

  9. In the Add User and Groups dialog box, ensure that the box labeled "Show names from:" displays the correct domain or machine name for the account to be added.

  10. Click the Show Users button.

  11. In the Names list, select the user account to be added.

  12. Click the Add button. The user name now is listed in the Add Names 

        box.

  13. Click OK.

  14. Repeat steps 7 through 13 and add the user to the "Generate security 

        audit" right.

  15. Log off and log on to the system. The above changes do not take effect 

        until a log on occurs.

If the IIS machine is a "stand-alone" server or a workstation that is also a member of a domain, steps 3 through 5 are required.

STATUS

This behavior is by design.

REFERENCES

For additional information and detailed steps on how to debug an ISAPI DLL, please see the following article in the Microsoft Knowledge Base: 

   ARTICLE-ID: Q152054
   TITLE     : "Tips for Debugging ISAPI DLLs"
Developer Studio version 4.1 and up, Technical Note 63

Additional query words:
Keywords : IISAPI
Technology : kbInetDev
Version : 1.0 2.0 3.0
Platform : NT WINDOWS

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: May 20, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.