I have a asp.net application that configures asp.net applications running on remote machines using IIS ADSI provider. The applications works when the asp.net application runs on Windows 2003 but failed to access remote machines when it runs on Windows XP. After working with Microsoft support enginner, we found the reason:

1)       ADSI IIS Provider uses process token in additional to thread token.

2)       System and Network Service are special accounts. Domain Controller actually creates a hidden domain account that maps to these accounts. That is why System and Network Service accounts can access other machines but ASPNET cannot, unless the password for the ASPNET account is synchronized with the machine to access.

Base on the theory, I finally come out with a way that would work with Windows XP that is both simple and will not introduce any security risk. That is to run asp.net worker process under the Network service account. We could configure that with the following steps:

1)       In machine.config, change the userName in processModel to “NT AUTHORITY\NetworkService”

2)       Run the following command to setup the necessary privilege for the Network Service account:

Aspnet_regiis –ga “NT AUTHORITY\NetworkService”