
UnauthorizedAccessException after using LogonUser

I am overriding Application_AuthenticateRequest to replace the Windows-authenticated user with another user that I programmatically retrieve with a call to LogonUser. As I assign the resulting WindowsPrincipal to Context.User I get the following exception. I don't get this exception on my development machine (everything works perfectly), only on my QA machine. Both machines are Windows Server 2008 R2. Something is different on the QA machine, but I don't know what it is.

Here is the full description of what I'm trying to accomplish.

    [UnauthorizedAccessException: Attempted to perform an unauthorized operation.]
       System.Security.Principal.WindowsIdentity.get_AuthenticationType() +317
       System.Web.Hosting.IIS7WorkerRequest.SetPrincipal(IPrincipal user, IntPtr pManagedPrincipal) +106
       System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal, Boolean needToSetNativePrincipal) +9022044
       System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal) +6
       System.Web.HttpContext.set_User(IPrincipal value) +36
       MyProj.MvcApplication.OverrideLoginUser() in C:\Data\Project\MyProj\Global.asax.cs:317
       MyProj.MvcApplication.Application_AuthenticateRequest(Object sender, EventArgs e) in C:\Data\Project\MyProj\Global.asax.cs:305
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Update

I resolved the error on the QA machine by changing the application pool's identity from "ApplicationPoolIdentity" to "LocalSystem". On my Dev box the setting is ApplicationPoolIdentity, so why are the privileges different? What permissions does the failing functionality require?

Update 2

I've exhausted all my options. Even using a user account in a local Administrators group doesn't help. The only thing that works is running the application pool as LocalSystem. Some other people have also had this problem (documented here). Any ideas are appreciated. Thanks.

Alex asked Jul 20 '12 21:07


1 Answer

Ok. It only took me 5 hours but I found a solution. I narrowed down the problem to the Identity.AuthenticationType call by calling the property of the newly created identity BEFORE assigning the principal object to Context.User. This time I got the unauthorized error on my Dev box as well. I guess that means that for some reason the property wasn't being executed on my dev box during Context.User assignment but was being executed on my QA box. Anyway, after googling around a bit I found this documentation which showed how to specify the AuthenticationType during WindowsIdentity construction. After I did that my problem was solved! Here's the code:

    // Construct a WindowsIdentity object using the input account token
    // and the specified authentication type.
    var foo = new WindowsIdentity(logonToken, "WindowsAuthentication");

That's it! No more authentication error on both of my servers!

Alex answered Oct 10 '22 09:10