I've just finished upgrading a customer to SDL Tridion 2011, where part of the task involved migrating a custom application from the Tridion 2009 server to the new 2011 GUI server. The application uses the .NET Interop library to create a TDSE object. When the impersonation code ran, the following exception was thrown:
<?xml version="1.0" standalone="yes"?><tcm:Error ErrorCode="80040302" Category="16" Source="Kernel" Severity="2" xmlns:tcm="http://www.tridion.com/ContentManager/5.0">
<tcm:Line ErrorCode="80040302" Cause="false" MessageID="4394">
<![CDATA[Unable to Initialize TDSE object.]]>
<tcm:Line ErrorCode="80040302" Cause="true">
<![CDATA[Impersonation by this user requires the DOMAIN\john account to be configured as impersonation user.]]><tcm:Token>DOMAIN\john</tcm:Token>
This isn't something I've seen before, and I was a bit surprised as I had full admin access to the machine. A cure was found in the online SDL Tridion documentation here (thanks to Tridion Customer Support!). To explain the security issue, I've reproduced their documentation below:
The Content Manager uses a .NET encryption key (an RSA key container used by .NET protected configuration) to encrypt sensitive configuration data such as passwords. The following user accounts automatically have access to this encryption key:
- Any Content Manager system account (including the Content Manager user account and impersonation user accounts created during installation)
- The user account of the user who originally ran the installer
The use of the configuration encryption functionality is completely transparent, so long as the following is true:
- The user account that runs the SDL Tridion MMC Snap-in configuration tool is the same user account that originally ran the installer.
- The user executing the various SDL Tridion Windows services is not changed from its default value.
If you want to run the Snap-in and/or Windows services as a user other than the one specified, you must grant that new user access to the encryption key. Note that any account with access to the key can decrypt the protected configuration sections, so grant it to as few accounts as possible. To grant this access, log on as the user account of the user who originally ran the installer, or as another, similarly authorized user with access to the encryption key, and do the following:
- Open a Windows command prompt.
- Go to a directory on your machine on which a version of the .NET Framework is installed (a subdirectory of C:\Windows\Microsoft.NET\Framework\ or C:\Windows\Microsoft.NET\Framework64\).
- Enter the following command:
aspnet_regiis -pa "TridionRsaKeyContainer" "<domain>\<account>"
where <domain> is the domain of this user and <account> is the username of the user.
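The steps above, scripted and verified, as an added example that is not from the SDL documentation or the original post. It assumes the container is a machine-level RSA key container (which is what lets several accounts share it), that machine-level containers are stored as files under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys whose NTFS ACL is what aspnet_regiis -pa edits, and that the tool's -pr switch removes a grant; the account name is a placeholder you replace with the one named in the error's <tcm:Token>. Run it from an elevated PowerShell prompt as the installing user or another account that already has access to the key.

```powershell
# Added example (not SDL's or the post author's code): grant an account read
# access to the Content Manager's RSA key container and verify the resulting ACL.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account,                                  # placeholder, e.g. 'DOMAIN\john'
    [string]$Container = 'TridionRsaKeyContainer',     # name from the SDL documentation
    [switch]$Revoke                                    # remove the grant (-pr) instead
)

# aspnet_regiis.exe lives in the per-version framework directory. The machine-level
# key store is shared by the 32- and 64-bit tools, so either copy works; the 64-bit,
# newest version sorts first and is picked.
$roots  = @("$env:windir\Microsoft.NET\Framework64", "$env:windir\Microsoft.NET\Framework")
$regiis = Get-ChildItem -Path $roots -Filter 'aspnet_regiis.exe' -Recurse -ErrorAction SilentlyContinue |
    Sort-Object -Property FullName -Descending |
    Select-Object -First 1
if (-not $regiis) { throw 'aspnet_regiis.exe not found; is the .NET Framework installed?' }

# -pa grants read access, which is all that decrypting protected configuration
# needs; -pr removes it. Deliberately no -full: the account must not be able to
# export or replace the key.
$switch = if ($Revoke) { '-pr' } else { '-pa' }
& $regiis.FullName $switch $Container $Account
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $switch failed with exit code $LASTEXITCODE" }

# Verify: resolve the container to its key file (assumption: machine-level store
# under ProgramData\...\MachineKeys) and inspect that file's ACL directly.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $Container
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
             [System.Security.Cryptography.CspProviderFlags]::UseExistingKey      # fail if absent
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                     $rsa.CspKeyContainerInfo.UniqueKeyContainerName
$rsa.Dispose()

$acl = Get-Acl -Path $keyFile
"Key file: $keyFile"
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# The grant is only effective if the account now has an Allow entry on the key file.
$granted = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $Account -and $_.AccessControlType -eq 'Allow'
}
if ($Revoke) {
    if ($granted) { throw "$Account still has an Allow entry on $keyFile" }
    "Access for $Account removed from $Container."
} else {
    if (-not $granted) { throw "$Account has no Allow entry on $keyFile; the grant did not take effect" }
    "Access for $Account granted on $Container."
}
```

Usage: `.\Grant-TridionKeyAccess.ps1 -Account 'DOMAIN\john'` to grant, and the same with `-Revoke` once the account no longer needs to run the Snap-in, a service, or an impersonating application. The ACL listing is worth keeping in the change record: it shows every account that can decrypt the Content Manager's stored passwords, which is the real scope of what this grant hands out.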
So after running the aspnet_regiis tool, I can now go in and add my user account to the impersonation user list.