Share via


Misbehaving custom SharePoint components leading to claims authentication exceptions (tag bz7l)

 

I have mentioned the steps to troubleshoot Claims to Windows NT Service (c2WTS) problems in a previous post (click here). There is also a post to see if the problem is with Active Directory (AD) or c2WTS (click here). After doinf the normal troubleshooting outlined in the previous posts you still have an issue or you suspect the problem is with a custom component, follow one of the methods discussed here.

 

Symptom

In the ULS log you see occasionally the following ULS log entry:

05/27/2012 14:33:34.03 w3wp.exe (0x1144)0x1960 SharePoint Foundation Claims Authentication bz7l Medium
SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName=’CONTOSO\jdoed’, UPN=’jdoed@contoso.com’. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied. Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown
at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().

 

Method 1 – Using a DebugDiag rule to capture dump files and analyze it later

 

Capturing data

Follow instructions here to create a dump file based on ULS tag. The tag of interest is bz7l. Follow instructions in the previous post (click here) and make the following changes:

Step 10:

Use this code instead:

 

 Dim Tag1
 Dim TargetTag1
 TargetTag1 = "bz7l"
 Dim PartialText1
 PartialText1 = ""
 Tag1 = Debugger.Execute("r @$t1=@ecx;.if (@$t1 >> 18 < 24) { r @$t2=@$t1>>18 & 3f; r @$t3=@$t1>>12 & 3f; r@$t4=@$t1>>0c & 3f; r @$t5=@$t1>>6 & 3f;r @$t6=@$t1 & 3f;.printf ""%C%C%C%C%C"",@@c++(@$t2 > 0x19 ? @$t2 + 0x16 : @$t2+'a'),@@c++(@$t3 > 0x19 ? @$t3 + 0x16 : @$t3+'a'),@@c++(@$t4 > 0x19 ? @$t4 + 0x16 : @$t4+'a'),@@c++(@$t5 > 0x19 ? @$t5 + 0x16 : @$t5+'a'),@@c++(@$t6 > 0x19 ? @$t6 + 0x16 : @$t6+'a');} .else { .printf ""%C%C%C%C"", @$t1>>18,@$t1>>10,@$t1>>8,@$t1; };")
 WriteToLog "Tag: " & Tag1 'To avoid DebugDiag log flood comment you may remove this line 
 ' Test if the tag matches
 If InStr(Tag1,TargetTag1)>0 Then
  'Only fetch message if necessary
  Dim Message1
  Message1  = ""
  If PartialText1 <> "" Then
    Message1 = Debugger.Execute(".printf ""%mu"",@r9")
    'WriteToLog "Message: " & Message1 'Uncomment this line if you wish to log the message
  End If
  If Message1 = "" Or  InStr(Message1,PartialText1) > 0 Then
   ' You can change the action to log the stack trace for example
    CreateDump "For Tag " & Tag1, false
  End If
 End If

Step 17:

Use this code instead:

 Dim Tag2
 Dim TargetTag2
 TargetTag2 = "bz7l"
 Dim PartialText2
 PartialText2 = ""
 Tag2 = Debugger.Execute("r @$t1=@ecx;.if (@$t1 >> 18 < 24) { r @$t2=@$t1>>18 & 3f; r @$t3=@$t1>>12 & 3f; r@$t4=@$t1>>0c & 3f; r @$t5=@$t1>>6 & 3f;r @$t6=@$t1 & 3f;.printf ""%C%C%C%C%C"",@@c++(@$t2 > 0x19 ? @$t2 + 0x16 : @$t2+'a'),@@c++(@$t3 > 0x19 ? @$t3 + 0x16 : @$t3+'a'),@@c++(@$t4 > 0x19 ? @$t4 + 0x16 : @$t4+'a'),@@c++(@$t5 > 0x19 ? @$t5 + 0x16 : @$t5+'a'),@@c++(@$t6 > 0x19 ? @$t6 + 0x16 : @$t6+'a');} .else { .printf ""%C%C%C%C"", @$t1>>18,@$t1>>10,@$t1>>8,@$t1; };")
 WriteToLog "Tag: " & Tag2 'To avoid DebugDiag log flood comment you may remove this line 
 ' Test if the tag matches
 If InStr(Tag2,TargetTag2)>0 Then
  'Only fetch message if necessary
  Dim Message2 
 Message2 = ""
  If PartialText2 <> "" Then
    Message2 = Debugger.Execute(".printf ""%mu"",@r9")
    'WriteToLog "Message: " & Message2 'Uncomment this line if you wish to log the message
  End If
  If Message2 = "" Or  InStr(Message2,PartialText2) > 0 Then
   ' You can change the action to log the stack trace for example
    CreateDump "For Tag " & Tag2, false
  End If
 End If

When the dump is captured, the rule you be marked as complete. Move the dump to your working machine so you can analyze it.

 

Analyzing the data

After capturing the dump, open it in WinDbg, If you do not know how to get WinDbg to work, see this previous post (click here).

 

Verifying the user being impersonating

To see the user being impersonated, simply issue the command !token

 0:072> !token
 TS Session ID: 0
 User: S-1-5-17
 Failed to query groups info size
 Primary Group: S-1-5-17
 Privs: 
  00 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
  01 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
  02 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
  03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 Auth ID: 0:3e3
 Impersonation Level: Impersonation
 TokenType: Impersonation
 Is restricted token: no.

 

So the user SID is S-1-5-17. SID is the internal code of a credential, all SIDs with 4 parts are built-in SIDs. This is already a red flag, a domain account user looks like this: S-1-5-21-174793676-37829515-635260011-218252. Why a SID and not the account name? you may ask yourself. The reason is that the information in the dump is stored as SID. If you are in the same domain where the dump was taken or the SID is a well known group or user (i.e. a short SID like the one we saw) you may try to run this instead: !roken –n

 0:072> !token -n
 *** Friendly name lookup may not work correctly with dumpfiles.
 TS Session ID: 0
 User: S-1-5-17 (Well Known Group: NT AUTHORITY\IUSR)
 Failed to query groups info size
 Primary Group: S-1-5-17 (Well Known Group: NT AUTHORITY\IUSR)
 Privs: 
  00 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
  01 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
  02 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
  03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 Auth ID: 0:3e3
 Impersonation Level: Impersonation
 TokenType: Impersonation
 Is restricted token: no.

 

So, the SID is for group NT AUTHORITY\IUSR which is the anonymous account for IIS 7+ App Pools. This is a very important clue. This means that the call to c2WTS was done without impersonating the Application Pool account. Even though adding this account to the list of users allowed to access c2WTS would work this is not a secure solution. In other words, DO NOT add the IIS anonymous account to the list of allow users in c2WTS. The solution here is to identify which component is not impersonating the Application Pool account.

 

Verifying the misbehaving component not impersonating App Pool account

You can see the managed stack trace using different commands. If you are using NetExt you may issue !wclrstack command. If you want to use sos, run first this command to load the appropriate sos version: .loadby sos clr (notice the dot in the beginning of the command). Then run !clrstack. In the worst case scenario you can also run kpL to show the stack as native.

 0:072> .loadby sos clr
  
  
 0:072> !clrstack
 OS Thread Id: 0x3e80 (72)
 (...) Call Site
 (...) Microsoft.SharePoint.Diagnostics.ULS+NativeMethods.ULSSendFormattedTrace(UInt32, UInt32, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, Boolean)
 (...) Microsoft.SharePoint.Diagnostics.ULS+NativeMethods.ULSSendFormattedTrace(UInt32, UInt32, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, Boolean)
 (...) DomainBoundILStubClass.IL_STUB_PInvoke(UInt32, UInt32, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, Boolean)
 (...) Microsoft.SharePoint.Diagnostics.ULS.SendTraceImpl(UInt32, Microsoft.SharePoint.Diagnostics.ULSCatBase, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, System.Object[]) 
 (...) Microsoft.SharePoint.Diagnostics.ULS.SendTraceTag(UInt32, Microsoft.SharePoint.Diagnostics.ULSCatBase, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, System.Object[]) 
 (...) Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity() 
 (...) Microsoft.IdentityModel.WindowsTokenService.S4UClient+IS4UService_dup.UpnLogon(System.String, Int32)
 (...) Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(System.Func`2) 
 (...) Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity() 
 (...) Microsoft.SharePoint.Administration.SPFarm.CurrentClaimsUserIsBoxAdministrator(Microsoft.IdentityModel.Claims.IClaimsIdentity) 
 (...) Microsoft.SharePoint.Administration.SPFarm.CurrentUserIsBoxAdministrator() 
 (...) Microsoft.SharePoint.SPManagedCodeInterop.CanCurrentUserIgnoreThrottle(System.Guid) 
 (...) Microsoft.SharePoint.Library.SPRequestInternalClass.GetListItemDataWithCallback2(Microsoft.SharePoint.Library.IListItemSqlClient, System.String, System.String, System.String, System.String, Microsoft.SharePoint.Library.SAFEARRAYFLAGS, Microsoft.SharePoint.Library.ISP2DSafeArrayWriter, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Boolean ByRef)
 (...) Microsoft.SharePoint.Library.SPRequestInternalClass.GetListItemDataWithCallback2(Microsoft.SharePoint.Library.IListItemSqlClient, System.String, System.String, System.String, System.String, Microsoft.SharePoint.Library.SAFEARRAYFLAGS, Microsoft.SharePoint.Library.ISP2DSafeArrayWriter, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Boolean ByRef)
 (...) Microsoft.SharePoint.Library.SPRequest.GetListItemDataWithCallback2(Microsoft.SharePoint.Library.IListItemSqlClient, System.String, System.String, System.String, System.String, Microsoft.SharePoint.Library.SAFEARRAYFLAGS, Microsoft.SharePoint.Library.ISP2DSafeArrayWriter, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Boolean ByRef) 
 (...) Microsoft.SharePoint.SPListItemCollection.EnsureListItemsData() 
 (...) Microsoft.SharePoint.SPListItemCollection.GetDataTableCore(Microsoft.SharePoint.DataTableFetchOptions) 
 (...) Contoso.WebParts.Weather.CreateChildControls() 
 (...) System.Web.UI.Control.EnsureChildControls() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean) 
 (...) System.Web.UI.Page.ProcessRequest(Boolean, Boolean) 
 (...) System.Web.UI.Page.ProcessRequest() 
 (...) System.Web.UI.Page.ProcessRequest(System.Web.HttpContext) 
 (...) Microsoft.SharePoint.Publishing.TemplateRedirectionPage.ProcessRequest(System.Web.HttpContext) 
 (...) System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 
 (...) System.Web.HttpApplication.ExecuteStep(IExecutionStep, Boolean ByRef) 
 (...) System.Web.HttpApplication+PipelineStepManager.ResumeSteps(System.Exception) 
 (...) System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, System.AsyncCallback) 
 (...) System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext) 
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32) 
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32) 
 (...) DomainBoundILStubClass.IL_STUB_ReversePInvoke(Int64, Int64, Int64, Int32)
 (...) System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus ByRef)
 (...) System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus ByRef)
 (...) DomainBoundILStubClass.IL_STUB_PInvoke(IntPtr, System.Web.RequestNotificationStatus ByRef)
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32) 
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32) 
 (...) DomainBoundILStubClass.IL_STUB_ReversePInvoke(Int64, Int64, Int64, Int32)
 (...) [ContextTransitionFrame: 0000006d042fe618] 

 

Notice the custom control Contoso.WebParts.Weather is trying to access a list (which requires valid credentials). The custom control is easy to spot, it is the only one not from Microsoft. So you check the version using lmv m Contoso.

 0:072> lmv m Contoso
 start             end                 module name
 0000006d`2ced0000 0000006d`2ceda000   Contoso   (no symbols)           
     Loaded symbol image file: Contoso.dll
     Image path: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Contoso\v4.0_1.0.0.0__7fe4f23318698e3d\Contoso.dll
     Image name: Contoso.dll
     Timestamp:        Wed Aug  5 14:30:09 2011 (55C26441)
     File version:     1.0.0.0
     Product version:  1.0.0.0
     File flags:       0 (Mask 3F)
     File OS:          4 Unknown Win32
     CompanyName:      Contoso The MOSS 2007 King
     ProductName:      Contoso
     InternalName:     Contoso.dll
     OriginalFilename: Contoso.dll
     ProductVersion:   1.0.0.0
     FileVersion:      1.0.0.0
     FileDescription:  Contoso
     LegalCopyright:   Contoso The MOSS 2007 King © 2011

You notice it is an old DLL, thus most likely not claims enabled. Looking at the source code there is the misbehaving part:

    1: namespace Contoso.WebParts
    2: {
    3:  
    4:     public class Weather : WebPart
    5:     {
    6:         public override void CreateChildControls()
    7:         {
    8:             // The full code below should run in elevated privileges to impersonate the app pool account (SPSecurity.RunWithElevatedPrivileges)
    9:             SPWeb rootWeb = SPContext.Current.Site.RootWeb;
   10:             SPList sPList = rootWeb.Lists["WeatherConfig"];
   11:             SPListItemCollection items = sPList.GetItems(new SPQuery
   12:             {
   13:                 Query = "<Where><Eq><FieldRef Name='Title' /><Value Type='Text'>Weather</Value></Eq></Where>"
   14:             });
   15:             DataTable dataTable = items.GetDataTable(); // <-- Here is doing something that requires impersonating caller
   16:             (... removed for clarity ...)
   17:         }
   18:  
   19:     }
   20: }

 

Line 15 is requesting data from a list. To do this it is necessary to impersonate the caller. In attempt to do so, SharePoint will try to impersonate the caller. In some situations if the list requires NTLM/Kerberos authentication, SharePoint will leverage c2WTS to fetch a valid token. The correct way to do that is to run the code in elevated privileges using SPSecurity.RunWithElevatedPrivileges. The code should look like this:

    1: namespace Contoso.WebParts
    2: {
    3:  
    4:     public class Weather : WebPart
    5:     {
    6:         public override void CreateChildControls()
    7:         {
    8:             SPSecurity.RunWithElevatedPrivileges(delegate()
    9:             {
   10:                 SPWeb rootWeb = SPContext.Current.Site.RootWeb;
   11:                 SPList sPList = rootWeb.Lists["WeatherConfig"];
   12:                 SPListItemCollection items = sPList.GetItems(new SPQuery
   13:             (... removed for clarity ...)
   14:  
   15:             
   16:             });
   17:         }
   18:  
   19:     }
   20: }

 

Method 2 – Changing DebugDiag 2 rule to log the user credential and token when bz7l happens

 

Capturing data

The command !token requires the Windows Debugger extension exts.dll. If you do not have Windows Debugger installed, follow instructions here. You can install Debugger in any machine, it does not need to be in the SharePoint server. Copy file exts.dll from the winxp folder under the Windows Debugger installation folder. It is something that looks like: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\winxp\exts.dll. If you not sure you can always open WinDbg, open Task Manager, select process Windows GUI symbolic debugger, right-click and choose Open File Location. Copy exts.dll to your SharePoint machine that you have DebugDiag installed. Place in this folder on the server: C:\Program Files\DebugDiag\Exts. NOTE: Make sure you copy exts.dll from the 64-bits version of the Debugger. If you copy from the 32-bits version IT WILL not work.

Follow instructions here to log user and stack without generating a dump file. The tag of interest is bz7l. Follow instructions in the previous post (click here) and make the following changes:

Step 10:

Use this code instead:

 Dim Tag1
 Dim TargetTag1
 TargetTag1 = "bz7l"
 Dim PartialText1
 PartialText1 = "" 
 Tag1 = Debugger.Execute("r @$t1=@ecx;.if (@$t1 >> 18 < 24) { r @$t2=@$t1>>18 & 3f; r @$t3=@$t1>>12 & 3f; r@$t4=@$t1>>0c & 3f; r @$t5=@$t1>>6 & 3f;r @$t6=@$t1 & 3f;.printf ""%C%C%C%C%C"",@@c++(@$t2 > 0x19 ? @$t2 + 0x16 : @$t2+'a'),@@c++(@$t3 > 0x19 ? @$t3 + 0x16 : @$t3+'a'),@@c++(@$t4 > 0x19 ? @$t4 + 0x16 : @$t4+'a'),@@c++(@$t5 > 0x19 ? @$t5 + 0x16 : @$t5+'a'),@@c++(@$t6 > 0x19 ? @$t6 + 0x16 : @$t6+'a');} .else { .printf ""%C%C%C%C"", @$t1>>18,@$t1>>10,@$t1>>8,@$t1; };") 
 ' Test if the tag matches
 If InStr(Tag1,TargetTag1)>0 Then
 'Only fetch message if necessary
 Dim Message1
 Message1 = ""
 If PartialText1 <> "" Then
   Message1 = Debugger.Execute(".printf ""%mu"",@r9")
   'WriteToLog "Message: " & Message1 'Uncomment this line if you wish to log the message
 End If
 If Message1 = "" Or InStr(Message1,PartialText1) > 0 Then
   WriteToLog "Tag: " & Tag1 
   WriteToLog Debugger.Execute(".load exts\exts;!token –n;!clrstack")
 End If
 End If 

Step 17:

Use this code instead:

 Dim Tag2
 Dim TargetTag2
 TargetTag2 = "bz7l"
 Dim PartialText2
 PartialText2 = ""
 Tag2 = Debugger.Execute("r @$t1=@ecx;.if (@$t1 >> 18 < 24) { r @$t2=@$t1>>18 & 3f; r @$t3=@$t1>>12 & 3f; r@$t4=@$t1>>0c & 3f; r @$t5=@$t1>>6 & 3f;r @$t6=@$t1 & 3f;.printf ""%C%C%C%C%C"",@@c++(@$t2 > 0x19 ? @$t2 + 0x16 : @$t2+'a'),@@c++(@$t3 > 0x19 ? @$t3 + 0x16 : @$t3+'a'),@@c++(@$t4 > 0x19 ? @$t4 + 0x16 : @$t4+'a'),@@c++(@$t5 > 0x19 ? @$t5 + 0x16 : @$t5+'a'),@@c++(@$t6 > 0x19 ? @$t6 + 0x16 : @$t6+'a');} .else { .printf ""%C%C%C%C"", @$t1>>18,@$t1>>10,@$t1>>8,@$t1; };")
 ' Test if the tag matches
 If InStr(Tag2,TargetTag2)>0 Then
 'Only fetch message if necessary
 Dim Message2 
 Message2 = ""
 If PartialText2 <> "" Then
    Message2 = Debugger.Execute(".printf ""%mu"",@r9")
    'WriteToLog "Message: " & Message2 'Uncomment this line if you wish to log the message
 End If
 If Message2 = "" Or  InStr(Message2,PartialText2) > 0 Then
   WriteToLog "Tag: " & Tag2 
   WriteToLog Debugger.Execute(".load exts\exts;!token –n;!clrstack")
  
 End If
 End If

After the problem is reproduced you can open the log file and check the output. It will look like this (excerpt):

 Breakpoint id 1 at onetnative!ULSSendFormattedTrace caused by System ID: 17812
 Tag: bz7l
  
 TS Session ID: 0
 User: S-1-5-17
 Failed to query groups info size
 Primary Group: S-1-5-17
 Privs: 
  00 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
  01 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
  02 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
  03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 Auth ID: 0:3e3
 Impersonation Level: Impersonation
 TokenType: Impersonation
 Is restricted token: no.
  
 OS Thread Id: 0x3e80 (72)
 (...) Call Site
 (...) Microsoft.SharePoint.Diagnostics.ULS+NativeMethods.ULSSendFormattedTrace(UInt32, UInt32, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, Boolean)
 (...) Microsoft.SharePoint.Diagnostics.ULS+NativeMethods.ULSSendFormattedTrace(UInt32, UInt32, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, Boolean)
 (...) DomainBoundILStubClass.IL_STUB_PInvoke(UInt32, UInt32, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, Boolean)
 (...) Microsoft.SharePoint.Diagnostics.ULS.SendTraceImpl(UInt32, Microsoft.SharePoint.Diagnostics.ULSCatBase, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, System.Object[]) 
 (...) Microsoft.SharePoint.Diagnostics.ULS.SendTraceTag(UInt32, Microsoft.SharePoint.Diagnostics.ULSCatBase, Microsoft.SharePoint.Diagnostics.ULSTraceLevel, System.String, System.Object[]) 
 (...) Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity() 
 (...) Microsoft.IdentityModel.WindowsTokenService.S4UClient+IS4UService_dup.UpnLogon(System.String, Int32)
 (...) Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(System.Func`2) 
 (...) Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity() 
 (...) Microsoft.SharePoint.Administration.SPFarm.CurrentClaimsUserIsBoxAdministrator(Microsoft.IdentityModel.Claims.IClaimsIdentity) 
 (...) Microsoft.SharePoint.Administration.SPFarm.CurrentUserIsBoxAdministrator() 
 (...) Microsoft.SharePoint.SPManagedCodeInterop.CanCurrentUserIgnoreThrottle(System.Guid) 
 (...) Microsoft.SharePoint.Library.SPRequestInternalClass.GetListItemDataWithCallback2(Microsoft.SharePoint.Library.IListItemSqlClient, System.String, System.String, System.String, System.String, Microsoft.SharePoint.Library.SAFEARRAYFLAGS, Microsoft.SharePoint.Library.ISP2DSafeArrayWriter, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Boolean ByRef)
 (...) Microsoft.SharePoint.Library.SPRequestInternalClass.GetListItemDataWithCallback2(Microsoft.SharePoint.Library.IListItemSqlClient, System.String, System.String, System.String, System.String, Microsoft.SharePoint.Library.SAFEARRAYFLAGS, Microsoft.SharePoint.Library.ISP2DSafeArrayWriter, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Boolean ByRef)
 (...) Microsoft.SharePoint.Library.SPRequest.GetListItemDataWithCallback2(Microsoft.SharePoint.Library.IListItemSqlClient, System.String, System.String, System.String, System.String, Microsoft.SharePoint.Library.SAFEARRAYFLAGS, Microsoft.SharePoint.Library.ISP2DSafeArrayWriter, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Microsoft.SharePoint.Library.ISPDataCallback, Boolean ByRef) 
 (...) Microsoft.SharePoint.SPListItemCollection.EnsureListItemsData() 
 (...) Microsoft.SharePoint.SPListItemCollection.GetDataTableCore(Microsoft.SharePoint.DataTableFetchOptions) 
 (...) Contoso.WebParts.Weather.CreateChildControls()
 (...) System.Web.UI.Control.EnsureChildControls() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Control.PreRenderRecursiveInternal() 
 (...) System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean) 
 (...) System.Web.UI.Page.ProcessRequest(Boolean, Boolean) 
 (...) System.Web.UI.Page.ProcessRequest() 
 (...) System.Web.UI.Page.ProcessRequest(System.Web.HttpContext) 
 (...) Microsoft.SharePoint.Publishing.TemplateRedirectionPage.ProcessRequest(System.Web.HttpContext) 
 (...) System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 
 (...) System.Web.HttpApplication.ExecuteStep(IExecutionStep, Boolean ByRef) 
 (...) System.Web.HttpApplication+PipelineStepManager.ResumeSteps(System.Exception) 
 (...) System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, System.AsyncCallback) 
 (...) System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext) 
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32) 
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32) 
 (...) DomainBoundILStubClass.IL_STUB_ReversePInvoke(Int64, Int64, Int64, Int32)
 (...) System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus ByRef)
 (...) System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatus ByRef)
 (...) DomainBoundILStubClass.IL_STUB_PInvoke(IntPtr, System.Web.RequestNotificationStatus ByRef)
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32) 
 (...) System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32) 
 (...) DomainBoundILStubClass.IL_STUB_ReversePInvoke(Int64, Int64, Int64, Int32)
 (...) [ContextTransitionFrame: 0000006d042fe618]