ASP.NET Anonymous Impersonation

Discussion in 'ASP .Net Security' started by sam, Aug 19, 2004.

  1. sam

    sam Guest

    Hi,



    When you impersonate with anonymous security what is suppose to happen (IIS5
    platform). Is it the aspnet_wp.exe process runs under the identity of the
    anonymous user? When I look in the task manager the aspnet_wp.exe process
    always lists ASPNET as the User Name. Am I on the right track here? If so,
    is there a line of code I can use to display the new identity of the
    process? Any pointers to good articles would also be really appreciated.



    Sam
     
    sam, Aug 19, 2004
    #1
    1. Advertising

  2. Impersonation means that the currently executing thread will run as a
    different identity than the process identity. Thus, if you impersonate the
    anonymous user (I have no idea why you would do this, but you certainly
    can), the current thread will be that user, but the process is still running
    as the account the process was started with (what you see in task manager).
    You can see the current thread's identity by doing
    System.Security.Principal.WindowsIdentity.GetCurrent().Name.

    To make the aspnet_wp.exe run as a different process account, you must
    change the process model in the machine.config.

    Joe K.

    "sam" <> wrote in message
    news:...
    > Hi,
    >
    >
    >
    > When you impersonate with anonymous security what is suppose to happen

    (IIS5
    > platform). Is it the aspnet_wp.exe process runs under the identity of the
    > anonymous user? When I look in the task manager the aspnet_wp.exe process
    > always lists ASPNET as the User Name. Am I on the right track here? If so,
    > is there a line of code I can use to display the new identity of the
    > process? Any pointers to good articles would also be really appreciated.
    >
    >
    >
    > Sam
    >
    >
    >
    >
    >
    >
    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Aug 19, 2004
    #2
    1. Advertising

  3. sam

    [MSFT] Guest

    Hi Sam,

    When we perform inpersonate in ASP.NET, the process aspnet_wp.exe will
    still run under ASPNET. But the code to handle current request will be
    executed under the impersonation user. To check this user, you may check
    following value in the code:

    System.Security.Principal.WindowsIdentity.GetCurrent().Name

    For more information about asp.net impersonate, you may refer to this
    article:

    INFO: Implementing Impersonation in an ASP.NET Application
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

    Luke
     
    [MSFT], Aug 19, 2004
    #3
  4. sam

    sam Guest

    Thanks Joe and Luke for your replies.

    Have I got this right:



    With anonymous access selected only:

    The aspnet_iisapi.exe process runs as IUSER_machine

    The thread runs under the ASPNET account. All resources are accessed with
    this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    With anonymous access and impersonation:

    The aspnet_iisapi.exe process runs as IUSER_machine

    The thread impersonates the aspnet_iisapi.exe process and runs as
    IUSER_machine. All resources are accessed with this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    With Integrated Windows Authentication selected only:

    The aspnet_iisapi.exe process runs as the windows user

    The thread runs under the ASPNET account. All resources are accessed with
    this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    With Integrated Windows Authentication and impersonation:

    The aspnet_iisapi.exe process runs as the windows user

    The thread impersonates the aspnet_iisapi.exe process and runs as the
    windows user. All resources are accessed with this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
    name.

    System.Security.Principle.WindowsIdentity.getcurrent().Name - Returns the
    thread account name inside the aspnet_wp.exe process.



    If I have this right I will be very happy.

    Sam


    "[MSFT]" <> wrote in message
    news:...
    > Hi Sam,
    >
    > When we perform inpersonate in ASP.NET, the process aspnet_wp.exe will
    > still run under ASPNET. But the code to handle current request will be
    > executed under the impersonation user. To check this user, you may check
    > following value in the code:
    >
    > System.Security.Principal.WindowsIdentity.GetCurrent().Name
    >
    > For more information about asp.net impersonate, you may refer to this
    > article:
    >
    > INFO: Implementing Impersonation in an ASP.NET Application
    > http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158
    >
    > Luke
    >



    Thanks Joe and Luke for your replys.

    Is this correct:





    System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()

    Context.User.Identity.Name

    Response.Write("current thread's identity=" +
    System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() +
    "<BR>");
     
    sam, Aug 19, 2004
    #4
  5. Inline:

    "sam" <> wrote in message
    news:...
    > Thanks Joe and Luke for your replies.
    >
    > Have I got this right:
    >
    >
    >
    > With anonymous access selected only:
    >
    > The aspnet_iisapi.exe process runs as IUSER_machine
    >


    I'm not even sure what process this is. Are you sure that is a process
    related to ASP.NET? aspnet_isapi.dll is an ISAPI filter which is loaded by
    IIS (inetinfo.exe) and dispatches requests for ASP.NET resources to the
    worker process. Is that what you meant?

    > The thread runs under the ASPNET account. All resources are accessed with
    > this thread.
    >

    Correct, each request (which runs as a separate thread) will not be
    impersonating, so the thread runs with the process identity (ASPNET). The
    things to remember are:
    - A process always has a token associated with a Windows account
    - A process has at least one thread that actually runs code (ASP.NET has a
    pool of them and runs each request on one of these)
    - A thread will execute coding using the identity of the process by
    default, or using a different identity if it is impersonating another
    account

    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >

    Yes
    >
    >
    > With anonymous access and impersonation:
    >
    > The aspnet_iisapi.exe process runs as IUSER_machine
    >


    Again, not sure what this is.

    > The thread impersonates the aspnet_iisapi.exe process and runs as
    > IUSER_machine. All resources are accessed with this thread.
    >


    This isn't quite right, but the net effect is the same. Each request thread
    will impersonate the account of the the logged on user which is the
    anonymous IUSER_machine account in this case. All resources will be
    accessed with this account.

    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >


    Yes

    >
    >
    > With Integrated Windows Authentication selected only:
    >
    > The aspnet_iisapi.exe process runs as the windows user
    >
    > The thread runs under the ASPNET account. All resources are accessed with
    > this thread.
    >


    Yes, basically the same as above with the slight terminology correction
    above.

    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >


    Yes

    >
    >
    > With Integrated Windows Authentication and impersonation:
    >
    > The aspnet_iisapi.exe process runs as the windows user
    >
    > The thread impersonates the aspnet_iisapi.exe process and runs as the
    > windows user. All resources are accessed with this thread.
    >


    Here, each request thread impersonates the logged on user as before. In
    this case, since anonymous is off in IIS, the account of the user who logged
    on (regardless of Basic, Digest, Integrated) will be impersonated by the
    thread and resources are accessed using this account.

    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >
    >

    Yes
    >
    > Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
    > name.
    >


    Context.User.Identity will be the identity of the user who logged on. This
    doesn't have to be a Windows account though. It can also be a FormsIdentity
    for forms authentication. The thing to remember is that this is related to
    the user who logged on to the website using an ASP.NET authentication
    mechanism.

    > System.Security.Principle.WindowsIdentity.getcurrent().Name - Returns the
    > thread account name inside the aspnet_wp.exe process.
    >


    This is always the identity of the account that the current thread is
    running under in any .NET code. It could be the process token account or an
    impersonated account. In ASP.NET, this is directly related to the
    impersonation setting in web.config.

    These two will be the same WindowsIdentity IF IIS is configured for Windows
    (Basic/Digest/Integrated) and anonymous is disabled AND you have enabled
    impersonation in web.config.

    >
    >
    > If I have this right I will be very happy.
    >
    > Sam
    >
    >

    I hope this brings you happiness and no more confusion.

    Joe K.
    > "[MSFT]" <> wrote in message
    > news:...
    > > Hi Sam,
    > >
    > > When we perform inpersonate in ASP.NET, the process aspnet_wp.exe will
    > > still run under ASPNET. But the code to handle current request will be
    > > executed under the impersonation user. To check this user, you may check
    > > following value in the code:
    > >
    > > System.Security.Principal.WindowsIdentity.GetCurrent().Name
    > >
    > > For more information about asp.net impersonate, you may refer to this
    > > article:
    > >
    > > INFO: Implementing Impersonation in an ASP.NET Application
    > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158
    > >
    > > Luke
    > >

    >
    >
    > Thanks Joe and Luke for your replys.
    >
    > Is this correct:
    >
    >
    >
    >
    >
    > System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()
    >
    > Context.User.Identity.Name
    >
    > Response.Write("current thread's identity=" +
    > System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() +
    > "<BR>");
    >
    >
    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Aug 19, 2004
    #5
  6. sam

    sam Guest

    Yes yes yes lots of happiness.
    And yes I did mean aspnet_isapi.dll not .exe.
    Thanks so much Joe.
    The MVP's are the gods of the newsgroups. They know all and see all.


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:%23cR$...
    > Inline:
    >
    > "sam" <> wrote in message
    > news:...
    > > Thanks Joe and Luke for your replies.
    > >
    > > Have I got this right:
    > >
    > >
    > >
    > > With anonymous access selected only:
    > >
    > > The aspnet_iisapi.exe process runs as IUSER_machine
    > >

    >
    > I'm not even sure what process this is. Are you sure that is a process
    > related to ASP.NET? aspnet_isapi.dll is an ISAPI filter which is loaded

    by
    > IIS (inetinfo.exe) and dispatches requests for ASP.NET resources to the
    > worker process. Is that what you meant?
    >
    > > The thread runs under the ASPNET account. All resources are accessed

    with
    > > this thread.
    > >

    > Correct, each request (which runs as a separate thread) will not be
    > impersonating, so the thread runs with the process identity (ASPNET). The
    > things to remember are:
    > - A process always has a token associated with a Windows account
    > - A process has at least one thread that actually runs code (ASP.NET has

    a
    > pool of them and runs each request on one of these)
    > - A thread will execute coding using the identity of the process by
    > default, or using a different identity if it is impersonating another
    > account
    >
    > > The aspnet_wp.exe process runs as ASPNET as defined in the

    Machine.Config
    > >

    > Yes
    > >
    > >
    > > With anonymous access and impersonation:
    > >
    > > The aspnet_iisapi.exe process runs as IUSER_machine
    > >

    >
    > Again, not sure what this is.
    >
    > > The thread impersonates the aspnet_iisapi.exe process and runs as
    > > IUSER_machine. All resources are accessed with this thread.
    > >

    >
    > This isn't quite right, but the net effect is the same. Each request

    thread
    > will impersonate the account of the the logged on user which is the
    > anonymous IUSER_machine account in this case. All resources will be
    > accessed with this account.
    >
    > > The aspnet_wp.exe process runs as ASPNET as defined in the

    Machine.Config
    > >

    >
    > Yes
    >
    > >
    > >
    > > With Integrated Windows Authentication selected only:
    > >
    > > The aspnet_iisapi.exe process runs as the windows user
    > >
    > > The thread runs under the ASPNET account. All resources are accessed

    with
    > > this thread.
    > >

    >
    > Yes, basically the same as above with the slight terminology correction
    > above.
    >
    > > The aspnet_wp.exe process runs as ASPNET as defined in the

    Machine.Config
    > >

    >
    > Yes
    >
    > >
    > >
    > > With Integrated Windows Authentication and impersonation:
    > >
    > > The aspnet_iisapi.exe process runs as the windows user
    > >
    > > The thread impersonates the aspnet_iisapi.exe process and runs as the
    > > windows user. All resources are accessed with this thread.
    > >

    >
    > Here, each request thread impersonates the logged on user as before. In
    > this case, since anonymous is off in IIS, the account of the user who

    logged
    > on (regardless of Basic, Digest, Integrated) will be impersonated by the
    > thread and resources are accessed using this account.
    >
    > > The aspnet_wp.exe process runs as ASPNET as defined in the

    Machine.Config
    > >
    > >

    > Yes
    > >
    > > Context.User.Identity.Name - Returns the aspnet_iisapi.exe process

    account
    > > name.
    > >

    >
    > Context.User.Identity will be the identity of the user who logged on.

    This
    > doesn't have to be a Windows account though. It can also be a

    FormsIdentity
    > for forms authentication. The thing to remember is that this is related

    to
    > the user who logged on to the website using an ASP.NET authentication
    > mechanism.
    >
    > > System.Security.Principle.WindowsIdentity.getcurrent().Name - Returns

    the
    > > thread account name inside the aspnet_wp.exe process.
    > >

    >
    > This is always the identity of the account that the current thread is
    > running under in any .NET code. It could be the process token account or

    an
    > impersonated account. In ASP.NET, this is directly related to the
    > impersonation setting in web.config.
    >
    > These two will be the same WindowsIdentity IF IIS is configured for

    Windows
    > (Basic/Digest/Integrated) and anonymous is disabled AND you have enabled
    > impersonation in web.config.
    >
    > >
    > >
    > > If I have this right I will be very happy.
    > >
    > > Sam
    > >
    > >

    > I hope this brings you happiness and no more confusion.
    >
    > Joe K.
    > > "[MSFT]" <> wrote in message
    > > news:...
    > > > Hi Sam,
    > > >
    > > > When we perform inpersonate in ASP.NET, the process aspnet_wp.exe will
    > > > still run under ASPNET. But the code to handle current request will be
    > > > executed under the impersonation user. To check this user, you may

    check
    > > > following value in the code:
    > > >
    > > > System.Security.Principal.WindowsIdentity.GetCurrent().Name
    > > >
    > > > For more information about asp.net impersonate, you may refer to this
    > > > article:
    > > >
    > > > INFO: Implementing Impersonation in an ASP.NET Application
    > > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158
    > > >
    > > > Luke
    > > >

    > >
    > >
    > > Thanks Joe and Luke for your replys.
    > >
    > > Is this correct:
    > >
    > >
    > >
    > >
    > >
    > > System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()
    > >
    > > Context.User.Identity.Name
    > >
    > > Response.Write("current thread's identity=" +
    > > System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() +
    > > "<BR>");
    > >
    > >
    > >
    > >

    >
    >
     
    sam, Aug 19, 2004
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?amVzdGVy?=
    Replies:
    1
    Views:
    473
    Patrice
    Sep 23, 2004
  2. Reporter
    Replies:
    3
    Views:
    477
    Mike Schilling
    May 12, 2007
  3. MattC

    IIS Not using anonymous impersonation

    MattC, Jan 4, 2005, in forum: ASP .Net Security
    Replies:
    2
    Views:
    139
    MattC
    Jan 6, 2005
  4. anonymous access + impersonation

    , Jan 30, 2006, in forum: ASP .Net Security
    Replies:
    5
    Views:
    237
  5. Replies:
    1
    Views:
    223
Loading...

Share This Page