ASP.NET Anonymous Impersonation

[sam]

Hi,



When you impersonate with anonymous security what is suppose to happen (IIS5
platform). Is it the aspnet_wp.exe process runs under the identity of the
anonymous user? When I look in the task manager the aspnet_wp.exe process
always lists ASPNET as the User Name. Am I on the right track here? If so,
is there a line of code I can use to display the new identity of the
process? Any pointers to good articles would also be really appreciated.



Sam

 

[Joe Kaplan \(MVP - ADSI\)]

Impersonation means that the currently executing thread will run as a
different identity than the process identity. Thus, if you impersonate the
anonymous user (I have no idea why you would do this, but you certainly
can), the current thread will be that user, but the process is still running
as the account the process was started with (what you see in task manager).
You can see the current thread's identity by doing
System.Security.Principal.WindowsIdentity.GetCurrent().Name.

To make the aspnet_wp.exe run as a different process account, you must
change the process model in the machine.config.

Joe K.

 

[[MSFT]]

Hi Sam,

When we perform inpersonate in ASP.NET, the process aspnet_wp.exe will
still run under ASPNET. But the code to handle current request will be
executed under the impersonation user. To check this user, you may check
following value in the code:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

For more information about asp.net impersonate, you may refer to this
article:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

Luke

 

[sam]

Thanks Joe and Luke for your replies.

Have I got this right:



With anonymous access selected only:

The aspnet_iisapi.exe process runs as IUSER_machine

The thread runs under the ASPNET account. All resources are accessed with
this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



With anonymous access and impersonation:

The aspnet_iisapi.exe process runs as IUSER_machine

The thread impersonates the aspnet_iisapi.exe process and runs as
IUSER_machine. All resources are accessed with this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



With Integrated Windows Authentication selected only:

The aspnet_iisapi.exe process runs as the windows user

The thread runs under the ASPNET account. All resources are accessed with
this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



With Integrated Windows Authentication and impersonation:

The aspnet_iisapi.exe process runs as the windows user

The thread impersonates the aspnet_iisapi.exe process and runs as the
windows user. All resources are accessed with this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
name.

System.Security.Principle.WindowsIdentity.getcurrent().Name - Returns the
thread account name inside the aspnet_wp.exe process.



If I have this right I will be very happy.

Sam

Hi Sam,

When we perform inpersonate in ASP.NET, the process aspnet_wp.exe will
still run under ASPNET. But the code to handle current request will be
executed under the impersonation user. To check this user, you may check
following value in the code:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

For more information about asp.net impersonate, you may refer to this
article:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

Luke

Thanks Joe and Luke for your replys.

Is this correct:





System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()

Context.User.Identity.Name

Response.Write("current thread's identity=" +
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() +
"<BR>");

 

[Joe Kaplan \(MVP - ADSI\)]

Inline:

Thanks Joe and Luke for your replies.

Have I got this right:



With anonymous access selected only:

The aspnet_iisapi.exe process runs as IUSER_machine

I'm not even sure what process this is. Are you sure that is a process
related to ASP.NET? aspnet_isapi.dll is an ISAPI filter which is loaded by
IIS (inetinfo.exe) and dispatches requests for ASP.NET resources to the
worker process. Is that what you meant?

The thread runs under the ASPNET account. All resources are accessed with
this thread.

Correct, each request (which runs as a separate thread) will not be
impersonating, so the thread runs with the process identity (ASPNET). The
things to remember are:
- A process always has a token associated with a Windows account
- A process has at least one thread that actually runs code (ASP.NET has a
pool of them and runs each request on one of these)
- A thread will execute coding using the identity of the process by
default, or using a different identity if it is impersonating another
account

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
Yes


With anonymous access and impersonation:

The aspnet_iisapi.exe process runs as IUSER_machine

Again, not sure what this is.

The thread impersonates the aspnet_iisapi.exe process and runs as
IUSER_machine. All resources are accessed with this thread.

This isn't quite right, but the net effect is the same. Each request thread
will impersonate the account of the the logged on user which is the
anonymous IUSER_machine account in this case. All resources will be
accessed with this account.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config

Yes



With Integrated Windows Authentication selected only:

The aspnet_iisapi.exe process runs as the windows user

The thread runs under the ASPNET account. All resources are accessed with
this thread.

Yes, basically the same as above with the slight terminology correction
above.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config

Yes



With Integrated Windows Authentication and impersonation:

The aspnet_iisapi.exe process runs as the windows user

The thread impersonates the aspnet_iisapi.exe process and runs as the
windows user. All resources are accessed with this thread.

Here, each request thread impersonates the logged on user as before. In
this case, since anonymous is off in IIS, the account of the user who logged
on (regardless of Basic, Digest, Integrated) will be impersonated by the
thread and resources are accessed using this account.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config

Yes

Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
name.

Context.User.Identity will be the identity of the user who logged on. This
doesn't have to be a Windows account though. It can also be a FormsIdentity
for forms authentication. The thing to remember is that this is related to
the user who logged on to the website using an ASP.NET authentication
mechanism.

System.Security.Principle.WindowsIdentity.getcurrent().Name - Returns the
thread account name inside the aspnet_wp.exe process.

This is always the identity of the account that the current thread is
running under in any .NET code. It could be the process token account or an
impersonated account. In ASP.NET, this is directly related to the
impersonation setting in web.config.

These two will be the same WindowsIdentity IF IIS is configured for Windows
(Basic/Digest/Integrated) and anonymous is disabled AND you have enabled
impersonation in web.config.

If I have this right I will be very happy.

Sam

I hope this brings you happiness and no more confusion.

Joe K.

 

[sam]

Yes yes yes lots of happiness.
And yes I did mean aspnet_isapi.dll not .exe.
Thanks so much Joe.
The MVP's are the gods of the newsgroups. They know all and see all.