Inline:
sam said:
> Thanks Joe and Luke for your replies.
> Have I got this right:
> With anonymous access selected only:
> The aspnet_iisapi.exe process runs as IUSER_machine

I'm not even sure what process this is. Are you sure that is a process
related to ASP.NET? aspnet_isapi.dll is an ISAPI filter which is loaded by
IIS (inetinfo.exe) and dispatches requests for ASP.NET resources to the
worker process. Is that what you meant?

> The thread runs under the ASPNET account. All resources are accessed with
> this thread.

Correct, each request (which runs as a separate thread) will not be
impersonating, so the thread runs with the process identity (ASPNET). The
things to remember are:
- A process always has a token associated with a Windows account
- A process has at least one thread that actually runs code (ASP.NET has a
pool of them and runs each request on one of these)
- A thread will execute code using the identity of the process by
default, or using a different identity if it is impersonating another
account

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config

Yes

> With anonymous access and impersonation:
> The aspnet_iisapi.exe process runs as IUSER_machine

Again, not sure what this is.

> The thread impersonates the aspnet_iisapi.exe process and runs as
> IUSER_machine. All resources are accessed with this thread.

This isn't quite right, but the net effect is the same. Each request thread
will impersonate the account of the logged on user which is the
anonymous IUSER_machine account in this case. All resources will be
accessed with this account.

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config

Yes

> With Integrated Windows Authentication selected only:
> The aspnet_iisapi.exe process runs as the windows user
> The thread runs under the ASPNET account. All resources are accessed with
> this thread.

Yes, basically the same as above with the slight terminology correction
above.

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config

Yes

> With Integrated Windows Authentication and impersonation:
> The aspnet_iisapi.exe process runs as the windows user
> The thread impersonates the aspnet_iisapi.exe process and runs as the
> windows user. All resources are accessed with this thread.

Here, each request thread impersonates the logged on user as before. In
this case, since anonymous is off in IIS, the account of the user who logged
on (regardless of Basic, Digest, Integrated) will be impersonated by the
thread and resources are accessed using this account.

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config

Yes

> Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
> name.

Context.User.Identity will be the identity of the user who logged on. This
doesn't have to be a Windows account though. It can also be a FormsIdentity
for forms authentication. The thing to remember is that this is related to
the user who logged on to the website using an ASP.NET authentication
mechanism.

> System.Security.Principal.WindowsIdentity.GetCurrent().Name - Returns the
> thread account name inside the aspnet_wp.exe process.

This is always the identity of the account that the current thread is
running under in any .NET code. It could be the process token account or an
impersonated account. In ASP.NET, this is directly related to the
impersonation setting in web.config.
These two will be the same WindowsIdentity IF IIS is configured for Windows
(Basic/Digest/Integrated) and anonymous is disabled AND you have enabled
impersonation in web.config.

> If I have this right I will be very happy.
> Sam

I hope this brings you happiness and no more confusion.
Joe K.
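
The three identities discussed in the reply above can be checked on a live site with a small diagnostic handler. This is an added example, not part of the original post; the class name WhoAmIHandler and the output labels are hypothetical, and it assumes .NET Framework ASP.NET (System.Web).

```csharp
// Added diagnostic example (hypothetical handler name), not from the original thread.
// Reports, for the current request: the logged-on user, the thread identity,
// and the worker process identity.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. The user who logged on through an ASP.NET authentication mechanism.
        //    May be a WindowsIdentity, a FormsIdentity, or an unauthenticated identity.
        IIdentity user = context.User != null ? context.User.Identity : null;

        // 2. The account the request thread is running as right now: the
        //    impersonated account, or the process account if not impersonating.
        string threadName;
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
            threadName = thread.Name;

        // GetCurrent(true) returns null when the thread is not impersonating.
        bool impersonating;
        using (WindowsIdentity imp = WindowsIdentity.GetCurrent(true))
            impersonating = imp != null;

        // 3. The worker process account: temporarily drop the impersonation
        //    token (IntPtr.Zero behaves like RevertToSelf), read, then restore.
        string processName;
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity proc = WindowsIdentity.GetCurrent())
            processName = proc.Name;

        // The two names match only with Windows authentication, anonymous
        // access disabled in IIS, and impersonation enabled in web.config.
        bool same = user is WindowsIdentity &&
            string.Equals(user.Name, threadName, StringComparison.OrdinalIgnoreCase);

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";
        r.Write("Context.User.Identity    : " +
            (user == null ? "(none)" : user.Name + " [" + user.GetType().Name + "]") + "\n");
        r.Write("WindowsIdentity (thread) : " + threadName + "\n");
        r.Write("Thread impersonating     : " + impersonating + "\n");
        r.Write("Worker process identity  : " + processName + "\n");
        r.Write("User == thread identity  : " + same + "\n");
    }
}
```

Running it under each of the four IIS/web.config combinations from the thread shows which account resources are actually accessed with. Because the output discloses service account names, restrict access to the handler or remove it after testing.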