authentication and impersonation question

D

djc

For asp.net applications:
1) when asp.net impersonation is not set, authentication by IIS happens
first (if anonymous access is enabled then identity is the IUSR_ account),
but any resource access (read/write for files etc) is done by the asp.net
process account (the IIS application pool process account for IIS 6, network
service). This means NTFS permissions need to be set for that asp.net
process (or IIS app pool process) account to control access to resources.
True/false? correct me if/where wrong?

2) when asp.net impersonation *is* set, authentication by IIS happens first
(if anonymous access is enabled then identity is the IUSR_ account), and any
resource access (read/write for files etc) is done by the IIS account, IUSR_
if anonymous. This means NTFS permissions need to be set for that IUSR_
account to control access to resources. True/false? correct me if/where
wrong?

I don't think I have this straight yet.
 
D

Dominick Baier

Hi,

yeah that can be confusing:

For asp.net applications:
1) when asp.net impersonation is not set, authentication by IIS
happens
first (if anonymous access is enabled then identity is the IUSR_
account),
but any resource access (read/write for files etc) is done by the
asp.net
process account (the IIS application pool process account for IIS 6,
network
service). This means NTFS permissions need to be set for that asp.net
process (or IIS app pool process) account to control access to
resources.
True/false? correct me if/where wrong?

Control access is too much. You need read/read execute/list folder contents
for the worker process
In addition the FileAuthorizationModule checks if read access is allowed
on the requested resource for the client (either the auth client or IUSR).

2) when asp.net impersonation *is* set, authentication by IIS happens
first (if anonymous access is enabled then identity is the IUSR_
account), and any resource access (read/write for files etc) is done
by the IIS account, IUSR_ if anonymous. This means NTFS permissions
need to be set for that IUSR_ account to control access to resources.
True/false? correct me if/where wrong?

I don't think I have this straight yet.

right. Again read/rx/lfc is enough
 
D

djc

thanks Dominick,

when I said 'control access' I just meant that was the means by which to
control access, not to assign permissions to the aspnet process or IUSR_
that would allow 'them' to control access. I'm just looking to clarify under
which scenarios what particular account needs ntfs access, whether read or
rx, or I guess write in the case the application has some feature that
allows the user to upload files.

thanks again.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top