impersonation and location element

[Brad]

I have an asp.net app with one sub folder that requires windows
authentication. The IIS folder is set to require intergrated security and
the sub folder has its own web.config
with the following setting.
<identity impersonate="true" />
<authorization>
<allow users ="*" />
</authorization>
This works fine and WindowsIdentity.GetCurrent.Name yields the true users
identity.

But...if I remove the web.config from the sub folder and place the above
settings in a "location" element in the apps web.config (se below) then
impersonation seems to fail and the "WindowsIdentity.GetCurrent.Name
always equals "NT AUTHORITY\NETWORK SERVICE".

<location path="subfoldername/page.aspx">
<system.web>
<identity impersonate="true" />
<authorization>
<allow users ="*" /><!-- This allows access to all users -->
</authorization>
</system.web>
</location>

My question is: Why does setting the impersonate in the location element in
the apps web.config behave differently than setting it in the separate
web.config?


Brad

 

[MSFT]

Hi Brad,

I tested this situation but I got different result with you. When I open
the webform in sub folder, it give me correct user account instead of "NT
AUTHORITY\NETWORK SERVICE".

Therefore, I want confirm with you that if you also create a virtual
directory for the sub folder in IIS? When you open the page, did you use:

Http://localhost/WebApplication1/Sub1/page.aspx

or

Http://localhost/Sub1/page.aspx ?

In my test, I only have "WebApplication1" as a virtual directory and set
its securoty to "Integrated Windows Authentication"

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Brad]

Luke,
Using your example:
Sub1 is not a virtual directory. Anonymous access is enabled for WebApp1
but it is disabled for Sub1. The page must be accessed as
Http://localhost/WebApplication1/Sub1/page.aspx as it is part of the
WebApp1 compiled application.

I see the question coming: why not just use integrated auth for WebApp1?
WebApp1 actually uses forms authentication because some users can be
authenticated on our domain and others must login using a login page. With
integrated auth on Sub1 I can test users against folder and, if they can
access sub1/page.aspx, I set the forms auth using their windows identity
name otherwise they have to use the login page and I set the forms auth
using the login page info. It works quite well and I've been using for a
year now. I was just trying to eliminate multiple web configs in the same
app and ran into this little issue.

Brad

 

[MSFT]

Hi Brad,

I tested "Sub1 is not a virtual directory. Anonymous access is enabled for
WebApp1 but it is disabled for Sub1. ", but I still get the correct result.
Here is my ASPX code behind:

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
Response.Write(WindowsIdentity.GetCurrent.Name)
End Sub

And here is the configration section in web.config of webapp1:

<location path="sub1/webform5.aspx">
<system.web>
<identity impersonate="true" />
<authorization>
<allow users ="*" /><!-- This allows access to all users -->
</authorization>
</system.web>
</location>

Can you create a new web project to test this?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[MSFT]

Hello Bard, what is the result after you create a new web project for test?
any updates?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Brad]

Bard?? Hmmm...I'm not so adept with word or pen as to be called a Bard ;-)
Anyway....it works now. I'm not sure why it didn't earlier though
assumption would be that I had a typo or left something out before.

Thanks for looking into this and the followup.

Brad