WindowsPrincipal and WindowsIdentity.

[Kevin Burton]

This is more of a solution that raised a question.

I have a Web service that does not allow anonymous users.
For debugging I put in the following lines in my Web
Service:

WindowsIdentity wi = WindowsIdentity.GetCurrent();
WindowsPrincipal wp = Thread.CurrentPrincipal as
WindowsPrincipal;
wi = wp.Identity as WindowsIdentity;
wi.Impersonate();

My question was the the first WindowsIdentity returned
from GetCurrent shows MACHINE\ASPNET (MACHINE is the name
of the machine) yet the WindowsIdentity returned from
CurrentPrincipal shows DOMAIN\kburton (DOMAIN is the name
of the domain I am logged in as a domain user when I am
running this). The Web service needs to access a database
and the ASPNET account cannot be used to access the
database. It seems that Impersonate() makes the
identity "correct". My question is why is GetCurrent and
CurrentPrincipal different? Under what conditions will
they be different? Why does Impersonate make them the
same?

Thank you for your help in understanding this.

Kevin Burton
(e-mail address removed)

 

[bruce barker]

asp.net broke out the authenication identity (who called this page -
Principle) from the security identity used by the thread servicing the page.
the default is for the page threads to run under the asp.net account.

you can achieve the same result without code by specifing in you web.config:

<identity impersonate="true" />

note: if the user hitting the site is is not logged on the local machine
(try hitting you site from another box) the Impersonated identity is not a
primmary token, so can not be used to access resources (say a sqlserver) on
another box.

-- bruce (sqlwork.com)