RE: UNC file share and NTLM user identity
From: Bassel Tabbara [MSFT] (basselt@online.microsoft.com)
Date: 04/22/03
- Next message: Bassel Tabbara [MSFT]: "Re: Setting Principal for HttpWorkerRequest"
- Previous message: Victor Garcia Aprea [MVP]: "Re: Error"
- In reply to: Bassel Tabbara [MSFT]: "RE: UNC file share and NTLM user identity"
- Next in thread: Bassel Tabbara [MSFT]: "RE: UNC file share and NTLM user identity"
- Reply: Bassel Tabbara [MSFT]: "RE: UNC file share and NTLM user identity"
From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
Date: Mon, 21 Apr 2003 23:50:24 GMT

Hello Michael,

Basically, Context.User is what ASP.NET uses. The HttpContext.User property
provides programmatic access to the properties and methods of the
IPrincipal interface. Because ASP.NET pages contain a default reference to
the System.Web namespace (which contains the HttpContext class), you can
reference the members of HttpContext on an .aspx page without the fully
qualified class reference to HttpContext. For example, you can use just
User.Identity.Name to get the name of the user on whose behalf the current
process is running. It will return the authenticated user.

System.Threading.Thread.CurrentPrincipal is used as a local storage of the
thread. It gets or sets the thread's current principal (for role-based
security).

Without impersonation, this identity will be empty. Only in ASP.NET, it
will be equal to Context.User. In normal Windows apps this will return a null
value.

You have to set it in your application; for example, in a thread pool you
will set the CurrentPrincipal to an identity for a particular thread.

I hope this helps.

Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: basselt@online.microsoft.com ("Bassel Tabbara [MSFT]")
| Organization: Microsoft
| Date: Mon, 07 Apr 2003 05:16:41 GMT
| Subject: RE: UNC file share and NTLM user identity
|
| Hello Michael,
| I will do more research on this and will provide you with a viable
| solution.
|
| Thanks,
| Bassel Tabbara
| Microsoft, ASP.NET
|
| This posting is provided "AS IS", with no warranties, and confers no
| rights.
|
|
| --------------------
| | From: "Michael Leung" <kmleung@hec.com.hk>
| | Sender: "Michael Leung" <kmleung@hec.com.hk>
| | Subject: UNC file share and NTLM user identity
| | Date: Sun, 6 Apr 2003 06:20:43 -0700
| |
| | Hi,
| |
| | I have used a wrong email address. This one belongs to my
| | MSDN subscription. I do a re-post.
| |
| | All machines are in the same domain (AOL_DEV). I have a
| | W2KAS running IIS having two web sites. port 80 points to
| | c:\inetpub\wwwroot and port 81 points to
| | \\192.168.8.1\fileshare\wwwroot\
| |
| | In both port 80 & 81, I have the following ASP page
| | statement
| | Welcomes <%=Request.ServerVariables("REMOTE_USER")%>
| | It works fine. I get "Welcomes AOL_DEV\dcs4585"
| |
| | I followed Microsoft's document
| | "http://msdn.microsoft.com/library/en-us/dnbda/html/authaspdotnet.asp"
| | to create a domain
| | account for .NET Process model in machine.config and
| | impersonation in WEB.config. I granted that account TCB
| | privilege. I used the local administration account for IIS
| | UNC Token to create the WEB site.
| |
| | In both port 80 and 81, I have the following ASP.NET
| | statements.
| |
| | Response.Write("You are : " +
| |     Context.User.Identity.Name.ToString() + "<BR>");
| | Response.Write("Page run as : " +
| |     System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() + "<BR>");
| | Response.Write("Root is : " +
| |     Request.PhysicalApplicationPath.ToString() + "<BR>");
| |
| | In Port 80, I get the following response:-
| | You are : AOL_DEV\dcs4585
| | Page run as : AOL_DEV\dcszcluster
| | Root is : c:\inetpub\wwwroot\
| |
| | Unluckily in Port 81, I get the following response:-
| | You are : DCSCS5\Administrator
| | Page run as : AOL_DEV\dcszcluster
| | Root is : \\192.168.8.1\fileshare\wwwroot\
| |
| | Questions?????
| | The whole purpose of impersonation is to keep the original
| | authenticated user's identity while executing in another
| | user's privileges. The response from port 80 (without UNC
| | file share) is correct but that from port 81 (with UNC
| | file share) is not. I believe it is a bug.
| |
| | Imagine you have 20 NLBs for load balancing. Is it better
| | to deploy the .NET application to one single UNC directory
| | rather than to deploy it to 20 local machines?
| |
| | Michael Leung
| |
| |
|
|
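
The distinction discussed in this thread, between the OS identity the code runs as and the principal attached to a thread, shown as a console program. This is an added example, not code from either poster; it assumes Windows (for WindowsIdentity), reuses the sample user name from the thread, and the role name "Reports" is constructed for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

static class PrincipalDemo
{
    // Report the principal attached to the calling thread, tolerating
    // a null principal or identity.
    static string Describe(string label)
    {
        IPrincipal p = Thread.CurrentPrincipal;
        bool hasIdentity = p != null && p.Identity != null;
        string name = hasIdentity ? p.Identity.Name : "(none)";
        bool authenticated = hasIdentity && p.Identity.IsAuthenticated;
        return string.Format("{0}: name='{1}' authenticated={2}",
                             label, name, authenticated);
    }

    static void Worker(object state)
    {
        // The application assigns the principal for this thread. In ASP.NET
        // the value would normally be taken from Context.User.
        var identity = new GenericIdentity((string)state, "Constructed");
        Thread.CurrentPrincipal =
            new GenericPrincipal(identity, new[] { "Reports" }); // constructed role

        Console.WriteLine(Describe("worker after set"));
        Console.WriteLine("IsInRole(Reports) = " +
                          Thread.CurrentPrincipal.IsInRole("Reports"));

        // The OS token is unchanged: assigning a principal is not impersonation.
        Console.WriteLine("worker runs as: " + WindowsIdentity.GetCurrent().Name);
    }

    static void Main()
    {
        Console.WriteLine("process runs as: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine(Describe("main before worker"));

        var t = new Thread(Worker);
        t.Start(@"AOL_DEV\dcs4585"); // sample name taken from the thread
        t.Join();

        // The assignment made inside the worker does not propagate back here.
        Console.WriteLine(Describe("main after worker"));
    }
}
```

Access checks against files and UNC shares use the identity printed by WindowsIdentity.GetCurrent(), while role checks such as IsInRole use the thread principal, so the two need to be logged separately when diagnosing a mismatch like the one reported for port 81.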