Re: ASP.NET Anonymous Impersonation
From: sam (sxm_at_nospam.nospam)
Date: 08/19/04
Date: Thu, 19 Aug 2004 19:21:22 +1000
Yes yes yes lots of happiness.
And yes I did mean aspnet_isapi.dll not .exe.
Thanks so much Joe.
The MVPs are the gods of the newsgroups. They know all and see all.
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:%23cR$qHbhEHA.3536@TK2MSFTNGP12.phx.gbl...
> Inline:
>
> "sam" <sxm@nospam.nospam> wrote in message
> news:eVbSdmahEHA.1276@TK2MSFTNGP09.phx.gbl...
> > Thanks Joe and Luke for your replies.
> >
> > Have I got this right:
> >
> >
> >
> > With anonymous access selected only:
> >
> > The aspnet_iisapi.exe process runs as IUSER_machine
> >
>
> I'm not even sure what process this is. Are you sure that is a process
> related to ASP.NET? aspnet_isapi.dll is an ISAPI filter which is loaded by
> IIS (inetinfo.exe) and dispatches requests for ASP.NET resources to the
> worker process. Is that what you meant?
>
> > The thread runs under the ASPNET account. All resources are accessed with
> > this thread.
> >
> Correct, each request (which runs as a separate thread) will not be
> impersonating, so the thread runs with the process identity (ASPNET). The
> things to remember are:
> - A process always has a token associated with a Windows account
> - A process has at least one thread that actually runs code (ASP.NET has a
> pool of them and runs each request on one of these)
> - A thread will execute code using the identity of the process by
> default, or using a different identity if it is impersonating another
> account
>
> > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
> >
> Yes
> >
> >
> > With anonymous access and impersonation:
> >
> > The aspnet_iisapi.exe process runs as IUSER_machine
> >
>
> Again, not sure what this is.
>
> > The thread impersonates the aspnet_iisapi.exe process and runs as
> > IUSER_machine. All resources are accessed with this thread.
> >
>
> This isn't quite right, but the net effect is the same. Each request thread
> will impersonate the account of the logged on user which is the
> anonymous IUSER_machine account in this case. All resources will be
> accessed with this account.
>
> > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
> >
>
> Yes
>
> >
> >
> > With Integrated Windows Authentication selected only:
> >
> > The aspnet_iisapi.exe process runs as the windows user
> >
> > The thread runs under the ASPNET account. All resources are accessed with
> > this thread.
> >
>
> Yes, basically the same as above with the slight terminology correction
> above.
>
> > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
> >
>
> Yes
>
> >
> >
> > With Integrated Windows Authentication and impersonation:
> >
> > The aspnet_iisapi.exe process runs as the windows user
> >
> > The thread impersonates the aspnet_iisapi.exe process and runs as the
> > windows user. All resources are accessed with this thread.
> >
>
> Here, each request thread impersonates the logged on user as before. In
> this case, since anonymous is off in IIS, the account of the user who logged
> on (regardless of Basic, Digest, Integrated) will be impersonated by the
> thread and resources are accessed using this account.
>
> > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
> >
> >
> Yes
> >
> > Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
> > name.
> >
>
> Context.User.Identity will be the identity of the user who logged on. This
> doesn't have to be a Windows account though. It can also be a FormsIdentity
> for forms authentication. The thing to remember is that this is related to
> the user who logged on to the website using an ASP.NET authentication
> mechanism.
>
> > System.Security.Principal.WindowsIdentity.GetCurrent().Name - Returns the
> > thread account name inside the aspnet_wp.exe process.
> >
>
> This is always the identity of the account that the current thread is
> running under in any .NET code. It could be the process token account or an
> impersonated account. In ASP.NET, this is directly related to the
> impersonation setting in web.config.
>
> These two will be the same WindowsIdentity IF IIS is configured for Windows
> (Basic/Digest/Integrated) and anonymous is disabled AND you have enabled
> impersonation in web.config.
>
> >
> >
> > If I have this right I will be very happy.
> >
> > Sam
> >
> >
> I hope this brings you happiness and no more confusion.
>
> Joe K.
> > "[MSFT]" <lukezhan@online.microsoft.com> wrote in message
> > news:R6OeTbZhEHA.3024@cpmsftngxa10.phx.gbl...
> > > Hi Sam,
> > >
> > > When we perform impersonate in ASP.NET, the process aspnet_wp.exe will
> > > still run under ASPNET. But the code to handle current request will be
> > > executed under the impersonation user. To check this user, you may check
> > > following value in the code:
> > >
> > > System.Security.Principal.WindowsIdentity.GetCurrent().Name
> > >
> > > For more information about asp.net impersonate, you may refer to this
> > > article:
> > >
> > > INFO: Implementing Impersonation in an ASP.NET Application
> > > http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158
> > >
> > > Luke
> > >
> >
> >
> > Thanks Joe and Luke for your replies.
> >
> > Is this correct:
> >
> >
> >
> >
> >
> > System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()
> >
> > Context.User.Identity.Name
> >
> > Response.Write("current thread's identity=" +
> > System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() +
> > "<BR>");
> >
> >
> >
> >
>
>
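
The identities discussed in this thread (logged-on user, request thread, worker process) can be read side by side on a running site under each IIS and web.config combination. The handler below is an added example, not code from any poster in the thread; it assumes .NET Framework 2.0 or later, and the class name `IdentityProbe` is hypothetical.

```csharp
// Added example: reports the three identities discussed in the thread.
// IdentityProbe is a hypothetical name; assumes .NET Framework 2.0+ (System.Web).
using System;
using System.Security.Principal;
using System.Web;

public class IdentityProbe : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Account names are sensitive configuration detail: answer local requests only.
        if (!context.Request.IsLocal) { context.Response.StatusCode = 404; return; }

        // 1. Who logged on to the site. May be a FormsIdentity rather than a
        //    Windows account; not authenticated means the request is anonymous.
        IIdentity user = context.User != null ? context.User.Identity : null;
        string userName = (user != null && user.IsAuthenticated) ? user.Name : "(anonymous)";

        // 2. The account the request thread is executing as right now.
        string threadName;
        using (WindowsIdentity t = WindowsIdentity.GetCurrent()) { threadName = t.Name; }

        // GetCurrent(true) returns null unless the thread holds an impersonation
        // token, i.e. unless <identity impersonate="true"/> (or code) is in effect.
        bool impersonating;
        using (WindowsIdentity i = WindowsIdentity.GetCurrent(true)) { impersonating = i != null; }

        // 3. The worker process account: revert to the process token, read it,
        //    then restore whatever the thread was impersonating.
        string processName;
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try { using (WindowsIdentity p = WindowsIdentity.GetCurrent()) { processName = p.Name; } }
        finally { reverted.Undo(); }

        context.Response.ContentType = "text/plain";
        context.Response.Write("Context.User.Identity.Name : " + userName + "\r\n");
        context.Response.Write("Thread identity            : " + threadName + "\r\n");
        context.Response.Write("Thread is impersonating    : " + impersonating + "\r\n");
        context.Response.Write("Process identity           : " + processName + "\r\n");
    }
}
```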