Re: Configuration Differences

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/22/04 

Date: Mon, 22 Nov 2004 14:38:02 -0600

I don't see how that would make a difference unless the web sites are
running with partial trust. Do your web.config files use the securityPolicy
element in them?

Joe K.

"Matt" <Matt@discussions.microsoft.com> wrote in message
news:A7B2AE4D-16BC-4CDD-AEE9-A5D5ECB3C761@microsoft.com...
> Thanks for your response. I am still trying to isolate the exact lines
> responsible for this difference. However, copying one system's
> security.config to the other and restarting IIS seems to have addressed
> the
> problem I am having. I believe there was just a lower level difference in
> permissions granted to the Intrenet_Zone code group.
>
> Thanks again for your help.
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Are you certain the second site doesn't have Windows Integrated
>> Authentication enabled? The results you got indicate that someone was
>> authenticated by IIS (unless some special code ran that changed
>> Context.User
>> to a Windows account).
>>
>> When impersonation is enabled, ASP.NET will impersonate the account that
>> was
>> authenticated by IIS. If anonymous access was enabled, then the
>> anonymous
>> user account is impersonated. This is assuming that you haven't
>> specified
>> the user and password attributes in that tag.
>>
>> Joe K.
>>
>> "Matt" <Matt@discussions.microsoft.com> wrote in message
>> news:03FCAD6B-DA13-42AB-962D-2450554CCBBA@microsoft.com...
>> >I checked both sites. Both have Anon access enabled via IIS Mgr. Both
>> >sites
>> > are using a domain-level account and the web.config on both is set to
>> > impersonate. The behaviors on each are still different. Are there
>> > other
>> > things I can check? Also, when the impersonation is enabled in
>> > web.config,
>> > is it the user specified in the "Enable Anon Access" dialog that is
>> > impersonated? Are there other settings in the machine.config and
>> > security.config that may impact this?
>> >
>> > "Paul Glavich [MVP - ASP.NET]" wrote:
>> >
>> >> I think Joe is spot on. The only thing to add is that impersonation is
>> >> enabled in both web.config files as well.
>> >>
>> >> --
>> >> - Paul Glavich
>> >> Microsoft MVP - ASP.NET
>> >>
>> >>
>> >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
>> >> wrote
>> >> in message news:ur$6x8pzEHA.2568@TK2MSFTNGP10.phx.gbl...
>> >> > My guess is that anonymous access is enabled in IIS on server 1 and
>> >> > is
>> >> > not
>> >> > on server 2.
>> >> >
>> >> > Joe K.
>> >> >
>> >> > "Matt" <Matt@discussions.microsoft.com> wrote in message
>> >> > news:69AEF6B7-159E-4739-96E9-7E8A9F24C05A@microsoft.com...
>> >> > >I have two sites on separate servers configured. When I query a
>> >> > >page
>> >> that
>> >> > > returns information on security/user context, I get two different
>> >> replies.
>> >> > >
>> >> > > On Server 1:
>> >> > > HttpContext.Current.User.Identity
>> >> > > Name
>> >> > > IsAuthenticated False
>> >> > > AuthenticationType
>> >> > >
>> >> > > WindowsIdentity.GetCurrent()
>> >> > > Name MACHINENAME\IUSR_MACHINENAME1
>> >> > > IsAuthenticated True
>> >> > > AuthenticationType NTLM
>> >> > >
>> >> > > Thread.CurrentPrincipal.Identity
>> >> > > Name
>> >> > > IsAuthenticated False
>> >> > > AuthenticationType
>> >> > >
>> >> > >
>> >> > > On Server 2:
>> >> > > HttpContext.Current.User.Identity
>> >> > > Name DOMAIN\USER
>> >> > > IsAuthenticated True
>> >> > > AuthenticationType Negotiate
>> >> > >
>> >> > > WindowsIdentity.GetCurrent()
>> >> > > Name DOMAIN\USER
>> >> > > IsAuthenticated True
>> >> > > AuthenticationType NTLM
>> >> > >
>> >> > > Thread.CurrentPrincipal.Identity
>> >> > > Name DOMAIN\USER
>> >> > > IsAuthenticated True
>> >> > > AuthenticationType Negotiate
>> >> > >
>> >> > > --
>> >> > >
>> >> > > My question is what is the likely configuration that is created
>> >> > > these
>> >> > > differing scenarios. I have not been able to locate the entries
>> >> > > in
>> >> > > machine.config,web.config or system.config that would be causing
>> >> > > this
>> >> > > since
>> >> > > most of these files have the default configuration. Also, which
>> >> > > of
>> >> > > the
>> >> > > above
>> >> > > could I expect to see as a default configuration on a web in IIS?
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>

Relevant Pages

  • Re: Remote control of windows service with windows 2003 server
    ... Impersonation is more difficult in forms authentication. ... you are passing the username and password for a windows account. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: localhost vs. macinename in URL (access denied)
    ... Impersonation with Integrated Authentication will work if you are accessing ... a resource on the same machine. ... being delegated to allow delegation or change the computer account to allow ...
    (microsoft.public.dotnet.security)
  • Re: impersonating a user
    ... > authentication is what determines the context of the thread. ... > applications, IIS will read the HTTP, and when anonymous is selected IIS ... > Local System account (which is the default account for Services that are ... > impersonation and authentication very clearly. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Active Directory and asp.net....
    ... Actualy if you enable impersonation on forms authentication, ... impersonates IIS account. ... > LogonUser api to change the current user from the default asp account to ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Disable account in Active Directory from .NET using DirectoryEntry
    ... The account impersonated depends upon the authentication mechanism you are using ... As I previously mentioned, if impersonation is not enabled, then the ASPNET ...
    (microsoft.public.dotnet.framework.aspnet.security)