Re: IIS and ASP.NET authentication
From: KDV (KDV_at_discussions.microsoft.com)
Date: 06/01/05
Date: Wed, 1 Jun 2005 07:01:03 -0700
It is a good discussion. Let me explain a simple scenario of what I did.
I am doing no authentication in ASP.NET, so I set
<authentication mode="None">
</authentication>
in the config file.
In IIS I set anonymous, using an account test/test. There I intentionally
set the wrong password. I tried to access an aspx file as follows:
http://localhost/WebApplication2/WebForm1.aspx
Because the password is wrong, IIS refuses this request. I understand all
combinations of IIS and ASP.NET authentication except anonymous, which I could
not find clearly explained anywhere. Do you think that IIS passes a
token to ASP.NET if anonymous is enabled? I think we have had a long
discussion but still my mind is not very clear. Or can I understand it this way:
if anonymous is enabled then IIS just does its own authentication but
does not pass any token to ASP.NET?
Looks like I have to do more research.
Thanks for your help
"Dominick Baier [DevelopMentor]" wrote:
> Hello KDV,
>
> ok -
>
> the anonymous account is used to access static files like gif or jpg...
> it is possible that IIS generally refuses requests if the anon account is
> wrong (haven't tried that)
>
> if you access an asp.net file (aspx, asmx...) - IIS passes this request on
> to the ASP.NET runtime.
>
> The asp.net worker process runs under a configured identity (<processModel>
> element under IIS5/5.1 or app pool configuration under IIS6). This account
> is used to access and process the files. you can access that account programmatically
> using WindowsIdentity.GetCurrent() in an aspx file.
>
> if you have configured auth in IIS - IIS will pass the resulting token to
> ASP.NET which you can access via Page.User (Thread.CurrentPrincipal) - if
> anon is selected this will be empty.
>
> does that clear it up?
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Thanks for the reply. But my confusion was that IIS anonymous setting
> > still uses an account to access the resources. This means while
> > accessing resources IIS uses either its built in account or the
> > account which is set in console window. That means account still
> > exists in Windows. For example, if I set any user name whose account
> > does not exist in Windows IIS will refuse the request. That means it
> > is doing authentication. If anyone is allowed to access the resource
> > under anonymous setting then all requests should pass no matter which
> > account I used. I still do not understand if IIS passes any
> > authenticated/authorized token to ASP.NET in anonymous. If I blindly
> > accept that under anonymous setting there is no authentication then I
> > can give up
> >
> > Can you clear it?
> >
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> Hello KDV,
> >>
> >> when you use IIS authentication - your users are always based on windows
> >> accounts - that's why you end up with a WindowsPrincipal/WindowsIdentity
> >> in ASP.NET
> >> when you choose anonymous - you won't get that information. This scenario
> >> is designed to do your own authentication, e.g. via ASP.NET Forms Authentication
> >> the anonymous account is only used if you access non ASP.NET
> >> resources like jpg or gif.
> >>
> >> The ASP.NET app will always run under the worker process identity.
> >>
> >> HTH
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> I was playing around with IIS and ASP.NET authentication. I
> >>> understood Basic, Digest and Integrated Windows authentication
> >>> provided by IIS. When I use either of these mode and use Windows
> >>> authentication in ASP.NET then ASP.NET automatically constructs
> >>> Windows principal which is available in any ASP.NET page. My
> >>> question is that when IIS is set to anonymous and account is defined
> >>> (rather than IIS control the password) why ASP.NET does not
> >>> construct Windows principal. After all each request coming to IIS is
> >>> authenticated automatically using the account defined. My
> >>> understanding is that there is no difference between anonymous and
> >>> other type of authentication except that in anonymous every request
> >>> uses IUSER_machine account or the account set explicitly in inetmgr
> >>> console. eg if I use username as test and password as test (test
> >>> account is created) in anonymous setting then ASP.NET should
> >>> construct windows principal using test account. Where I am
> >>> misunderstanding ? Can anyone clear it out ?
> >>>
> >>> Thanks in advance
> >>>
>
>
>
>
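The distinction discussed in this thread, as an added example that is not part of the original messages or written by their participants: a code-behind page that shows the identity the code executes under next to the caller identity IIS handed to ASP.NET. The class name WhoAmI and the helper names are hypothetical; the comments describe what to expect with IIS set to anonymous access only.

```csharp
// Added example, not code from the thread. WhoAmI, CallerIsKnown and Line
// are hypothetical names chosen for this illustration.
using System;
using System.Security.Principal;
using System.Web.UI;

public class WhoAmI : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // 1. The account the code is executing under: the worker process
        //    identity (<processModel> on IIS 5/5.1, app pool on IIS 6).
        //    It says nothing about who sent the request.
        WindowsIdentity executing = WindowsIdentity.GetCurrent();
        Line("Executing as", executing.Name);

        // 2. The caller as ASP.NET sees it (Page.User). With Basic, Digest or
        //    Integrated auth in IIS and mode="Windows" this is a Windows
        //    account; with anonymous access the name is empty and
        //    IsAuthenticated is false.
        IIdentity caller = User.Identity;
        Line("Page.User name", caller.Name);
        Line("Page.User identity type", caller.GetType().Name);
        Line("IsAuthenticated", caller.IsAuthenticated.ToString());

        // 3. What IIS reports about its own authentication step.
        //    Both are empty when the request came in anonymously.
        Line("AUTH_TYPE", Request.ServerVariables["AUTH_TYPE"]);
        Line("LOGON_USER", Request.ServerVariables["LOGON_USER"]);

        Line("Caller known", CallerIsKnown().ToString());
    }

    // Authorization decisions belong on the caller identity, never on the
    // executing (process) identity, which is the same for every request.
    private bool CallerIsKnown()
    {
        return User != null && User.Identity.IsAuthenticated;
    }

    // Account names are encoded before being written into the response.
    private void Line(string label, string value)
    {
        Response.Write(Server.HtmlEncode(label + ": " + value) + "<br/>");
    }
}
```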