impersonation or auditing issue ???

From: Jayant Sane (JayantSane_at_discussions.microsoft.com)
Date: 12/27/04


Date: Mon, 27 Dec 2004 12:51:02 -0800

Hi,

I have a simple/test ASP.NET web app. On clicking a button on the page, it
does the following:
   access a specific file in some folder (there is no impersonation being
done here).

The security on the above folder/file is configured such that only some
users are allowed access to it. The virtual directory hosting the
application in IIS is configured to use Windows Integrated Authentication
only (anonymous access is unchecked). The user to be used for anonymous
access is set to 'UserA'. The identity in the application pool to which this
app belongs is set to 'UserB'.

When I access the application with a user (say UserC) who is disallowed
access to the file and then press the button on the application's page to
actually access the file, I do get an error saying "access is denied ..."
which is what is expected here (fine).

However the security audit log shows that "UserC failed to access the file"
when I would have expected it to be either 'UserB' or 'UserA'. Note that I am
not doing impersonation while accessing the file.

Can someone tell me what I am missing here:
- Does Windows Integrated Authentication also do impersonation under the
covers? OR
- Is it the audit system that is getting confused about the identity that is
trying to access the file?

thx
Jay

