Wednesday, 22 February 2012

What Identity does IIS return to an ASP.NET application

Windows Authentication results in the current User property of the application being set to a WindowsIdentity based on the credentials supplied by IIS.

IIS has a number of authentication mechanisms through which it derives this WindowsIdentity, e.g. Anonymous, Windows integrated (NTLM and Kerberos), Basic (clear text credentials), Digest (hash encoded) and client certificates.

So if Windows Integrated is the authentication mechanism set for the website in IIS, then the User property for the application will be set to the identity of the user making the request.

However, using Windows Authentication mode for your application does not modify the Windows identity of the application itself. This Windows identity, the one supplied by IIS to the web server's O/S, is used for permission checking, e.g. making sure the application has access to files and folders, or for connecting to a database.

By default, the Windows identity of an ASP.NET application is that of the ASP.NET process.

If your application runs on Win2000 or WinXP, the identity is that of the ASP.NET worker process (Aspnet_wp.exe), that is, the local ASPNET account.

If the app runs on Windows Server 2003, the identity is defined by that of the app pool for the Web application, which is, by default, the NETWORK_SERVICE account.

You can configure the Windows identity of your ASP.NET application to use the identity provided by IIS by enabling impersonation.

For example, if you enable impersonation for an ASP.NET application which uses Windows authentication, and IIS is configured to use Windows integrated authentication, then the identity of the application sent to the server's O/S will be that of the user who made the request.

Because the application is pooled in IIS 6 though, the identity of your application will not change between requests - it will remain as the identity of the user who first started the application!
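To check which identity is in effect on a given server, a small diagnostic handler can report the User property, the token IIS supplied and the identity the O/S actually sees, side by side. This is an added example, not code from the original post; the handler name `WhoAmIHandler` and the output labels are hypothetical, and it assumes ASP.NET 2.0 or later.

```csharp
// Relevant web.config settings, inside <system.web>:
//   <authentication mode="Windows" />
//   <identity impersonate="true" />   (set to false to compare results)
using System.Security.Principal;
using System.Web;

// Hypothetical diagnostic handler, wired up via an .ashx file.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The User property: set by ASP.NET from the credentials IIS supplied.
        IIdentity requestUser = context.User != null ? context.User.Identity : null;

        // The Windows token IIS passed to ASP.NET for this request
        // (the anonymous account's token under Anonymous authentication).
        // Owned by the request, so it is not disposed here.
        WindowsIdentity iisToken = context.Request.LogonUserIdentity;

        context.Response.ContentType = "text/plain";
        context.Response.Write("User property:  "
            + (requestUser != null && requestUser.IsAuthenticated
                ? requestUser.Name + " (" + requestUser.AuthenticationType + ")"
                : "(not authenticated)") + "\r\n");
        context.Response.Write("IIS token:      "
            + (iisToken != null ? iisToken.Name : "(none)") + "\r\n");

        // The identity the O/S checks for file, folder and database access:
        // the thread token when impersonating, otherwise the process token.
        using (WindowsIdentity osIdentity = WindowsIdentity.GetCurrent())
        {
            // A primary (process) token reports TokenImpersonationLevel.None.
            bool threadToken =
                osIdentity.ImpersonationLevel != TokenImpersonationLevel.None;
            bool sameAsCaller = iisToken != null && osIdentity.User != null
                && osIdentity.User.Equals(iisToken.User);

            context.Response.Write("O/S identity:   " + osIdentity.Name + "\r\n");
            context.Response.Write("Token level:    " + osIdentity.ImpersonationLevel
                + (threadToken ? " (impersonation token)" : " (process token)") + "\r\n");
            context.Response.Write("Runs as caller: " + sameAsCaller + "\r\n");
        }
    }
}
```

Requesting the handler as different users, with impersonation switched on and off, shows on each request which account the file system and database would see.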
