ASP.NET Anonymous Impersonation


  1. #1

    ASP.NET Anonymous Impersonation

    Hi,



    When you impersonate with anonymous security what is supposed to happen (IIS5
    platform). Is it the aspnet_wp.exe process runs under the identity of the
    anonymous user? When I look in the task manager the aspnet_wp.exe process
    always lists ASPNET as the User Name. Am I on the right track here? If so,
    is there a line of code I can use to display the new identity of the
    process? Any pointers to good articles would also be really appreciated.



    Sam








    sam Guest

  3. #2

    Re: ASP.NET Anonymous Impersonation

    Impersonation means that the currently executing thread will run as a
    different identity than the process identity. Thus, if you impersonate the
    anonymous user (I have no idea why you would do this, but you certainly
    can), the current thread will be that user, but the process is still running
    as the account the process was started with (what you see in task manager).
    You can see the current thread's identity by doing
    System.Security.Principal.WindowsIdentity.GetCurrent().Name.

    To make the aspnet_wp.exe run as a different process account, you must
    change the process model in the machine.config.

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest

  4. #3

    RE: ASP.NET Anonymous Impersonation

    Hi Sam,

    When we perform impersonation in ASP.NET, the process aspnet_wp.exe will
    still run under ASPNET. But the code to handle current request will be
    executed under the impersonation user. To check this user, you may check
    following value in the code:

    System.Security.Principal.WindowsIdentity.GetCurrent().Name

    For more information about asp.net impersonate, you may refer to this
    article:

    INFO: Implementing Impersonation in an ASP.NET Application
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q306158

    Luke

    [MSFT] Guest

  5. #4

    Re: ASP.NET Anonymous Impersonation

    Thanks Joe and Luke for your replies.

    Have I got this right:



    With anonymous access selected only:

    The aspnet_iisapi.exe process runs as IUSER_machine

    The thread runs under the ASPNET account. All resources are accessed with
    this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    With anonymous access and impersonation:

    The aspnet_iisapi.exe process runs as IUSER_machine

    The thread impersonates the aspnet_iisapi.exe process and runs as
    IUSER_machine. All resources are accessed with this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    With Integrated Windows Authentication selected only:

    The aspnet_iisapi.exe process runs as the windows user

    The thread runs under the ASPNET account. All resources are accessed with
    this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    With Integrated Windows Authentication and impersonation:

    The aspnet_iisapi.exe process runs as the windows user

    The thread impersonates the aspnet_iisapi.exe process and runs as the
    windows user. All resources are accessed with this thread.

    The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



    Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
    name.

    System.Security.Principal.WindowsIdentity.GetCurrent().Name - Returns the
    thread account name inside the aspnet_wp.exe process.



    If I have this right I will be very happy.

    Sam

    Thanks Joe and Luke for your replies.

    Is this correct:





    System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()

    Context.User.Identity.Name

    Response.Write("current thread's identity=" +
    System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() +
    "<BR>");




    sam Guest

  6. #5

    Re: ASP.NET Anonymous Impersonation

    Inline:

    "sam" <sxm@nospam.nospam> wrote in message
    news:eVbSdmahEHA.1276@TK2MSFTNGP09.phx.gbl...
    > Thanks Joe and Luke for your replies.
    >
    > Have I got this right:
    >
    >
    >
    > With anonymous access selected only:
    >
    > The aspnet_iisapi.exe process runs as IUSER_machine
    >
    I'm not even sure what process this is. Are you sure that is a process
    related to ASP.NET? aspnet_isapi.dll is an ISAPI filter which is loaded by
    IIS (inetinfo.exe) and dispatches requests for ASP.NET resources to the
    worker process. Is that what you meant?
    > The thread runs under the ASPNET account. All resources are accessed with
    > this thread.
    >
    Correct, each request (which runs as a separate thread) will not be
    impersonating, so the thread runs with the process identity (ASPNET). The
    things to remember are:
    - A process always has a token associated with a Windows account
    - A process has at least one thread that actually runs code (ASP.NET has a
    pool of them and runs each request on one of these)
    - A thread will execute code using the identity of the process by
    default, or using a different identity if it is impersonating another
    account
    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >
    Yes
    >
    >
    > With anonymous access and impersonation:
    >
    > The aspnet_iisapi.exe process runs as IUSER_machine
    >
    Again, not sure what this is.
    > The thread impersonates the aspnet_iisapi.exe process and runs as
    > IUSER_machine. All resources are accessed with this thread.
    >
    This isn't quite right, but the net effect is the same. Each request thread
    will impersonate the account of the logged on user which is the
    anonymous IUSER_machine account in this case. All resources will be
    accessed with this account.
    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >
    Yes
    >
    >
    > With Integrated Windows Authentication selected only:
    >
    > The aspnet_iisapi.exe process runs as the windows user
    >
    > The thread runs under the ASPNET account. All resources are accessed with
    > this thread.
    >
    Yes, basically the same as above with the slight terminology correction
    above.
    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >
    Yes
    >
    >
    > With Integrated Windows Authentication and impersonation:
    >
    > The aspnet_iisapi.exe process runs as the windows user
    >
    > The thread impersonates the aspnet_iisapi.exe process and runs as the
    > windows user. All resources are accessed with this thread.
    >
    Here, each request thread impersonates the logged on user as before. In
    this case, since anonymous is off in IIS, the account of the user who logged
    on (regardless of Basic, Digest, Integrated) will be impersonated by the
    thread and resources are accessed using this account.
    > The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
    >
    >
    Yes
    >
    > Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
    > name.
    >
    Context.User.Identity will be the identity of the user who logged on. This
    doesn't have to be a Windows account though. It can also be a FormsIdentity
    for forms authentication. The thing to remember is that this is related to
    the user who logged on to the website using an ASP.NET authentication
    mechanism.
    > System.Security.Principal.WindowsIdentity.GetCurrent().Name - Returns the
    > thread account name inside the aspnet_wp.exe process.
    >
    This is always the identity of the account that the current thread is
    running under in any .NET code. It could be the process token account or an
    impersonated account. In ASP.NET, this is directly related to the
    impersonation setting in web.config.

    These two will be the same WindowsIdentity IF IIS is configured for Windows
    (Basic/Digest/Integrated) and anonymous is disabled AND you have enabled
    impersonation in web.config.
    >
    >
    > If I have this right I will be very happy.
    >
    > Sam
    >
    >
    I hope this brings you happiness and no more confusion.

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest
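
Added example, not part of the thread and not any poster's code: a diagnostic handler that prints the three identities the reply above distinguishes (worker process account, request thread identity, and Context.User.Identity) so each IIS/web.config combination can be checked on a test server. The class name IdentityReportHandler is hypothetical, and the code assumes .NET Framework 2.0 or later for WindowsIdentity.GetCurrent(bool) and Request.IsLocal.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example; IdentityReportHandler is a hypothetical name.
public class IdentityReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Account names are an information leak, so answer only local requests.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 1. Identity the request thread is executing as right now.
        string threadName;
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            threadName = current.Name;
        }

        // 2. GetCurrent(true) returns null when the thread carries no
        //    impersonation token and simply runs with the process token.
        bool impersonating;
        using (WindowsIdentity token = WindowsIdentity.GetCurrent(true))
        {
            impersonating = token != null;
        }

        // 3. Worker process account: drop impersonation (RevertToSelf),
        //    read the identity, then restore the thread token.
        string processName;
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            using (WindowsIdentity process = WindowsIdentity.GetCurrent())
            {
                processName = process.Name;
            }
        }
        finally
        {
            reverted.Undo();
        }

        // 4. User authenticated by ASP.NET; may be a FormsIdentity or anonymous.
        IPrincipal user = context.User;
        string userName = (user != null && user.Identity.IsAuthenticated)
            ? user.Identity.Name + " (" + user.Identity.AuthenticationType + ")"
            : "(not authenticated)";

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";
        r.Write("Process account (aspnet_wp.exe): " + processName + "\r\n");
        r.Write("Request thread identity:         " + threadName + "\r\n");
        r.Write("Thread is impersonating:         " + impersonating + "\r\n");
        r.Write("Context.User.Identity:           " + userName + "\r\n");
    }
}
```

Step 3 also shows that code running inside the worker process can revert to the process account, so that account needs least-privilege permissions even when impersonation is enabled.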

  7. #6

    Re: ASP.NET Anonymous Impersonation

    Yes yes yes lots of happiness.
    And yes I did mean aspnet_isapi.dll not .exe.
    Thanks so much Joe.
    The MVP's are the gods of the newsgroups. They know all and see all.

    sam Guest
