asp.net, basic authentication, file access

[jzink]

I have a asp.net application that is configured to
use "basic authentication". The application needs to have
access to delete a file in let's say directory
d:\inetpub\wwwroot\myApp\reports. Do I need to grant
access to the ASPNET account or to the accounts of the
users who will be accessing the site ?

I put the following line of code in
Thread.CurrentPrincipal.Identity.Name.ToString() and it
returns the id of the person logged in.



thanks for your help

[Andrea D'Onofrio [MSFT]]

If you have turned the impersonation on the .net code will run under the
identity of he users who will be accessing the site, else the .net code will
run under the ASPNET account (this is a default) identity.

HtH,
Andrea

--
This posting is provided "AS IS" with no warranties, and confers no rights.


"jzink" <zinks.home@verizon.net> wrote in message
news:065401c3d141$c293ee60$a501280a@phx.gbl...

> I have a asp.net application that is configured to
> use "basic authentication". The application needs to have
> access to delete a file in let's say directory
> d:\inetpub\wwwroot\myApp\reports. Do I need to grant
> access to the ASPNET account or to the accounts of the
> users who will be accessing the site ?
>
> I put the following line of code in
> Thread.CurrentPrincipal.Identity.Name.ToString() and it
> returns the id of the person logged in.
>
>
>
> thanks for your help

[JZink]

I don't believe I have impersonation turned on. Here is
my machine.config entries:
<identity impersonate="false" userName="" password=""/>

<processModel
enable="true"
timeout="Infinite"
idleTimeout="Infinite"
shutdownTimeout="0:00:05"
requestLimit="Infinite"
requestQueueLimit="5000"
restartQueueLimit="10"
memoryLimit="60"
webGarden="false"
cpuMask="0xffffffff"
userName="machine"
password="AutoGenerate"
logLevel="Errors"
clientConnectedCheck="0:00:05"
comAuthenticationLevel="Connect"
comImpersonationLevel="Impersonate"
responseDeadlockInterval="00:03:00"
maxWorkerThreads="20"
maxIoThreads="20"
/>

However, if I place this code in an aspx page:
Thread.CurrentPrincipal.Identity.Name.ToString()
I see the id of the person being authenticated.

>-----Original Message-----
>If you have turned the impersonation on the .net code

will run under the

>identity of he users who will be accessing the site, else

the .net code will

>run under the ASPNET account (this is a default) identity.
>
>HtH,
>Andrea
>
>--
>This posting is provided "AS IS" with no warranties, and

confers no rights.

>
>
>"jzink" <zinks.home@verizon.net> wrote in message
>news:065401c3d141$c293ee60$a501280a@phx.gbl...

>> I have a asp.net application that is configured to
>> use "basic authentication". The application needs to

have

>> access to delete a file in let's say directory
>> d:\inetpub\wwwroot\myApp\reports. Do I need to grant
>> access to the ASPNET account or to the accounts of the
>> users who will be accessing the site ?
>>
>> I put the following line of code in
>> Thread.CurrentPrincipal.Identity.Name.ToString() and it
>> returns the id of the person logged in.
>>
>>
>>
>> thanks for your help

>
>
>.
>

[Holly Mazerolle]

You will want to grant access to the ASPNET account for deleting the file.
If you want only the authenticated user to have the ability to delete the
file then you could simply set impersonation to true and set permissions
for that logged on user. If you do this and you are still having problems,
a good way to troubleshoot would be to use filemon while you repro any
errors. You can download it from [url]www.sysinternals.com[/url]. It will show you
what user is accessing what files and whether the access was successful or
not.

This posting is provided "AS IS" with no warranties, and confers no rights.

Holly

[jzink]

I do not have impersonation set to true, yet when I put
this code into my aspx page:
Response.Write (
Thread.CurrentPrincipal.Identity.Name.ToString() )
it will write out the name of the user who was
authenticated not ASPNET. What am I missing ???

>-----Original Message-----
>You will want to grant access to the ASPNET account for

deleting the file.

>If you want only the authenticated user to have the

ability to delete the

>file then you could simply set impersonation to true and

set permissions

>for that logged on user. If you do this and you are still

having problems,

>a good way to troubleshoot would be to use filemon while

you repro any

>errors. You can download it from [url]www.sysinternals.com[/url]. It

will show you

>what user is accessing what files and whether the access

was successful or

>not.
>
>This posting is provided "AS IS" with no warranties, and

confers no rights.

>
>Holly
>
>.
>

[Hernan de Lahitte]

If you want to see the identity of the worker process, that is, the account
that will be used to access your protected resource, you should use
System.Security.Principal.WindowsIdentity.GetCurre nt().Name.

This will return, in you case, the ASPNET account if you turn off
impersonation, or your logged on user account if you turn on impersonation.



--
Eng. Hernan de Lahitte - MSDE
Lagash Systems S.A. - Buenos Aires, Argentina
[url]http://www.lagash.com[/url]



"jzink" <zinks.home@verizon.net> wrote in message
news:096201c3d468$ab769af0$a601280a@phx.gbl...

> I do not have impersonation set to true, yet when I put
> this code into my aspx page:
> Response.Write (
> Thread.CurrentPrincipal.Identity.Name.ToString() )
> it will write out the name of the user who was
> authenticated not ASPNET. What am I missing ???
>

> >-----Original Message-----
> >You will want to grant access to the ASPNET account for

> deleting the file.

> >If you want only the authenticated user to have the

> ability to delete the

> >file then you could simply set impersonation to true and

> set permissions

> >for that logged on user. If you do this and you are still

> having problems,

> >a good way to troubleshoot would be to use filemon while

> you repro any

> >errors. You can download it from [url]www.sysinternals.com[/url]. It

> will show you

> >what user is accessing what files and whether the access

> was successful or

> >not.
> >
> >This posting is provided "AS IS" with no warranties, and

> confers no rights.

> >
> >Holly
> >
> >.
> >

[jzink]

I changed the aspx code to print out
System.Security.Principal.WindowsIdentity.GetCurre nt().Name
and now i see NT AUTHORITY\NETWORK SERVICE. shouldn't i
see aspnet ???

>-----Original Message-----
>If you want to see the identity of the worker process,

that is, the account

>that will be used to access your protected resource, you

should use

>System.Security.Principal.WindowsIdentity.GetCurr ent

().Name.

>
>This will return, in you case, the ASPNET account if you

turn off

>impersonation, or your logged on user account if you turn

on impersonation.

>
>
>
>--
>Eng. Hernan de Lahitte - MSDE
>Lagash Systems S.A. - Buenos Aires, Argentina
>[url]http://www.lagash.com[/url]
>
>
>
>"jzink" <zinks.home@verizon.net> wrote in message
>news:096201c3d468$ab769af0$a601280a@phx.gbl...

>> I do not have impersonation set to true, yet when I put
>> this code into my aspx page:
>> Response.Write (
>> Thread.CurrentPrincipal.Identity.Name.ToString() )
>> it will write out the name of the user who was
>> authenticated not ASPNET. What am I missing ???
>>

>> >-----Original Message-----
>> >You will want to grant access to the ASPNET account for

>> deleting the file.

>> >If you want only the authenticated user to have the

>> ability to delete the

>> >file then you could simply set impersonation to true

and

>> set permissions

>> >for that logged on user. If you do this and you are

still

>> having problems,

>> >a good way to troubleshoot would be to use filemon

while

>> you repro any

>> >errors. You can download it from [url]www.sysinternals.com[/url].

It

>> will show you

>> >what user is accessing what files and whether the

access

>> was successful or

>> >not.
>> >
>> >This posting is provided "AS IS" with no warranties,

and

>> confers no rights.

>> >
>> >Holly
>> >
>> >.
>> >

>
>
>.
>

[Hernan de Lahitte]

This is the default AppPoll Account for W2K3. This might be you case. The
ASPNET account is the default for an XP box or lower.

--
Eng. Hernan de Lahitte - MSDE
Lagash Systems S.A. - Buenos Aires, Argentina
[url]http://www.lagash.com[/url]



"jzink" <zinks.home@verizon.net> wrote in message
news:00ac01c3d48a$fe49a340$a601280a@phx.gbl...

> I changed the aspx code to print out
> System.Security.Principal.WindowsIdentity.GetCurre nt().Name
> and now i see NT AUTHORITY\NETWORK SERVICE. shouldn't i
> see aspnet ???
>

> >-----Original Message-----
> >If you want to see the identity of the worker process,

> that is, the account

> >that will be used to access your protected resource, you

> should use

> >System.Security.Principal.WindowsIdentity.GetCurr ent

> ().Name.

> >
> >This will return, in you case, the ASPNET account if you

> turn off

> >impersonation, or your logged on user account if you turn

> on impersonation.

> >
> >
> >
> >--
> >Eng. Hernan de Lahitte - MSDE
> >Lagash Systems S.A. - Buenos Aires, Argentina
> >[url]http://www.lagash.com[/url]
> >
> >
> >
> >"jzink" <zinks.home@verizon.net> wrote in message
> >news:096201c3d468$ab769af0$a601280a@phx.gbl...

> >> I do not have impersonation set to true, yet when I put
> >> this code into my aspx page:
> >> Response.Write (
> >> Thread.CurrentPrincipal.Identity.Name.ToString() )
> >> it will write out the name of the user who was
> >> authenticated not ASPNET. What am I missing ???
> >>
> >> >-----Original Message-----
> >> >You will want to grant access to the ASPNET account for
> >> deleting the file.
> >> >If you want only the authenticated user to have the
> >> ability to delete the
> >> >file then you could simply set impersonation to true

> and

> >> set permissions
> >> >for that logged on user. If you do this and you are

> still

> >> having problems,
> >> >a good way to troubleshoot would be to use filemon

> while

> >> you repro any
> >> >errors. You can download it from [url]www.sysinternals.com[/url].

> It

> >> will show you
> >> >what user is accessing what files and whether the

> access

> >> was successful or
> >> >not.
> >> >
> >> >This posting is provided "AS IS" with no warranties,

> and

> >> confers no rights.
> >> >
> >> >Holly
> >> >
> >> >.
> >> >

> >
> >
> >.
> >

[jzink]

what do you mean by appPoll account and how come I don't
see nt authority\network service as a user in computer
management\users ??

>-----Original Message-----
>This is the default AppPoll Account for W2K3. This might

be you case. The

>ASPNET account is the default for an XP box or lower.
>
>--
>Eng. Hernan de Lahitte - MSDE
>Lagash Systems S.A. - Buenos Aires, Argentina
>[url]http://www.lagash.com[/url]
>
>
>
>"jzink" <zinks.home@verizon.net> wrote in message
>news:00ac01c3d48a$fe49a340$a601280a@phx.gbl...

>> I changed the aspx code to print out
>> System.Security.Principal.WindowsIdentity.GetCurre nt

().Name

>> and now i see NT AUTHORITY\NETWORK SERVICE. shouldn't i
>> see aspnet ???
>>

>> >-----Original Message-----
>> >If you want to see the identity of the worker process,

>> that is, the account

>> >that will be used to access your protected resource,

you

>> should use

>> >System.Security.Principal.WindowsIdentity.GetCurr ent

>> ().Name.

>> >
>> >This will return, in you case, the ASPNET account if

you

>> turn off

>> >impersonation, or your logged on user account if you

turn

>> on impersonation.

>> >
>> >
>> >
>> >--
>> >Eng. Hernan de Lahitte - MSDE
>> >Lagash Systems S.A. - Buenos Aires, Argentina
>> >[url]http://www.lagash.com[/url]
>> >
>> >
>> >
>> >"jzink" <zinks.home@verizon.net> wrote in message
>> >news:096201c3d468$ab769af0$a601280a@phx.gbl...
>> >> I do not have impersonation set to true, yet when I

put

>> >> this code into my aspx page:
>> >> Response.Write (
>> >> Thread.CurrentPrincipal.Identity.Name.ToString() )
>> >> it will write out the name of the user who was
>> >> authenticated not ASPNET. What am I missing ???
>> >>
>> >> >-----Original Message-----
>> >> >You will want to grant access to the ASPNET account

for

>> >> deleting the file.
>> >> >If you want only the authenticated user to have the
>> >> ability to delete the
>> >> >file then you could simply set impersonation to true

>> and

>> >> set permissions
>> >> >for that logged on user. If you do this and you are

>> still

>> >> having problems,
>> >> >a good way to troubleshoot would be to use filemon

>> while

>> >> you repro any
>> >> >errors. You can download it from

[url]www.sysinternals.com[/url].

>> It

>> >> will show you
>> >> >what user is accessing what files and whether the

>> access

>> >> was successful or
>> >> >not.
>> >> >
>> >> >This posting is provided "AS IS" with no warranties,

>> and

>> >> confers no rights.
>> >> >
>> >> >Holly
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >

>
>
>.
>

[Hernan de Lahitte]

With AppPool, I refer to the Application Pool that has Windows 2003. To
check this, go to the IIS Management Console snap-in and in the Application
Pools folder, right click the DefaultAppPool node (This is the default
Application Pool for all Web Sites). In the Properties/Identity tab option,
you will see you selected Application Pool Identity.This should be the
Network Service or in the canonical format, "NT AUTHORITY\NETWORK SERVICE".
As you ponted out, you won't see this account with the Users manager. This
is a predefined system account, like the System (TCB) account. The Network
Service account is a low priviledge account so if you change this account in
the AppPool Identity option for another with more priviledges, be carefull
with a possible "Elevation of Priviledge Threat".

--
Eng. Hernan de Lahitte - MSDE
Lagash Systems S.A. - Buenos Aires, Argentina
[url]http://www.lagash.com[/url]



"jzink" <zinks.home@verizon.net> wrote in message
news:076701c3d4cb$1e7e7740$a101280a@phx.gbl...

> what do you mean by appPoll account and how come I don't
> see nt authority\network service as a user in computer
> management\users ??
>

> >-----Original Message-----
> >This is the default AppPoll Account for W2K3. This might

> be you case. The

> >ASPNET account is the default for an XP box or lower.
> >
> >--
> >Eng. Hernan de Lahitte - MSDE
> >Lagash Systems S.A. - Buenos Aires, Argentina
> >[url]http://www.lagash.com[/url]
> >
> >
> >
> >"jzink" <zinks.home@verizon.net> wrote in message
> >news:00ac01c3d48a$fe49a340$a601280a@phx.gbl...

> >> I changed the aspx code to print out
> >> System.Security.Principal.WindowsIdentity.GetCurre nt

> ().Name

> >> and now i see NT AUTHORITY\NETWORK SERVICE. shouldn't i
> >> see aspnet ???
> >>
> >> >-----Original Message-----
> >> >If you want to see the identity of the worker process,
> >> that is, the account
> >> >that will be used to access your protected resource,

> you

> >> should use
> >> >System.Security.Principal.WindowsIdentity.GetCurr ent
> >> ().Name.
> >> >
> >> >This will return, in you case, the ASPNET account if

> you

> >> turn off
> >> >impersonation, or your logged on user account if you

> turn

> >> on impersonation.
> >> >
> >> >
> >> >
> >> >--
> >> >Eng. Hernan de Lahitte - MSDE
> >> >Lagash Systems S.A. - Buenos Aires, Argentina
> >> >[url]http://www.lagash.com[/url]
> >> >
> >> >
> >> >
> >> >"jzink" <zinks.home@verizon.net> wrote in message
> >> >news:096201c3d468$ab769af0$a601280a@phx.gbl...
> >> >> I do not have impersonation set to true, yet when I

> put

> >> >> this code into my aspx page:
> >> >> Response.Write (
> >> >> Thread.CurrentPrincipal.Identity.Name.ToString() )
> >> >> it will write out the name of the user who was
> >> >> authenticated not ASPNET. What am I missing ???
> >> >>
> >> >> >-----Original Message-----
> >> >> >You will want to grant access to the ASPNET account

> for

> >> >> deleting the file.
> >> >> >If you want only the authenticated user to have the
> >> >> ability to delete the
> >> >> >file then you could simply set impersonation to true
> >> and
> >> >> set permissions
> >> >> >for that logged on user. If you do this and you are
> >> still
> >> >> having problems,
> >> >> >a good way to troubleshoot would be to use filemon
> >> while
> >> >> you repro any
> >> >> >errors. You can download it from

> [url]www.sysinternals.com[/url].

> >> It
> >> >> will show you
> >> >> >what user is accessing what files and whether the
> >> access
> >> >> was successful or
> >> >> >not.
> >> >> >
> >> >> >This posting is provided "AS IS" with no warranties,
> >> and
> >> >> confers no rights.
> >> >> >
> >> >> >Holly
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >

> >
> >
> >.
> >

[Holly Mazerolle]

So in your case since you are on Win2003 and you are not using
impersonation the NT Authority\Network Service account will be who is
accessing the location you are attempting to delete files from. As I
mentioned before you may want to consider impersonation so that you only
give permission to a specific domain account.

This posting is provided "AS IS" with no warranties, and confers no rights.

Holly