Professional Web Applications Themes

ASP.NET worker process context and SQL authentication - ASP.NET General

I am trying to configure my ASP.NET application and have come across something unexpected. First, I understand that all ASP.NET applications running on a single server will utilize a single aspnet_wp.exe process. And that this process, by default, runs under the context of the ASPNET username. I would rather use a trusted connection to connect to SQL Server to avoid having to put a username and password in a config file. However, if I use a trusted connection, all of my databases will have to be configured to use ASPNET as the user. Is this true. In another post, I ...

  1. #1

    Default ASP.NET worker process context and SQL authentication

    I am trying to configure my ASP.NET application and have come across
    something unexpected.

    First, I understand that all ASP.NET applications running on a single server
    will utilize a single aspnet_wp.exe process. And that this process, by
    default, runs under the context of the ASPNET username.

    I would rather use a trusted connection to connect to SQL Server to avoid
    having to put a username and password in a config file. However, if I use a
    trusted connection, all of my databases will have to be configured to use
    ASPNET as the user. Is this true.

    In another post, I read that the aspnet_wp.exe process would impersonate the
    caller? Is this IIS or the ISAPI filter? Is this possible? If so, then it
    would be possible to use a trusted connection to SQL and that user would be
    the user that is configured to run the IIS application, correct?

    Thank you for your help,

    Dave


    Dave Guest

  2. #2

    Default Re: ASP.NET worker process context and SQL authentication

    Hi Dave,
     
    server 

    No this isn't entirely correct. In Windows 2000 the Application Isolation
    determines how many instances of the process are started. If you use the
    default of medium there is only a single instance. But if you use High then
    each virtual defined as such runs its own process and spans a new instance
    of the ASPNet client process.

    In Windows 2003 you can set up an Application pool which can be assigned to
    a virtual directory and each application pool runs in its own process.

    If you have a multi-homed Web server using integrated authentication is
    probably a bad idea because you can only have a single user that runs all
    these applications as configured in Machine.config's ProcessModel|Username
    setting. In Windows 2003 you have more control as you can assign a username
    and password for each application pool.

    To impersonate the calling user account you can use <identity
    impersonate="true"/> in web.config. This would be an anonymous user (IUSR_
    most likely) or the user that is authenticated if the page is protected by
    file/directory security. This may work well for an extranet internal app,
    but is probably a bad choice for public apps...

    Hope this helps,

    +++ Rick ---







    --

    Rick Strahl
    West Wind Technologies
    http://www.west-wind.com/
    http://www.west-wind.com/wwHelp
    ----------------------------------
    Making waves on the Web


    "Dave Mehrtens" <com> wrote in message
    news:phx.gbl... 
    server 

    the 
    it 
    be 


    Rick Guest

  3. #3

    Default Re: ASP.NET worker process context and SQL authentication

    Thanks for the reply. I got it working.

    I did not question about application isolation. I was more concerned with
    the account that was used to connect to SQL SErver from the aspnet_wp
    process. It kept connecting as ASPNET, and I wanted to control it more. I
    wanted it to impersonate the user of the IIS application, which is
    configurable per app.

    Thank You,

    Dave


    "MS News (MS ILM)" <com> wrote in message
    news:%phx.gbl... 
    > > server [/ref][/ref]
    by 
    > >
    > > No this isn't entirely correct. In Windows 2000 the Application[/ref][/ref]
    Isolation 
    > then [/ref]
    instance 
    > to [/ref]
    all [/ref]
    ProcessModel|Username 
    > username [/ref]
    (IUSR_ [/ref]
    by [/ref]
    app, 
    > > server [/ref][/ref]
    by [/ref]
    > avoid [/ref]
    > use [/ref]
    > use [/ref][/ref]
    impersonate [/ref]
    > then [/ref][/ref]
    would 
    > >
    > >[/ref]
    >
    >[/ref]


    Dave Guest

  4. #4

    Default Re: ASP.NET worker process context and SQL authentication

    The IIS virtual directory uses IUSR_AAA as the logon for anonymous access.

    In the web.config file for the asp.net application, I use <identity
    impersonate="true"/>. I DO NOT supply a username and password as part of
    this. This causes, I think, the aspnet_wp.exe process to impersonate the
    calling app which is IIS.

    Then I use a trusted connection to connect to the database, which uses the
    IIS logon info.

    Dave




    "MS News (MS ILM)" <com> wrote in message
    news:uIu0k$phx.gbl... [/ref]
    with 
    > I [/ref]
    > single [/ref][/ref]
    process, 
    > > Isolation [/ref]
    > the [/ref][/ref]
    High 
    > > instance [/ref]
    > assigned [/ref][/ref]
    process. [/ref]
    > is [/ref][/ref]
    runs 
    > > ProcessModel|Username 
    > > (IUSR_ [/ref]
    > protected 
    > > app, [/ref][/ref]
    across [/ref]
    > single [/ref][/ref]
    process, [/ref][/ref]
    to [/ref][/ref]
    if [/ref]
    > to 
    > > impersonate [/ref][/ref]
    so, 
    > > would 
    > >
    > >[/ref]
    >
    >[/ref]


    Dave Guest

  5. #5

    Default Re: ASP.NET worker process context and SQL authentication


    With Impersonation you get the calling user's security context. This is the
    way ASP worked prior to ASP.Net...

    So it's IUSR_ when not logged in or whatever accuont when you are via file
    permissions.

    +++ Rick ---

    --

    Rick Strahl
    West Wind Technologies
    http://www.west-wind.com/
    http://www.west-wind.com/wwHelp
    ----------------------------------
    Making waves on the Web


    "Dave Mehrtens" <com> wrote in message
    news:phx.gbl... [/ref]
    > with [/ref][/ref]
    more. 
    > > single [/ref]
    > process, [/ref][/ref]
    use [/ref]
    > High 
    > > assigned [/ref]
    > process. [/ref][/ref]
    authentication [/ref]
    > runs [/ref][/ref]
    user 
    > > protected [/ref][/ref]
    internal [/ref]
    > across 
    > > single [/ref]
    > process, [/ref]
    > to [/ref][/ref]
    However, [/ref][/ref]
    configured [/ref]
    > so, [/ref][/ref]
    user 
    > >
    > >[/ref]
    >
    >[/ref]


    Rick Guest

Similar Threads

  1. custom account for ASP.NET worker process
    By in forum ASP.NET Security
    Replies: 5
    Last Post: June 8th, 03:47 PM
  2. Worker Process Account for ASP.NET
    By Ajay Choudhary in forum ASP.NET Security
    Replies: 1
    Last Post: April 20th, 08:19 AM
  3. worker process aspnet_wp.exe identity
    By Calvin in forum ASP.NET Security
    Replies: 1
    Last Post: August 20th, 03:27 PM
  4. Worker Process Timeout Woes
    By beachnut in forum ASP.NET General
    Replies: 0
    Last Post: August 10th, 07:12 PM
  5. Two Worker Process running at once
    By Adam in forum ASP.NET General
    Replies: 5
    Last Post: July 29th, 07:00 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139