Identity Flow Through Physical Tiers

Identity story with .Net  really rocks, but along with great extensibility it also brings a lots of confusion (One Identity – Many Faces :IIdentity).

I am building now workshop for developers that concentrates on authentication only. It talks about concepts, implementation, scenarios, and of course a bit of hacking exposed – entertaining part never hurts 🙂

I plan to allocate some time for .Net identity implementation, based on IIdentity, in conjunction with what Windows System provides.

My first scenario is simple one where user sits behind her machine A access simple ASPX page on box B that access file on share on box C, like this:

Everything is managed by Windows 2003 Active Directory Domain – Demo.lab

User name is DEMO\Administrator.

Web application runs under DEMO\W3WRUNNER1 service account, specified in application pool configuration.

Web site is set to use Window authentication in web.config and IIS is configured for Windows authentication.

What user runs the app’s security context?

Under what account the file on box C is accessed?

To answer the first question I echo back the following data (meaning there is no single answer for it)


lblHttpCoontextUser.Text = User.Identity.Name; 

lblWindowsThreadUser.Text = WindowsIdentity.GetCurrent().Name;

lblAuthType.Text = User.Identity.AuthenticationType;


And to answer the second question I use techniques described in File Access Auditing – I Am Not Afraid Of GPO and Who Access My File?



Comments (4)

  1. Anonymous says:

    There are scenarios where actual windows identity of end user needs to be flowed to the server so that

  2. Anonymous says:

    If these articles: How To: Implement Kerberos Delegation for Windows 2000 How To: Use Impersonation and

  3. Anonymous says:

    If these articles: How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 Using Protocol

  4. Anonymous says:

    Windows Authentication Identity Flow Through Physical Tiers Identity Flow Through Physical Tiers – Impersonation