ASP.NET / IIS identity and impersonation for Java Developers

Questions on Windows and IIS around identity and impersonation come up quite a bit when talking with folks who don't work on Windows on a regular basis. The question most often asked is "I want to use Integrated Windows Authentication in IIS but I want a different account to be the execution context, how do I do that?". Related questions are: "How do I configure ASP.NET to run under user X?", "How do I control IIS so that requests have these security permissions?", or "Why does IIS need an administrator account?".

For sure these are smart folks asking these questions but they haven't had an opportunity to work in Windows with IIS and ASP.NET (i.e. they are Java developers:-)) but have a need to do some work on Windows and need quick answers. I can completely understand and I would be in the same boat if I needed to do the same with Java and Apache.

I humbly admit that I enjoy these conversations and the opportunity to show that it is not all bad in Windows and ASP.NET:-) So with that, here goes...

In IIS 6 and later, request execution identity is governed by these rules, which I grabbed from the ASP.NET Identity Matrix located here:

Each table lists the web.config settings and the resultant identity at each variable location: HttpContext (HttpContext.Current.User), WindowsIdentity (WindowsIdentity.GetCurrent()) and Thread (Thread.CurrentPrincipal). A "-" means no authenticated identity at that location.

Table 1. IIS anonymous authentication

Web.config settings                                                  HttpContext             WindowsIdentity         Thread
<identity impersonate="true"/>  <authentication mode="Windows" />    -                       MACHINE\IUSR_MACHINE    -
<identity impersonate="false"/> <authentication mode="Windows" />    -                       MACHINE\ASPNET          -
<identity impersonate="true"/>  <authentication mode="Forms" />      Name provided by user   MACHINE\IUSR_MACHINE    Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />      Name provided by user   MACHINE\ASPNET          Name provided by user

Table 2. IIS basic authentication

Web.config settings                                                  HttpContext             WindowsIdentity         Thread
<identity impersonate="true"/>  <authentication mode="Windows" />    Domain\UserName         Domain\UserName         Domain\UserName
<identity impersonate="false"/> <authentication mode="Windows" />    Domain\UserName         MACHINE\ASPNET          Domain\UserName
<identity impersonate="true"/>  <authentication mode="Forms" />      Name provided by user   Domain\UserName         Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />      Name provided by user   MACHINE\ASPNET          Name provided by user

Table 3. IIS digest authentication

Web.config settings                                                  HttpContext             WindowsIdentity         Thread
<identity impersonate="true"/>  <authentication mode="Windows" />    Domain\UserName         Domain\UserName         Domain\UserName
<identity impersonate="false"/> <authentication mode="Windows" />    Domain\UserName         MACHINE\ASPNET          Domain\UserName
<identity impersonate="true"/>  <authentication mode="Forms" />      Name provided by user   Domain\UserName         Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />      Name provided by user   MACHINE\ASPNET          Name provided by user

Table 4. IIS integrated Windows authentication

Web.config settings                                                  HttpContext             WindowsIdentity         Thread
<identity impersonate="true"/>  <authentication mode="Windows" />    Domain\UserName         Domain\UserName         Domain\UserName
<identity impersonate="false"/> <authentication mode="Windows" />    Domain\UserName         MACHINE\ASPNET          Domain\UserName
<identity impersonate="true"/>  <authentication mode="Forms" />      Name provided by user   Domain\UserName         Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />      Name provided by user   MACHINE\ASPNET          Name provided by user

Here is a key "note" at the above link:

Note: With IIS 6.0 running on Windows Server 2003, the identity matrix still holds, except that the MACHINE\ASPNET identity is replaced with NT AUTHORITY\NETWORK SERVICE.

To answer the first commonly asked question above ("I want to use Integrated Windows Authentication so that users don't have to enter a username and password, but I want a single execution identity when connecting to resources like a database"): configure IIS to use Integrated Windows Authentication, disable anonymous and basic authentication, and add this entry to your web.config:

<configuration>
  <system.web>
    .
    .
    <identity impersonate="false"/>
    <authentication mode="Windows" />
    .
    .
  </system.web>
</configuration>

With these settings the caller is still authenticated (HttpContext.User is Domain\UserName), but every request executes under the worker process account (WindowsIdentity.GetCurrent() is MACHINE\ASPNET, or NT AUTHORITY\NETWORK SERVICE on IIS 6), so that single account is what the database sees.

Restart the IIS worker process that your application runs in, then grant the worker process identity only the permissions the application needs on its resources. The worker process identity does not require local admin rights, but the user account should be a member of the local IIS_WPG group.
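To see the matrix rows for yourself, here is an added example (not from the original post) of a classic ASP.NET (.NET Framework) IHttpHandler that prints the three identities from the tables above and then impersonates the authenticated caller for a single scoped operation; the class name WhoAmIHandler and its registration path are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Assumed name. Register it under <system.webServer><handlers> (IIS 7+)
// or <system.web><httpHandlers> (IIS 6) and request it from a browser.
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // Column 1 of the matrix: who IIS authenticated. Domain\UserName
        // with Integrated Windows Authentication, empty when anonymous.
        context.Response.Write("HttpContext.User:            " +
            context.User.Identity.Name + "\n");

        // Column 2: the token the code actually runs under. With
        // <identity impersonate="false"/> this is the worker process account
        // (MACHINE\ASPNET, or NT AUTHORITY\NETWORK SERVICE on IIS 6),
        // no matter who the caller is. With impersonate="true" it becomes
        // the caller, i.e. Domain\UserName.
        context.Response.Write("WindowsIdentity.GetCurrent(): " +
            WindowsIdentity.GetCurrent().Name + "\n");

        // Column 3: ASP.NET sets Thread.CurrentPrincipal to the same
        // principal as HttpContext.User.
        context.Response.Write("Thread.CurrentPrincipal:     " +
            Thread.CurrentPrincipal.Identity.Name + "\n");

        // Scoped impersonation: run one operation as the caller without
        // turning on impersonation for the whole application.
        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller != null && caller.IsAuthenticated)
        {
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                // Inside this block WindowsIdentity.GetCurrent() is the caller.
                context.Response.Write("Inside Impersonate():         " +
                    WindowsIdentity.GetCurrent().Name + "\n");
            } // Dispose() calls Undo(): back on the worker process token.
        }
    }
}
```

Note that a token obtained from NTLM is an impersonation-level token that is valid on the local machine only; reaching a remote database as the caller additionally requires Kerberos delegation, which is one more reason the single worker-process identity the post recommends is the simpler design.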