« Previous Next »

• 10-07-2008, 4:53 AM

  tokyoh Joined on 10-07-2008, 4:24 AM Posts 3

  ASP.NET, Integrated Windows Authentication and Anonymous Access. Reply Contact Hi, I want to allow anonymous access to an asp.net website but also authenticate the users because some authorization is done by the web application. I want the web app to run under network service account and access to the website root be restricted to the IIS_WPG only. I am confused because although impersonation is not enabled, the domain users are denied access unless added to the website root ACL. Surely, all requests should be using the network service account?? Thanks for any help. This is my current setup: Windows 2003 R2 SP2 ASP.NET 2.0 The website is using the default application pool running under Network service account. The IIS_WPG group has read and execute access on the website root. In web.config, I have set authentication mode="Windows" and impersonate = "false" IIS 6.0 Anonymous access enabled Integrated Windows Authentication enabled

• 10-07-2008, 8:35 AM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Central NJ Posts 6,078

  Re: ASP.NET, Integrated Windows Authentication and Anonymous Access. Reply Contact I'm confused ...  tokyoh: I want to allow anonymous access to an asp.net website but also authenticate the users What do you mean exactly? For anonymous access, IUSR must have NTFS permissions to the files and folders.  For authenticated access, the domain users must have those permissions. Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 10-07-2008, 9:02 PM

  In reply to

  tokyoh Joined on 10-07-2008, 4:24 AM Posts 3

  Re: ASP.NET, Integrated Windows Authentication and Anonymous Access. Reply Contact Right.... What I was trying to do was somehow separate the authentication and authorization, so I could identify the user but still control the authorization with a single identity. Clearly impossible, right? An identity is either a domain user or anon. But what about asp.net? With IWA enabled, I see this: System.Security.Principal.WindowsIdentity: NT AUTHORITY\NETWORK SERVICE HttpContext.Current.User: Domain\username Here, the request contains both the worker process id and current user id. How do these relate to the ACL on the website root? Which id is used for authorization? Sorry for these basic questions but I have to admit I just dont get it!

• 10-08-2008, 9:19 AM

  In reply to

  tomkmvp Joined on 03-20-2003, 10:27 AM Central NJ Posts 6,078

  Re: ASP.NET, Integrated Windows Authentication and Anonymous Access. Reply Contact This should explain it: http://msdn.microsoft.com/en-us/library/aa302377.aspx The following tables illustrate, for a range of IIS authentication settings, the resultant identity that is obtained from each of the variables that maintain an IPrincipal and/or IIdentity object. The following abbreviations are used in the table: HttpContext = HttpContext.Current.User, which returns an IPrincipal object that contains security information for the current Web request. This is the authenticated Web client. WindowsIdentity = WindowsIdentity.GetCurrent(), which returns the identity of the security context of the currently executing Win32 thread. Thread = Thread.CurrentPrincipal which returns the principal of the currently executing .NET thread which rides on top of the Win32 thread. Note   With IIS 6.0 running on Windows Server 2003, the identity Matrix works except that the Machine\ASPNET identity is replaced with NT Authority\Network Service. Table 1. IIS anonymous authentication Web.config Settings Variable Location Resultant Identity <identity impersonate="true"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread - MACHINE\IUSR_MACHINE - <identity impersonate="false"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread - MACHINE\ASPNET - <identity impersonate="true"/> <authentication mode="Forms" /> HttpContext WindowsIdentity Thread Name provided by user MACHINE\IUSR_MACHINE Name provided by user <identity impersonate="false"/> <authentication mode="Forms" /> HttpContext WindowsIdentity Thread Name provided by user MACHINE\ASPNET Name provided by user Table 2. IIS basic authentication Web.config Settings Variable Location Resultant Identity <identity impersonate="true"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread Domain\UserName Domain\UserName Domain\UserName <identity impersonate="false"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread Domain\UserName MACHINE\ASPNET Domain\UserName <identity impersonate="true"/> <authentication mode="Forms" /> HttpContext WindowsIdentity Thread Name provided by user Domain\UserName Name provided by user <identity impersonate="false"/> <authentication mode="Forms" /> HttpContext WindowsIdentity Thread Name provided by user MACHINE\ASPNET Name provided by user Table 3. IIS digest authentication Web.config Settings Variable Location Resultant Identity <identity impersonate="true"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread Domain\UserName Domain\UserName Domain\UserName <identity impersonate="false"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread Domain\UserName MACHINE\ASPNET Domain\UserName <identity impersonate="true"/> <authentication mode="Forms" /> HttpContext WindowsIdentity Thread Name provided by user Domain\UserName Name provided by user <identity impersonate="false"/> <authentication mode="Forms" /> HttpContext WindowsIdentity Thread Name provided by user MACHINE\ASPNET Name provided by user Table 4: IIS integrated Windows Web.config Settings Variable Location Resultant Identity <identity impersonate="true"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread Domain\UserName Domain\UserName Domain\UserName <identity impersonate="false"/> <authentication mode="Windows" /> HttpContext WindowsIdentity Thread Domain\UserName MACHINE\ASPNET Domain\UserName <identity impersonate="true"/> <authentication mode="Forms" /> HttpContext WindowsIdentity Thread Name provided by user Domain\UserName Name provided by user <identity impersonate="false"/> <authentication mode="Forms" /> HttpContext. WindowsIdentity Thread Name provided by user MACHINE\ASPNET Name provided by user Tom Kaminski IIS MVP http://mvp.support.microsoft.com/ http://blogs.iis.net/tomkmvp/ http://www.linkedin.com/pub/8/690/408 http://www.bluesrepublic.org/

• 10-09-2008, 10:42 PM

  In reply to

  tokyoh Joined on 10-07-2008, 4:24 AM Posts 3	Re: ASP.NET, Integrated Windows Authentication and Anonymous Access. Reply Contact Excellent, thank you very much. So, I assume the resultant identities of HttpContext, WindowsIdentity and Thread ALL need permission on the website folder.