Security

Re: ASP.NET, Integrated Windows Authentication and Anonymous Access.

tokyoh — Fri, 10 Oct 2008 02:42:55 GMT

Excellent, thank you very much.

So, I assume the resultant identities of HttpContext, WindowsIdentity and Thread ALL need permission on the website folder.

Re: ASP.NET, Integrated Windows Authentication and Anonymous Access.

tomkmvp — Wed, 08 Oct 2008 13:19:19 GMT

This should explain it:
http://msdn.microsoft.com/en-us/library/aa302377.aspx

The following tables illustrate, for a range of IIS authentication settings, the resultant identity that is obtained from each of the variables that maintain an IPrincipal and/or IIdentity object. The following abbreviations are used in the table:

HttpContext = HttpContext.Current.User, which returns an IPrincipal object that contains security information for the current Web request. This is the authenticated Web client.
WindowsIdentity = WindowsIdentity.GetCurrent(), which returns the identity of the security context of the currently executing Win32 thread.
Thread = Thread.CurrentPrincipal which returns the principal of the currently executing .NET thread which rides on top of the Win32 thread.

Note With IIS 6.0 running on Windows Server 2003, the identity Matrix works except that the Machine\ASPNET identity is replaced with NT Authority\Network Service.

Table 1. IIS anonymous authentication

Web.config Settings	Variable Location	Resultant Identity
<identity impersonate="true"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	- MACHINE\IUSR_MACHINE -
<identity impersonate="false"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	- MACHINE\ASPNET -
<identity impersonate="true"/> <authentication mode="Forms" />	HttpContext WindowsIdentity Thread	Name provided by user MACHINE\IUSR_MACHINE Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />	HttpContext WindowsIdentity Thread	Name provided by user MACHINE\ASPNET Name provided by user

Table 2. IIS basic authentication

Web.config Settings	Variable Location	Resultant Identity
<identity impersonate="true"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	Domain\UserName Domain\UserName Domain\UserName
<identity impersonate="false"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	Domain\UserName MACHINE\ASPNET Domain\UserName
<identity impersonate="true"/> <authentication mode="Forms" />	HttpContext WindowsIdentity Thread	Name provided by user Domain\UserName Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />	HttpContext WindowsIdentity Thread	Name provided by user MACHINE\ASPNET Name provided by user

Table 3. IIS digest authentication

Web.config Settings	Variable Location	Resultant Identity
<identity impersonate="true"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	Domain\UserName Domain\UserName Domain\UserName
<identity impersonate="false"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	Domain\UserName MACHINE\ASPNET Domain\UserName
<identity impersonate="true"/> <authentication mode="Forms" />	HttpContext WindowsIdentity Thread	Name provided by user Domain\UserName Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />	HttpContext WindowsIdentity Thread	Name provided by user MACHINE\ASPNET Name provided by user

Table 4: IIS integrated Windows

Web.config Settings	Variable Location	Resultant Identity
<identity impersonate="true"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	Domain\UserName Domain\UserName Domain\UserName
<identity impersonate="false"/> <authentication mode="Windows" />	HttpContext WindowsIdentity Thread	Domain\UserName MACHINE\ASPNET Domain\UserName
<identity impersonate="true"/> <authentication mode="Forms" />	HttpContext WindowsIdentity Thread	Name provided by user Domain\UserName Name provided by user
<identity impersonate="false"/> <authentication mode="Forms" />	HttpContext. WindowsIdentity Thread	Name provided by user MACHINE\ASPNET Name provided by user

Re: ASP.NET, Integrated Windows Authentication and Anonymous Access.

tokyoh — Wed, 08 Oct 2008 01:02:05 GMT

Right....

What I was trying to do was somehow separate the authentication and authorization, so I could identify the user but still control the authorization with a single identity.
Clearly impossible, right? An identity is either a domain user or anon.

But what about asp.net? With IWA enabled, I see this:

System.Security.Principal.WindowsIdentity: NT AUTHORITY\NETWORK SERVICE
HttpContext.Current.User: Domain\username

Here, the request contains both the worker process id and current user id. How do these relate to the ACL on the website root? Which id is used for authorization?
Sorry for these basic questions but I have to admit I just dont get it!

Re: ASP.NET, Integrated Windows Authentication and Anonymous Access.

tomkmvp — Tue, 07 Oct 2008 12:35:02 GMT

I'm confused ...

tokyoh:
I want to allow anonymous access to an asp.net website but also authenticate the users

What do you mean exactly? For anonymous access, IUSR must have NTFS permissions to the files and folders. For authenticated access, the domain users must have those permissions.

ASP.NET, Integrated Windows Authentication and Anonymous Access.

tokyoh — Tue, 07 Oct 2008 08:53:37 GMT

Hi,
I want to allow anonymous access to an asp.net website but also authenticate the users because some authorization is done by the web application. I want the web app to run under network service account and access to the website root be restricted to the IIS_WPG only.
I am confused because although impersonation is not enabled, the domain users are denied access unless added to the website root ACL. Surely, all requests should be using the network service account??

Thanks for any help.

This is my current setup:

Windows 2003 R2 SP2

ASP.NET 2.0

The website is using the default application pool running under Network service account.
The IIS_WPG group has read and execute access on the website root.
In web.config, I have set authentication mode="Windows" and impersonate = "false"

IIS 6.0

Anonymous access enabled
Integrated Windows Authentication enabled