ASP.NET Anonymous Impersonation

 
 
sam
 
      08-18-2004
Hi,



When you impersonate with anonymous security what is supposed to happen (IIS5
platform)? Is it the aspnet_wp.exe process runs under the identity of the
anonymous user? When I look in the task manager the aspnet_wp.exe process
always lists ASPNET as the User Name. Am I on the right track here? If so,
is there a line of code I can use to display the new identity of the
process? Any pointers to good articles would also be really appreciated.



Sam








 
 
 
 
 
Joe Kaplan (MVP - ADSI)
 
      08-19-2004
Impersonation means that the currently executing thread will run as a
different identity than the process identity. Thus, if you impersonate the
anonymous user (I have no idea why you would do this, but you certainly
can), the current thread will be that user, but the process is still running
as the account the process was started with (what you see in task manager).
You can see the current thread's identity by doing
System.Security.Principal.WindowsIdentity.GetCurrent().Name.

To make the aspnet_wp.exe run as a different process account, you must
change the process model in the machine.config.

Joe K.

 
 
 
 
[MSFT]
 
      08-19-2004
Hi Sam,

When we perform impersonation in ASP.NET, the process aspnet_wp.exe will
still run under ASPNET. But the code to handle current request will be
executed under the impersonation user. To check this user, you may check
following value in the code:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

For more information about asp.net impersonate, you may refer to this
article:

INFO: Implementing Impersonation in an ASP.NET Application
http://support.microsoft.com/default...;EN-US;Q306158

Luke

 
 
sam
 
      08-19-2004
Thanks Joe and Luke for your replies.

Have I got this right:



With anonymous access selected only:

The aspnet_iisapi.exe process runs as IUSER_machine

The thread runs under the ASPNET account. All resources are accessed with
this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



With anonymous access and impersonation:

The aspnet_iisapi.exe process runs as IUSER_machine

The thread impersonates the aspnet_iisapi.exe process and runs as
IUSER_machine. All resources are accessed with this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



With Integrated Windows Authentication selected only:

The aspnet_iisapi.exe process runs as the windows user

The thread runs under the ASPNET account. All resources are accessed with
this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



With Integrated Windows Authentication and impersonation:

The aspnet_iisapi.exe process runs as the windows user

The thread impersonates the aspnet_iisapi.exe process and runs as the
windows user. All resources are accessed with this thread.

The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config



Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
name.

System.Security.Principal.WindowsIdentity.GetCurrent().Name - Returns the
thread account name inside the aspnet_wp.exe process.



If I have this right I will be very happy.

Sam





Thanks Joe and Luke for your replies.

Is this correct:

System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()

Context.User.Identity.Name

Response.Write("current thread's identity=" +
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() +
"<BR>");




 
 
Joe Kaplan (MVP - ADSI)
 
      08-19-2004
Inline:

"sam" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks Joe and Luke for your replies.
>
> Have I got this right:
>
>
>
> With anonymous access selected only:
>
> The aspnet_iisapi.exe process runs as IUSER_machine
>


I'm not even sure what process this is. Are you sure that is a process
related to ASP.NET? aspnet_isapi.dll is an ISAPI filter which is loaded by
IIS (inetinfo.exe) and dispatches requests for ASP.NET resources to the
worker process. Is that what you meant?

> The thread runs under the ASPNET account. All resources are accessed with
> this thread.
>

Correct, each request (which runs as a separate thread) will not be
impersonating, so the thread runs with the process identity (ASPNET). The
things to remember are:
- A process always has a token associated with a Windows account
- A process has at least one thread that actually runs code (ASP.NET has a
pool of them and runs each request on one of these)
- A thread will execute coding using the identity of the process by
default, or using a different identity if it is impersonating another
account

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
>

Yes
>
>
> With anonymous access and impersonation:
>
> The aspnet_iisapi.exe process runs as IUSER_machine
>


Again, not sure what this is.

> The thread impersonates the aspnet_iisapi.exe process and runs as
> IUSER_machine. All resources are accessed with this thread.
>


This isn't quite right, but the net effect is the same. Each request thread
will impersonate the account of the logged on user which is the
anonymous IUSER_machine account in this case. All resources will be
accessed with this account.

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
>


Yes

>
>
> With Integrated Windows Authentication selected only:
>
> The aspnet_iisapi.exe process runs as the windows user
>
> The thread runs under the ASPNET account. All resources are accessed with
> this thread.
>


Yes, basically the same as above with the slight terminology correction
above.

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
>


Yes

>
>
> With Integrated Windows Authentication and impersonation:
>
> The aspnet_iisapi.exe process runs as the windows user
>
> The thread impersonates the aspnet_iisapi.exe process and runs as the
> windows user. All resources are accessed with this thread.
>


Here, each request thread impersonates the logged on user as before. In
this case, since anonymous is off in IIS, the account of the user who logged
on (regardless of Basic, Digest, Integrated) will be impersonated by the
thread and resources are accessed using this account.

> The aspnet_wp.exe process runs as ASPNET as defined in the Machine.Config
>
>

Yes
>
> Context.User.Identity.Name - Returns the aspnet_iisapi.exe process account
> name.
>


Context.User.Identity will be the identity of the user who logged on. This
doesn't have to be a Windows account though. It can also be a FormsIdentity
for forms authentication. The thing to remember is that this is related to
the user who logged on to the website using an ASP.NET authentication
mechanism.

> System.Security.Principal.WindowsIdentity.GetCurrent().Name - Returns the
> thread account name inside the aspnet_wp.exe process.
>


This is always the identity of the account that the current thread is
running under in any .NET code. It could be the process token account or an
impersonated account. In ASP.NET, this is directly related to the
impersonation setting in web.config.

These two will be the same WindowsIdentity IF IIS is configured for Windows
(Basic/Digest/Integrated) and anonymous is disabled AND you have enabled
impersonation in web.config.

>
>
> If I have this right I will be very happy.
>
> Sam
>
>

I hope this brings you happiness and no more confusion.

Joe K.
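The three identities discussed in the reply above, reported side by side by one handler. This is an added example, not code from the thread; the handler name WhoAmI is hypothetical, and it assumes ASP.NET on .NET Framework 2.0 or later running in full trust.

```csharp
// WhoAmI.ashx code-behind (hypothetical name); added example, not from the thread.
// Impersonation is switched on in web.config with <identity impersonate="true" />.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Service account names are useful to an intruder: answer local requests only.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Identity the request thread is using right now (process or impersonated).
        string threadName = WindowsIdentity.GetCurrent().Name;

        // GetCurrent(true) returns null unless the thread carries an
        // impersonation token, which tells the two cases apart.
        bool impersonating;
        using (WindowsIdentity token = WindowsIdentity.GetCurrent(true))
        {
            impersonating = token != null;
        }

        // Impersonate(IntPtr.Zero) reverts the thread to the process token;
        // disposing the context restores the impersonation afterwards.
        string processName;
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            processName = WindowsIdentity.GetCurrent().Name;
        }

        // The user who logged on to the site; may be a FormsIdentity rather
        // than a Windows account, and the name is empty for anonymous users.
        IIdentity user = context.User.Identity;

        context.Response.ContentType = "text/plain"; // plain text, so no HTML encoding needed
        context.Response.Write("process identity     : " + processName + "\n");
        context.Response.Write("thread identity      : " + threadName + "\n");
        context.Response.Write("thread impersonating : " + impersonating + "\n");
        context.Response.Write("Context.User         : '" + user.Name + "' (" +
            user.GetType().Name + ", authenticated=" + user.IsAuthenticated + ")\n");
    }
}
```

With anonymous access and impersonation enabled, the thread line shows the IIS anonymous account while the process line still shows the worker process account, which is the account whose file and registry permissions matter once impersonation is reverted.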
 
sam
 
      08-19-2004
Yes yes yes lots of happiness.
And yes I did mean aspnet_isapi.dll not .exe.
Thanks so much Joe.
The MVPs are the gods of the newsgroups. They know all and see all.

