ASP.NET applications running on IIS6 and IIS7 use the NETWORK SERVICE account by default to access resources on the computer. This post explains how to enable impersonation to have ASP.NET use a different account.
When an anonymous request arrives (i.e. not using Windows Authentication), IIS will by default tag the request as coming from the built-in account IUSR. This behaviour is defined in applicationHost.config:
<anonymousAuthentication enabled="true" userName="IUSR" />
IIS then passes the request to ASP.NET where Forms Authentication can be used to independently authenticate the user (note that IIS can still use "anonymous" authentication, even though ASP.NET later applies Forms Authentication).
ASP.NET itself then makes requests for system resources using the NETWORK SERVICE account, by default. The account used is determined by the Application Pool that the web site belongs to; all application pools are initially configured to use NETWORK SERVICE, as set in applicationHost.config:
<applicationPoolDefaults>
  <processModel identityType="NetworkService" />
</applicationPoolDefaults>
If we want ASP.NET to use a different account instead of NETWORK SERVICE, we can tell it to use impersonation by adding the following to the web application's web.config:
<system.web>
  <identity impersonate="true" />
</system.web>
In our scenario, this will then impersonate the account IUSR, since this is the identity IIS provided for the request.
If IIS was using Windows Authentication (instead of anonymous authentication) then this would allow us to make resource requests from ASP.NET while impersonating the Windows identity of whoever was logged on. This might be necessary to give access to specific resources restricted to that user.
Alternatively, regardless of what mode of authentication IIS was using, we could provide a valid Windows identity to be used for all requests, by adding the following to web.config:
<system.web>
  <identity impersonate="true" userName="[DOMAIN]\UserName" password="[Password]" />
</system.web>
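The rules above, condensed into a small config check (an added example, not code from the original post): it reads the applicationHost.config and web.config settings discussed here and reports which account ASP.NET would use, warning when the identity password sits readable in web.config. The XML samples, the EXAMPLE\svc-web account and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, reduced to the elements this page discusses.
APP_HOST = """<configuration>
  <system.applicationHost><applicationPools><applicationPoolDefaults>
    <processModel identityType="NetworkService" />
  </applicationPoolDefaults></applicationPools></system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
  </authentication></security></system.webServer>
</configuration>"""
WEB_PLAIN = "<configuration><system.web /></configuration>"
WEB_IMPERSONATE = ('<configuration><system.web>'
                   '<identity impersonate="true" /></system.web></configuration>')
WEB_FIXED = (r'<configuration><system.web><identity impersonate="true" '
             r'userName="EXAMPLE\svc-web" password="constructed" />'
             r'</system.web></configuration>')


def is_true(element, attr):
    """True when the element exists and the attribute is set to "true"."""
    return element is not None and element.get(attr, "false").lower() == "true"


def effective_identity(app_host_xml, web_config_xml, windows_user=None):
    """Return (account, warnings) for ASP.NET resource access."""
    host = ET.fromstring(app_host_xml)
    web = ET.fromstring(web_config_xml)
    warnings = []

    system_web = next(web.iter("system.web"), None)
    identity = system_web.find("identity") if system_web is not None else None
    if not is_true(identity, "impersonate"):
        # No impersonation: the application pool identity is used.
        pm = host.find(".//applicationPoolDefaults/processModel")
        pool = pm.get("identityType", "NetworkService") if pm is not None else "NetworkService"
        return pool, warnings

    if identity.get("userName"):
        # Fixed account for every request, whatever IIS authenticated.
        if identity.get("password") is not None:
            warnings.append("identity password is readable in web.config")
        return identity.get("userName"), warnings

    # impersonate="true" alone: ASP.NET takes the identity IIS attached.
    anon = next(host.iter("anonymousAuthentication"), None)
    if is_true(anon, "enabled"):
        return anon.get("userName", "IUSR"), warnings
    return windows_user or "<authenticated Windows user>", warnings
```
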
IIS6 works in the same way as IIS7, except that the default account name used by IIS is in the format:
Finding the Current Identity
IIS Config File
The Internet Information Services Manager lets you configure IIS, but the configuration is ultimately stored in the file: