ASP.NET applications running on IIS6 and IIS7 use the NETWORK SERVICE account by default to access resources on the computer. This post explains how to enable impersonation to have ASP.NET use a different account.

IIS7

When an anonymous request arrives (i.e. not using Windows Authentication), IIS will by default tag the request as coming from the built-in account IUSR. This behaviour is defined in applicationHost.config:

<anonymousAuthentication enabled="true" userName="IUSR" />

IIS then passes the request to ASP.NET where Forms Authentication can be used to independently authenticate the user (note that IIS can still use "anonymous" authentication, even though ASP.NET later applies Forms Authentication).

By default, ASP.NET itself then makes requests for system resources using the NETWORK SERVICE account. The account used is determined by the Application Pool that the web site belongs to; all application pools are initially configured to use NETWORK SERVICE, as set in applicationHost.config:

<applicationPoolDefaults>
    <processModel identityType="NetworkService" />
</applicationPoolDefaults>

If we want ASP.NET to use a different account instead of NETWORK SERVICE, we can tell it to use impersonation by adding the following to the web application's web.config:

<system.web>
    <identity impersonate="true" />
</system.web>

In our scenario, this will then impersonate the account IUSR, since this is the identity IIS provided for the request.

If IIS was using Windows Authentication (instead of anonymous authentication) then this would allow us to make resource requests from ASP.NET while impersonating the Windows identity of whoever was logged on. This might be necessary to give access to specific resources restricted to that user.

Alternatively, regardless of what mode of authentication IIS was using, we could provide a valid Windows identity to be used for all requests, by adding the following to web.config:

<system.web>
  <identity impersonate="true"
    userName="[DOMAIN]\UserName"
    password="[Password]" />
</system.web>
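
The three cases described above, resolved in one place. This is an added example, not code from the original post: the function and variable names are hypothetical, the config fragments are constructed and flattened, and the account EXAMPLE\svc-web and its password are placeholders. It also reports when a password attribute sits in web.config, as the fixed-identity form requires.

```python
import xml.etree.ElementTree as ET

# Constructed, flattened applicationHost.config using the defaults quoted in the post.
APP_HOST = """<configuration>
  <applicationPoolDefaults>
    <processModel identityType="NetworkService" />
  </applicationPoolDefaults>
  <anonymousAuthentication enabled="true" userName="IUSR" />
</configuration>"""

# Constructed web.config variants (account name and password are placeholders).
WEB_DEFAULT = "<configuration><system.web /></configuration>"
WEB_IMPERSONATE = ('<configuration><system.web>'
                   '<identity impersonate="true" /></system.web></configuration>')
WEB_FIXED = (r'<configuration><system.web><identity impersonate="true" '
             r'userName="EXAMPLE\svc-web" password="placeholder" />'
             r'</system.web></configuration>')


def effective_identity(app_host_xml, web_config_xml):
    """Return (account, findings) for the account ASP.NET uses to reach resources."""
    host = ET.fromstring(app_host_xml)
    web = ET.fromstring(web_config_xml)
    pool = host.find(".//applicationPoolDefaults/processModel")
    anon = host.find(".//anonymousAuthentication")
    ident = web.find("system.web/identity")
    findings = []

    if ident is None or ident.get("impersonate", "false").lower() != "true":
        # No impersonation: the application pool identity is used.
        return pool.get("identityType"), findings

    user = ident.get("userName")
    if user:
        # Fixed identity: every request runs as this one account.
        if ident.get("password"):
            findings.append("password attribute present in web.config")
        return user, findings

    if anon is not None and anon.get("enabled", "").lower() == "true":
        # Anonymous request: impersonate the account IIS tagged it with.
        return anon.get("userName"), findings

    # Windows Authentication: impersonate whoever is logged on.
    return "<authenticated Windows user>", findings
```

Anyone who can read web.config can read that password, so the file's ACL and any copies in source control or backups are worth checking whenever the function reports that finding.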

IIS6

IIS6 works in the same way as IIS7, except that the default account name used by IIS is in the format: IUSR_[MachineName]

Useful Information

Finding the Current Identity

System.Security.Principal.WindowsIdentity.GetCurrent().Name

IIS Config File

The Internet Information Services Manager lets you configure IIS, but the configuration is ultimately stored in the file:

%windir%\system32\inetsrv\config\applicationHost.config

Comments

Sandeep Bhadauriya

Nice Post, It's very useful for me, Thanks.

Mayank

Nice..Short and Simple and yet to the point.
