ASP.NET, Integrated Windows Authentication and Anonymous Access

  • Question

  • User-197304117 posted

    Hi,
    I want to allow anonymous access to an ASP.NET website but also authenticate the users, because some authorization is done by the web application. I want the web app to run under the Network Service account and access to the website root to be restricted to IIS_WPG only.
    I am confused because, although impersonation is not enabled, domain users are denied access unless they are added to the website root ACL. Surely all requests should be using the Network Service account?

    Thanks for any help.


    This is my current setup:

    Windows 2003 R2 SP2

    ASP.NET 2.0

    • The website is using the default application pool running under Network service account.
    • The IIS_WPG group has read and execute access on the website root.
    • In web.config, I have set authentication mode="Windows" and impersonate = "false"

    IIS 6.0

    • Anonymous access enabled
    • Integrated Windows Authentication enabled

    Tuesday, October 7, 2008 4:53 AM

Answers

  • User-823196590 posted

    This should explain it:
    http://msdn.microsoft.com/en-us/library/aa302377.aspx

    The following tables illustrate, for a range of IIS authentication settings, the resultant identity that is obtained from each of the variables that maintain an IPrincipal and/or IIdentity object. The following abbreviations are used in the table:

    • HttpContext = HttpContext.Current.User, which returns an IPrincipal object that contains security information for the current Web request. This is the authenticated Web client.
    • WindowsIdentity = WindowsIdentity.GetCurrent(), which returns the identity of the security context of the currently executing Win32 thread.
    • Thread = Thread.CurrentPrincipal which returns the principal of the currently executing .NET thread which rides on top of the Win32 thread.
    Note: With IIS 6.0 running on Windows Server 2003, the identity matrix works except that the Machine\ASPNET identity is replaced with NT Authority\Network Service.

    Table 1. IIS anonymous authentication

    Web.config Settings, followed by the Resultant Identity for each Variable Location (HttpContext, WindowsIdentity, Thread):

    <identity impersonate="true"/>  <authentication mode="Windows" />
        HttpContext: -                       WindowsIdentity: MACHINE\IUSR_MACHINE   Thread: -
    <identity impersonate="false"/> <authentication mode="Windows" />
        HttpContext: -                       WindowsIdentity: MACHINE\ASPNET         Thread: -
    <identity impersonate="true"/>  <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: MACHINE\IUSR_MACHINE   Thread: Name provided by user
    <identity impersonate="false"/> <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: MACHINE\ASPNET         Thread: Name provided by user

    Table 2. IIS basic authentication

    <identity impersonate="true"/>  <authentication mode="Windows" />
        HttpContext: Domain\UserName         WindowsIdentity: Domain\UserName        Thread: Domain\UserName
    <identity impersonate="false"/> <authentication mode="Windows" />
        HttpContext: Domain\UserName         WindowsIdentity: MACHINE\ASPNET         Thread: Domain\UserName
    <identity impersonate="true"/>  <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: Domain\UserName        Thread: Name provided by user
    <identity impersonate="false"/> <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: MACHINE\ASPNET         Thread: Name provided by user

    Table 3. IIS digest authentication

    <identity impersonate="true"/>  <authentication mode="Windows" />
        HttpContext: Domain\UserName         WindowsIdentity: Domain\UserName        Thread: Domain\UserName
    <identity impersonate="false"/> <authentication mode="Windows" />
        HttpContext: Domain\UserName         WindowsIdentity: MACHINE\ASPNET         Thread: Domain\UserName
    <identity impersonate="true"/>  <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: Domain\UserName        Thread: Name provided by user
    <identity impersonate="false"/> <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: MACHINE\ASPNET         Thread: Name provided by user

    Table 4. IIS integrated Windows authentication

    <identity impersonate="true"/>  <authentication mode="Windows" />
        HttpContext: Domain\UserName         WindowsIdentity: Domain\UserName        Thread: Domain\UserName
    <identity impersonate="false"/> <authentication mode="Windows" />
        HttpContext: Domain\UserName         WindowsIdentity: MACHINE\ASPNET         Thread: Domain\UserName
    <identity impersonate="true"/>  <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: Domain\UserName        Thread: Name provided by user
    <identity impersonate="false"/> <authentication mode="Forms" />
        HttpContext: Name provided by user   WindowsIdentity: MACHINE\ASPNET         Thread: Name provided by user
    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, October 8, 2008 9:19 AM
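An added example, not code from any post in this thread, of the arrangement the question asks for: IIS authenticates the caller with Integrated Windows Authentication, `<identity impersonate="false"/>` keeps the worker process running as Network Service, and the application does its own authorization against HttpContext.User. The handler prints the three identities from Table 4 for the current request, answers anonymous callers with a 401 so that IIS offers the IWA challenge (the same thing `<authorization><deny users="?"/></authorization>` does declaratively), checks a group membership, and then reads a file under the process token. The group name DOMAIN\WebAppUsers and the file App_Data/report.txt are assumptions made for the example.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmIHandler" %>
// Added example, not code from the thread. Save as WhoAmI.ashx in the site root.
// Assumed setup (as in the question): IIS 6, Anonymous + Integrated Windows
// Authentication enabled, <authentication mode="Windows"/>, <identity impersonate="false"/>,
// application pool running as NT AUTHORITY\NETWORK SERVICE.
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    // Hypothetical domain group allowed to use the application (assumption, not from the thread).
    private const string RequiredRole = @"DOMAIN\WebAppUsers";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // 1. The three identities from Table 4, for this request.
        IPrincipal client = context.User;                         // the authenticated web client
        WindowsIdentity process = WindowsIdentity.GetCurrent();  // Win32 thread token: Network Service
        IPrincipal thread = Thread.CurrentPrincipal;             // .NET principal, follows HttpContext.User

        context.Response.Write("HttpContext.Current.User    : " + Describe(client) + "\r\n");
        context.Response.Write("WindowsIdentity.GetCurrent(): " + process.Name + "\r\n");
        context.Response.Write("Thread.CurrentPrincipal     : " + Describe(thread) + "\r\n");

        // 2. Authentication was done by IIS; authorization is done here, by the application.
        //    With Anonymous access enabled IIS does not challenge on its own, so an
        //    unauthenticated caller gets a 401 and IIS then sends the IWA challenge
        //    (what <authorization><deny users="?"/></authorization> does declaratively).
        if (client == null || !client.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.ApplicationInstance.CompleteRequest();
            return;
        }
        if (!client.IsInRole(RequiredRole))
        {
            context.Response.StatusCode = 403;
            context.Response.Write("Forbidden: " + client.Identity.Name + " is not in " + RequiredRole + "\r\n");
            return;
        }

        // 3. File I/O runs under the process token, not the client's, because
        //    impersonate="false". Only the worker process account (a member of
        //    IIS_WPG) needs NTFS Read on this file; the domain user does not.
        string path = context.Server.MapPath("~/App_Data/report.txt"); // assumed file
        context.Response.Write("--- report.txt read as " + process.Name + " ---\r\n");
        context.Response.Write(File.ReadAllText(path));
    }

    // Name, authentication type and flag of a principal, or a placeholder for anonymous.
    private static string Describe(IPrincipal p)
    {
        if (p == null || p.Identity == null) return "(null)";
        string name = p.Identity.Name.Length == 0 ? "(anonymous)" : p.Identity.Name;
        return name + " [type=" + p.Identity.AuthenticationType
                    + ", authenticated=" + p.Identity.IsAuthenticated + "]";
    }
}
```

One caveat that explains the symptom in the question: IIS 6 checks the NTFS ACL of the requested file (here WhoAmI.ashx itself) against the caller's token before the request ever reaches ASP.NET, using IUSR_MACHINE for an anonymous request and the domain account once IWA has completed. That check is why domain users must have Read on the site content even though the code above never impersonates them; the App_Data file, opened from code, is read only by the process account.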

All replies

  • User-823196590 posted

    I'm confused ... 

    I want to allow anonymous access to an asp.net website but also authenticate the users
    What do you mean exactly? For anonymous access, IUSR must have NTFS permissions to the files and folders.  For authenticated access, the domain users must have those permissions.

    Tuesday, October 7, 2008 8:35 AM
  • User-197304117 posted

    Right....

    What I was trying to do was somehow separate the authentication and authorization, so I could identify the user but still control the authorization with a single identity.
    Clearly impossible, right? An identity is either a domain user or anon.

    But what about asp.net? With IWA enabled, I see this:

    System.Security.Principal.WindowsIdentity: NT AUTHORITY\NETWORK SERVICE
    HttpContext.Current.User: Domain\username

    Here, the request contains both the worker process id and current user id. How do these relate to the ACL on the website root? Which id is used for authorization?
    Sorry for these basic questions but I have to admit I just don't get it!

    Tuesday, October 7, 2008 9:02 PM
  • User-197304117 posted

    Excellent, thank you very much.

    So, I assume the resultant identities of HttpContext, WindowsIdentity and Thread ALL need permission on the website folder.

    Thursday, October 9, 2008 10:42 PM
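The last question in the thread is left open. An added diagnostic, not code from any post here, answers it empirically instead of by reasoning over ACEs: it opens one file under the worker process token (what WindowsIdentity.GetCurrent() reports when impersonate="false") and again under the authenticated client's token (HttpContext.User), and reports which of the two NTFS lets through. It relies on one fact about IIS 6: the NTFS ACL of the requested file is checked against the client's token (IUSR_MACHINE for anonymous, the domain account after an IWA handshake) before ASP.NET runs, so that token needs Read on the .aspx or .ashx file being requested, while the worker process account needs Read on whatever the application opens from code. The target path ~/default.aspx is an assumption; substitute the resource that is being refused.

```csharp
<%@ WebHandler Language="C#" Class="AclProbeHandler" %>
// Added diagnostic, not code from the thread. Save as AclProbe.ashx in the site root
// (the client token must be able to read this file, or IIS refuses it before it runs)
// and request it as a domain user. Assumes <authentication mode="Windows"/> and
// <identity impersonate="false"/> as in the question.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class AclProbeHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // File to test. "~/default.aspx" is an assumption; deliberately not taken from
        // the query string so the probe cannot be pointed at arbitrary paths.
        string path = context.Server.MapPath("~/default.aspx");

        // a) Under the worker process token: with impersonate="false" that is the
        //    token the current thread already carries (NT AUTHORITY\NETWORK SERVICE).
        context.Response.Write(Probe(path, WindowsIdentity.GetCurrent().Name, null) + "\r\n");

        // b) Under the authenticated client's token, impersonated only for the open.
        WindowsIdentity client = context.User == null ? null : context.User.Identity as WindowsIdentity;
        if (client != null && client.IsAuthenticated)
            context.Response.Write(Probe(path, client.Name, client) + "\r\n");
        else
            context.Response.Write("client: request is anonymous, nothing to impersonate\r\n");
    }

    // Tries to open 'path' for reading as 'asUser' (null = current token) and returns a verdict.
    internal static string Probe(string path, string label, WindowsIdentity asUser)
    {
        WindowsImpersonationContext ctx = asUser == null ? null : asUser.Impersonate();
        try
        {
            using (FileStream fs = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                return label + ": read OK (" + fs.Length + " bytes)";
            }
        }
        catch (UnauthorizedAccessException)
        {
            return label + ": ACCESS DENIED by the NTFS ACL";
        }
        catch (IOException ex)
        {
            return label + ": I/O error " + ex.Message;
        }
        finally
        {
            if (ctx != null) ctx.Undo(); // always revert to the process token
        }
    }
}
```

Read the two lines together: the worker process line must say read OK for the application to run and to open its own data files, and the client line is what IIS sees when it checks the requested file against the caller; a 401.3 from IIS corresponds to ACCESS DENIED on that second line. Because the verdict comes from a real open under the real token, deny ACEs, inherited rights and group memberships are all already resolved, which is more reliable than reading the ACEs and reasoning about them.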