Web Debug

Fix broken web applications, from servers to clients.

Windows Authentication and Impersonation

Internet Information Services (IIS) provides several authentication schemes that can be employed when securing a Web application. Common scenarios include using Integrated Windows authentication (NTLM) within a corporate intranet to determine application users' identity based on their Windows login, or specifying a single anonymous identity for a particular application. The Windows identity supplied by IIS can then be used to determine whether the Web application has access to a protected Windows resource, such as a file protected using an Access Control List (ACL), or a network resource such as a file or database server. You can configure ASP.NET to use the Windows identity supplied by IIS using impersonation.

By default, ASP.NET is configured to use Windows authentication mode, which applies the Windows identity supplied by IIS to the User property of the current HttpContext object. This enables you to determine the identity supplied by IIS through the User property (the user Name is blank when anonymous identification is used), but does not use the supplied identity as the WindowsIdentity for the current page. The WindowsIdentity for an application is used when determining if the application has access to a particular file or network resource.

To configure ASP.NET to impersonate the Windows identity supplied by IIS as the WindowsIdentity for the ASP.NET application, edit the Web.config file for the application and set the impersonate attribute of the identity configuration element to true, as shown in the following example:

<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>

Impersonation is independent of the authentication mode configured using the authentication configuration element. The authentication element is used to determine the User property of the current HttpContext. Impersonation is used to determine the WindowsIdentity of the ASP.NET application.

The table below shows the resulting identities that are obtained from the various identity properties available to ASP.NET application code when your application uses Windows authentication and IIS is configured to use Integrated Windows authentication.

| Web.config settings | Variable location | Resultant identity |
|---|---|---|
| <identity impersonate="true" /> <authentication mode="Windows" /> | HttpContext | Domain\UserName |
| | WindowsIdentity | Domain\UserName |
| | Thread | Domain\UserName |
| <identity impersonate="false" /> <authentication mode="Windows" /> | HttpContext | Domain\UserName |
| | WindowsIdentity | NT AUTHORITY\NETWORK SERVICE |
| | Thread | Domain\UserName |
| <identity impersonate="true" /> <authentication mode="Forms" /> | HttpContext | Name provided by user |
| | WindowsIdentity | Domain\UserName |
| | Thread | Name provided by user |
| <identity impersonate="false" /> <authentication mode="Forms" /> | HttpContext | Name provided by user |
| | WindowsIdentity | NT AUTHORITY\NETWORK SERVICE |
| | Thread | Name provided by user |

You can check how to configure impersonation in IIS in this article:

http://technet.microsoft.com/en-us/library/cc730708(v=ws.10).aspx
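
To check which row of the table above a deployed application actually falls into, the following handler reports the three identities plus the worker process account. It is an added example, not code from the original article or from Microsoft; the handler name WhoAmI is hypothetical and it assumes an ASP.NET application on the .NET Framework.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical diagnostic handler (e.g. WhoAmI.ashx); remove it once the check is done.
public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // "HttpContext" row: populated according to the <authentication> element.
        string httpUser = context.User != null ? context.User.Identity.Name : "";

        // "Thread" row: the managed principal attached to the request thread.
        string threadUser = Thread.CurrentPrincipal.Identity.Name;

        // "WindowsIdentity" row: the token Windows evaluates ACLs against.
        string windowsUser;
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            windowsUser = current.Name;
        }

        // Worker process account: Impersonate(IntPtr.Zero) reverts to the
        // process token until the returned context is disposed.
        string processUser;
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            processUser = process.Name;
        }

        // Name comparison only: reports false if the caller happens to be
        // the same account the worker process runs as.
        bool impersonating = !string.Equals(
            windowsUser, processUser, StringComparison.OrdinalIgnoreCase);

        context.Response.ContentType = "text/plain";
        context.Response.Write(
            "HttpContext     : " + (httpUser.Length == 0 ? "(blank: anonymous)" : httpUser) + "\r\n" +
            "WindowsIdentity : " + windowsUser + "\r\n" +
            "Thread          : " + threadUser + "\r\n" +
            "Process account : " + processUser + "\r\n" +
            "Impersonating   : " + impersonating + "\r\n");
    }
}
```

With impersonate="false", the WindowsIdentity line should match the process account (NT AUTHORITY\NETWORK SERVICE in the table); with impersonate="true" it should show the identity supplied by IIS, which is the account that file and network ACLs must then grant access to.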

Reference


Explained: Windows Authentication in ASP.NET 2.0

http://msdn.microsoft.com/en-us/library/ff647076.aspx

Using IIS Authentication with ASP.NET Impersonation

http://msdn.microsoft.com/en-us/library/vstudio/134ec8tc(v=vs.100).aspx

Configure ASP.NET Impersonation Authentication (IIS 7)

http://technet.microsoft.com/en-us/library/cc730708(v=ws.10).aspx



