bbudz
Forms authentication and impersonation problem
Oct 22, 2007 10:24 PM
Hi all,
I'm making an app that needs to access network resources (files). Some of these resources have access restrictions. I wanted to use Windows authentication and impersonation but I cannot configure IIS to use Integrated Windows authentication, so that solution is thrown out.
My new approach is to use Forms authentication. I have to use an Access database instead of a SQL one, which is no big deal; I got through that. My problem is that if I turn on impersonation in my web.config file, I can't access any of the web pages. I don't understand why. If I remove the impersonation line, I can view the pages but I still don't have access to the resources I need. Does anyone have any ideas as to why that is? I don't get an error or an exception but rather a "Page Cannot be Displayed" error in IE.
I was also thinking that maybe the username has to be in the form of Domain\userID instead of just userID, but that didn't work for me either.
If anyone knows what I'm doing wrong or if I'm taking the wrong approach, please help. I would like to avoid using LogonUser from that one dll (this seems to be the popular solution on the internet) if possible. If this is any help, this is an intranet site.
Thank you,
Bart
RachitP
Re: Forms authentication and impersonation problem
Oct 23, 2007 12:56 AM
Which version of IIS are you using? IIS6 uses the Application Pool which can run either as Network Service user or any local/Domain account. When you turn on the Impersonation, this is what you see in the web.config.
bbudz
Re: Forms authentication and impersonation problem
Oct 24, 2007 12:34 AM
I'm using IIS 6. I need to impersonate a Domain\userID, so can I use Forms authentication to do that?
Thanks, Bart
XiaoYong Dai...
Re: Forms authentication and impersonation problem
Oct 26, 2007 09:57 AM
Hi
It doesn't matter. Please refer to this impersonation identity matrix:
Table 1. IIS anonymous authentication

| Web.config setting | WindowsIdentity | Thread |
|---|---|---|
| <authentication mode="Windows" /> | MACHINE\IUSR_MACHINE | - |
| <authentication mode="Windows" /> | MACHINE\ASPNET | - |
| <authentication mode="Forms" /> | MACHINE\IUSR_MACHINE | Name provided by user |
| <authentication mode="Forms" /> | MACHINE\ASPNET | Name provided by user |

Table 2. IIS basic authentication

| Web.config setting | WindowsIdentity | Thread |
|---|---|---|
| <authentication mode="Windows" /> | Domain\UserName | Domain\UserName |
| <authentication mode="Windows" /> | MACHINE\ASPNET | Domain\UserName |
| <authentication mode="Forms" /> | Domain\UserName | Name provided by user |
| <authentication mode="Forms" /> | MACHINE\ASPNET | Name provided by user |

Table 3. IIS digest authentication

| Web.config setting | WindowsIdentity | Thread |
|---|---|---|
| <authentication mode="Windows" /> | Domain\UserName | Domain\UserName |
| <authentication mode="Windows" /> | MACHINE\ASPNET | Domain\UserName |
| <authentication mode="Forms" /> | Domain\UserName | Name provided by user |
| <authentication mode="Forms" /> | MACHINE\ASPNET | Name provided by user |

Table 4. IIS integrated Windows authentication

| Web.config setting | WindowsIdentity | Thread |
|---|---|---|
| <authentication mode="Windows" /> | Domain\UserName | Domain\UserName |
| <authentication mode="Windows" /> | MACHINE\ASPNET | Domain\UserName |
| <authentication mode="Forms" /> | Domain\UserName | Name provided by user |
| <authentication mode="Forms" /> | MACHINE\ASPNET | Name provided by user |

XiaoYong Dai
Microsoft Online Community Support
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
RachitP
Member
34 Points
7 Posts
Re: Forms authentication and impersonation problem
Oct 26, 2007 10:58 AM|LINK
XiaoYong Dai,
Thank you for the matrix. Although I kinda knew what the identity was for each case you described, I never put it in a table all together like this. This will definitely help others in general as well.
Rachit
XiaoYong Dai...
Re: Forms authentication and impersonation problem
Oct 29, 2007 03:22 AM
Hi
OK. For the narrator to explain more, as in the matter of integrated Windows authentication, for instance.

Web.config Settings
<identity impersonate="true"/>
<authentication mode="Forms" />

HttpContext returns an IPrincipal object that contains security information for the current Web request. (FormsIdentity in this scenario)
WindowsIdentity returns the identity of the security context of the currently executing Win32 thread. (The impersonated, authenticated domain account)
Thread returns the principal of the currently executing .NET thread, which rides on top of the Win32 thread. (Usually the same as, or identical in value to, HttpContext)
XiaoYong Dai
Microsoft Online Community Support
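The three lookups described in the post above, gathered into one diagnostic helper. This is an added example, not code from the thread or from any poster: `IdentityReport` and `Describe` are hypothetical names, and it assumes it is called inside an ASP.NET request with System.Web referenced.

```csharp
// Added example (not from the thread). IdentityReport/Describe are hypothetical names.
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;
using System.Web.Security;

public static class IdentityReport
{
    // Reports the three identities the matrix distinguishes and flags the case
    // where the Forms user name differs from the account Windows will check.
    public static string Describe(HttpContext context)
    {
        IIdentity requestUser = context.User != null ? context.User.Identity : null;
        IIdentity threadUser = Thread.CurrentPrincipal != null
            ? Thread.CurrentPrincipal.Identity : null;

        StringBuilder sb = new StringBuilder();
        sb.AppendLine("HttpContext.User        : " + Format(requestUser));
        sb.AppendLine("Thread.CurrentPrincipal : " + Format(threadUser));

        // WindowsIdentity.GetCurrent() reads the Win32 thread token. NTFS and
        // share ACLs are evaluated against this account, not the Forms name.
        using (WindowsIdentity token = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("WindowsIdentity         : " + Format(token)
                + " (impersonation level: " + token.ImpersonationLevel + ")");

            bool formsUser = requestUser is FormsIdentity;
            if (formsUser && !string.Equals(requestUser.Name, token.Name,
                                            StringComparison.OrdinalIgnoreCase))
            {
                sb.AppendLine("Note: file and share access is checked against '"
                    + token.Name + "', not the Forms user '" + requestUser.Name
                    + "'; per-user restrictions need an application-level check.");
            }
        }
        return sb.ToString();
    }

    private static string Format(IIdentity id)
    {
        if (id == null || !id.IsAuthenticated) return "(not authenticated)";
        return id.Name + " [" + id.AuthenticationType + "]";
    }
}
```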
bbudz
Re: Forms authentication and impersonation problem
Oct 29, 2007 05:19 PM
Thank you for the matrix, that was a BIG help.
Thank you,
Bart