What Is the Difference between using WindowsIdentity.GetCurrent() and HttpContext.User.Identity?

Question

Tuesday, April 24, 2007 10:03 PM

 Hi.

Inside my ASP.NET app, I would like to obtain the authenticated windows user then have my backend code do the following:

1. Determine the group membership of the user à la Active Directory. Currently, I'm using DirectoryServices but I wonder if I can just use isRole(...) and pass in a list of group names from AD.

2. Access UNC shares using a predefined/set user account.

My questions are:

1. How do I have my ASP.NET page use windows authentication while having my IIS6.0 process execute code (e.g. accessing UNC share) using a set user account with limited permissions? I currently have the webconfig set for windows auth. I'm not sure what I need to do within the IIS web site properties dialog to make sure it runs as a specified user.

2.  I'm trying to get the authenticated user info. Why is WindowsIdentity.GetCurrent() returning a different value from User.Identity.Name?  (see 2.d below) I'm not sure if one call is within the context of the thread and the other in the context of the process.

using System.Security.Principal;
using System.Threading;
using System.Web;

// 2.a Prints "NT AUTHORITY\NETWORK SERVICE, 1064"
WindowsIdentity current = WindowsIdentity.GetCurrent();
Response.Write("WindowsIdentity Info: " + current.Name + ", " + current.Token + "<br />");

// 2.b Prints "NT AUTHORITY\NETWORK SERVICE, 1064"
WindowsPrincipal wp = new WindowsPrincipal(current);
Response.Write("WindowsPrincipal Info via WindowsIdentity: " + wp.Identity.Name.ToString() + "<br>\n");

// 2.c Prints My domain\username as expected
AppDomain myDomain = Thread.GetDomain();
myDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal myPrincipal = (WindowsPrincipal)Thread.CurrentPrincipal;
Response.Write("WindowsPrincipal Info\nUser: " + myPrincipal.Identity.Name.ToString() + "\n");

// 2.d Prints My domain\username as expected but using HttpContext
HttpContext myContext = HttpContext.Current;  // I could just reference User.Identity.Name
Response.Write("\n\nHttpContext Info: " + myContext.User.Identity.Name + "\n");

Thank you.
Leon

All replies (1)

Friday, April 27, 2007 2:51 AM ✅ Answered

 

My questions are:

1. How do I have my ASP.NET page use windows authentication while having my IIS6.0 process execute code (e.g. accessing UNC share) using a set user account with limited permissions? I currently have the webconfig set for windows auth. I'm not sure what I need to do within the IIS web site properties dialog to make sure it runs as a specified user.

Add this to your web.config file to impersonate a user account rather than the default NETWORK SERVICE account:
<identity impersonate="true" userName="" password="" />

Then you can use this line of code:
System.Security.Principal.WindowsIdentity.GetCurrent().Name

 

2.  I'm trying to get the authenticated user info. Why is WindowsIdentity.GetCurrent() returning a different value from User.Identity.Name?  (see 2.d below) I'm not sure if one call is within the context of the thread and the other in the context of the process.

This table can help you understand the HttpContext.User.Identity better.

Table: IIS anonymous authentication

| Web.config Settings | Variable Location | Resultant Identity |
|---|---|---|
| <identity impersonate="true"/> <authentication mode="Windows" /> | HttpContext | - |
| | WindowsIdentity | MACHINE\IUSR_MACHINE |
| | Thread | - |
| <identity impersonate="false"/> <authentication mode="Windows" /> | HttpContext | - |
| | WindowsIdentity | MACHINE\ASPNET |
| | Thread | - |
| <identity impersonate="true"/> <authentication mode="Forms" /> | HttpContext | Name provided by user |
| | WindowsIdentity | MACHINE\IUSR_MACHINE |
| | Thread | Name provided by user |
| <identity impersonate="false"/> <authentication mode="Forms" /> | HttpContext | Name provided by user |
| | WindowsIdentity | MACHINE\ASPNET |
| | Thread | Name provided by user |

For more information, please see this link. Hope it helps.

http://msdn.microsoft.com/en-us/library/aa302377.aspx
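
The distinction discussed in this thread, as an added example that is not part of the original posts: a Windows console program that keeps the authenticated caller (what ASP.NET exposes as HttpContext.User and Thread.CurrentPrincipal) separate from the account whose token the code executes under (WindowsIdentity.GetCurrent()). The CONTOSO names, the group names and the helper names are constructed for illustration, and a GenericPrincipal stands in for the principal ASP.NET would set.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

static class IdentityDemo
{
    // Authorization decisions look at the authenticated caller, not at the
    // account the worker process or thread runs as.
    static bool CallerIsInGroup(IPrincipal caller, string group)
    {
        return caller != null
            && caller.Identity.IsAuthenticated
            && caller.IsInRole(group);
    }

    // The account whose token Windows uses for file and UNC share access.
    static string ExecutionAccount(out bool impersonating)
    {
        // GetCurrent(true) returns null when the thread holds no impersonation token.
        using (WindowsIdentity imp = WindowsIdentity.GetCurrent(true))
        {
            impersonating = imp != null;
        }
        // GetCurrent() returns the thread token if impersonating, else the process token.
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            return effective.Name;
        }
    }

    static void Main()
    {
        // Constructed stand-in for the principal ASP.NET sets after authentication.
        // With a real WindowsPrincipal, IsInRole checks the user's Windows group membership.
        IPrincipal caller = new GenericPrincipal(
            new GenericIdentity(@"CONTOSO\leon", "Negotiate"),
            new[] { @"CONTOSO\ReportReaders" });
        Thread.CurrentPrincipal = caller;

        bool impersonating;
        string account = ExecutionAccount(out impersonating);

        Console.WriteLine("Caller (Thread.CurrentPrincipal): " + Thread.CurrentPrincipal.Identity.Name);
        Console.WriteLine("Execution account (WindowsIdentity.GetCurrent): " + account);
        Console.WriteLine("Thread impersonating: " + impersonating);
        Console.WriteLine("Caller in ReportReaders: " + CallerIsInGroup(caller, @"CONTOSO\ReportReaders"));
        Console.WriteLine("Caller in Admins: " + CallerIsInGroup(caller, @"CONTOSO\Admins"));
    }
}
```

The execution account printed here is whoever runs the program; changing Thread.CurrentPrincipal does not change it, which is why the two calls in the question return different names.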