Process and Thread Identity in ASP.NET – A Practical Approach

The following scenarios establish how the process identity and the thread identity are determined when building ASP.NET websites and publishing them with the IIS web server.

IIS supports the following authentication types:

· Anonymous: in this case the default credentials are those of the IUSR_Machinename user.

· Integrated Windows Authentication (IWA): this can use either NTLM challenge/response or be configured to use Kerberos; for this discussion we will not delve into those details. In general, with IWA, IIS authenticates using the credentials of the logged-on user.

· Basic authentication

· Digest authentication

Here we are interested in the Anonymous and IWA authentication types and how they affect ASP.NET.

ASP.NET Impersonation

Impersonation is when ASP.NET executes code in the context of an authenticated and authorized client. By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process, which is typically the ASPNET account. This is contrary to the default behavior of ASP, which uses impersonation by default. In Internet Information Services (IIS) 6, the default identity is the NetworkService account.

E.g. <identity impersonate="true" />

Using impersonation, ASP.NET applications can optionally execute the processing thread using the identity of the client on whose behalf they are operating. If you enable impersonation, ASP.NET can either impersonate the authenticated identity received from IIS or one specified in the application's Web.config file.

Now we'll look at the scenarios in order to get a better understanding of the process identity and the Win32 thread identity under which ASP.NET is executing.

The following code is used to get the current process identity for ASP.NET and the Win32 thread identity riding on top of it.

System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()

System.Threading.Thread.CurrentPrincipal.Identity.Name.ToString()
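As an added example (not part of the original post), the two lines above can be combined into a small diagnostic handler that reports both identities for a request, together with the token IIS authenticated, so the scenarios below can be checked on a real server. The class name IdentityProbe and its registration path are assumptions; it targets ASP.NET on the .NET Framework.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical diagnostic handler; register it in Web.config under
// <httpHandlers> (for example at the assumed path "identity.ashx").
public class IdentityProbe : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Win32 token the request thread is actually running under: the
        // worker process account, or the client when impersonation is on.
        WindowsIdentity win32 = WindowsIdentity.GetCurrent();

        // Managed principal ASP.NET attaches to the thread from the user
        // IIS authenticated; populated even with impersonate="false".
        IPrincipal managed = Thread.CurrentPrincipal;

        // Token IIS used to authenticate the caller (null for Anonymous).
        WindowsIdentity iisUser = ctx.Request.LogonUserIdentity;

        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write("Win32 (process) identity : " + win32.Name + "\n");
        ctx.Response.Write("Impersonation level      : " + win32.ImpersonationLevel + "\n");
        ctx.Response.Write("Managed thread principal : " + managed.Identity.Name + "\n");
        ctx.Response.Write("Authentication type      : " + managed.Identity.AuthenticationType + "\n");
        ctx.Response.Write("IIS logon user           : " +
            (iisUser == null ? "(anonymous)" : iisUser.Name) + "\n");

        // Impersonation is effectively active when the Win32 token matches
        // the IIS-authenticated user instead of the worker process account.
        bool runsAsClient = iisUser != null &&
            string.Equals(win32.Name, iisUser.Name, StringComparison.OrdinalIgnoreCase);
        ctx.Response.Write("Code runs as client      : " + runsAsClient + "\n");
    }
}
```

Restrict the handler's URL with an <authorization> element in Web.config, since it discloses the account names the site runs under.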

Now let's take a look at the scenarios:

Scenario 1: ASP.NET website located on the local machine and IIS uses IWA. Impersonation is set to "false".

Observation: the process identity = NT AUTHORITY\NETWORK SERVICE and the thread identity is the credentials of the logged-on user.

Scenario 2: ASP.NET website located on the local machine and IIS uses IWA. Impersonation is set to "true".

Observation: both the process identity and the thread identity are the logged-on user's credentials.

Next we'll look at how the process identity is affected if we place the website contents on a remote UNC share.

Scenario 3: ASP.NET website placed on a remote share, impersonation set to "false", and IIS uses IWA. In the Connect As option, check the box that says "Always use the authenticated user's credentials when validating access to the network directory".

Observation: the process identity = NT AUTHORITY\NETWORK SERVICE.

You may receive one or more error messages when you try to access an ASP.NET application that is hosted by using pass-through authentication in a UNC virtual directory in Internet Information Services 6.0.

CAUSE

This problem occurs because ASP.NET applications are not supported when you select the Always use the authenticated user's credentials when validating access to the network directory check box in IIS 6.0.

RESOLUTION

To resolve this issue, enter a valid user name and password on the Security Credentials page in the Virtual Directory Creation Wizard when you intend to host an ASP.NET application that is located on a UNC share.

Refer to KB 897110: http://support.microsoft.com/kb/897110

Scenario 4: ASP.NET website placed on a remote share, impersonation set to "true", and IIS uses IWA. In the Connect As option, specify a user name and password to reach the path.

Note: the user name and password specified must also exist on the folder being accessed, i.e. the same user should be explicitly granted access to that folder and the password should be in sync.

Observation: both the process identity and the thread identity are those of the account used to access the UNC path.

For further information visit :

http://support.microsoft.com/kb/910449

http://support.microsoft.com/kb/891031

http://msdn.microsoft.com/en-us/library/aa302393.aspx
