Well, the key thing to keep in mind is this. Each process runs with a given
user token. When you launch an application, it's typically you. With
services, it is often System (a VERY high privilege account) or a particular
user, but starting with XP could also be LocalService or NetworkService
(lower privilege accounts for running services in).
With ASP.NET, unlike ASP, you have two different processes to keep track of.
First, you have IIS itself. Typically, this runs in the process
MACHINENAME\IWAM_MACHINENAME. You can change this in IIS configuration if
you would like, and IIS will have these credentials for every request it
makes. In classic ASP, it had these credentials as well. If you use Windows
authentication, then it can pass on these credentials, however - the process
identity you have set up is used for anonymous authentication only.
Next, you have aspnet_wp - the worker process for ASP.NET pages. By default,
this runs under the MACHINENAME\ASPNET account. So, if you make a request
from an ASP.NET page to a database on a different server, you will have some
problems. You can change the credentials of the ASP.NET process in the
machine.config file for the version of the runtime you are using.
Next, you have Windows authentication possible on ASP.NET, even if you are
using anonymous authentication on IIS. In addition, you have impersonation
possible on ASP.NET, which tells it to get its credentials from IIS and
pretend to have these credentials. In this event, it will get the anonymous
authentication account if you are using anonymous authentication, or you
could get the Windows credentials of the current user if you are using
Windows authentication.
Now you begin to see why that matrix is such a handy little guide...
In general, you want to make sure that you are using a domain account to do
authentication across a network - it's just easier that way I have found. I
typically use anonymous on IIS, set up to use a domain account. I then use
forms authentication on ASP.NET, and set it up to impersonate, so it takes
the IIS identity and passes it in database requests.
As long as you keep in mind that you have two distinct processes, each of
which could be impersonating somebody, then you should be able to figure out
what token is being passed in the end - the identity matrix is a handy guide
in the interim.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows XP
Windows XP Associate Expert
--
A.M said:
Don't get me wrong, your reply helped me and I appreciate that; however:
The document you referred me to talks about MACHINE\ASPNET and Domain\UserName.
It doesn't say where UserName is being defined. How does Aspnet_wp.exe know
about it?
My complaint is I shouldn't have to spend hours and finally, after your
reply, download Process Explorer from
www.sysinternals.com (because in
Win2000 Task Manager doesn't show UID) to figure out Aspnet_wp.exe acts as
DOMAIN\IWAM_LIFELINE-NM34AJ and then give access to IWAM_LIFELINE-NM34AJ.
Does that make sense?
Ali
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
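As an added diagnostic page (not code from either poster or from the linked MSDN article), the ASPX below reports the identities in play for one request under the anonymous-IIS, Forms-authentication-plus-impersonation setup described above, so the account the worker process is actually using can be read off without Process Explorer; the file name whoami.aspx and the web.config fragment in the comment are assumptions.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Assumed web.config (ASP.NET 1.x) this page is meant to be tried with:
    //   <authentication mode="Forms"> ... </authentication>
    //   <identity impersonate="true" />
    // With impersonation on, the request thread carries the token IIS hands
    // over (the anonymous account under anonymous access, or the caller under
    // Windows authentication). With impersonation off, it carries the worker
    // process account from machine.config <processModel userName="..."/>.
    void Page_Load(object sender, EventArgs e)
    {
        // Token the request thread is running under: this is what a database
        // or file server on another machine will see.
        string threadToken = WindowsIdentity.GetCurrent().Name;

        // Principal ASP.NET attached to the request: the Forms ticket name
        // here, or the Windows user if ASP.NET itself does Windows auth.
        string aspnetUser = User.Identity.IsAuthenticated
            ? User.Identity.Name + " (" + User.Identity.AuthenticationType + ")"
            : "(not authenticated by ASP.NET)";

        // What IIS itself authenticated; empty under anonymous access.
        string iisLogon = Request.ServerVariables["LOGON_USER"];
        string iisAuth = Request.ServerVariables["AUTH_TYPE"];

        Response.ContentType = "text/plain";
        Response.Write("Thread token (outgoing credentials): " + threadToken + "\r\n");
        Response.Write("ASP.NET principal:                   " + aspnetUser + "\r\n");
        Response.Write("IIS LOGON_USER:                      "
            + (iisLogon == null || iisLogon.Length == 0 ? "(anonymous)" : iisLogon) + "\r\n");
        Response.Write("IIS AUTH_TYPE:                       "
            + (iisAuth == null || iisAuth.Length == 0 ? "(none)" : iisAuth) + "\r\n");
    }
</script>
```

Toggle `<identity impersonate="true" />` off and request the page again: the thread token line switches from the IIS anonymous account to the `<processModel>` account, which is the difference the identity matrix is describing.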