ASP.NET impersonates NT AUTHORITY\IUSR but impersonation is disabled. ASP.NET bug?

asp.net


Most likely, the settings for your server, site or application are set so that "Anonymous Authentication" mode causes page requests to be handled as the IUSR user. It doesn't matter that your application is not requesting impersonation; IIS is forcing it. (By the way, "impersonation" is a generic term in Windows-land for assuming another user's credentials. It is not specific to ASP.NET.)

A bit of background:

For security reasons, IIS allows your server to field "anonymous" and "authenticated" requests under different system credentials.

Now, in IIS 7.5, if you have both anonymous authentication and Forms authentication enabled (which is typical), before your website user logs in via Forms, it considers your user "anonymous". After your user logs in with Forms Auth, it considers your user "authenticated."

I found this behavior confusing at first because it's a change from IIS 6.0, which wasn't aware of Forms auth, and considered all Forms-Authenticated users to be anonymous!

If you want, you can change the identity under which anonymous requests are fielded. My preference (and it sounds like yours too) is that they run under the same system credentials as my site's app pool. To make IIS do that, do the following:

  1. Open the IIS Manager (inetmgr)
  2. In the "Connections" panel, drill down to your site's node and select it
  3. In the right-hand panel, under the "IIS" group, double click the "Authentication" icon.
  4. Right-click on "Anonymous Authentication" and choose "Edit..." from the context menu.
  5. In the popup dialog, select the "Application pool identity" radio button.
  6. Click OK.

Step 5 also confused me at first, because I thought "application pool identity" meant "the application pool pseudo-account" (another new feature in IIS 7.5). What it really means, of course, is "the same account the app pool is configured to run under, whatever that is."

If you want this behavior by default for all of your websites on that server, or even just a single application under a particular site, you can configure the authentication options at those levels too. Just select the node you want to configure in the Connections pane, then repeat steps 3-6.
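The same change as steps 1-6 above, scripted so it can be applied and verified on a server without the GUI. This is an added example, not part of the original answer; it assumes the WebAdministration module (IIS 7.5 or later), and the site and app pool names are placeholders.

```powershell
# Added example: set "Anonymous Authentication" to the application pool identity
# from PowerShell instead of the inetmgr dialog, then verify the result.
# Assumes the WebAdministration module; site and pool names are placeholders.
Import-Module WebAdministration

$site   = "Default Web Site"   # placeholder; use "Default Web Site/MyApp" to scope to one application
$pool   = "DefaultAppPool"     # placeholder; the pool the site above runs in
$filter = "/system.webServer/security/authentication/anonymousAuthentication"

# Current value. A non-empty userName (typically "IUSR") is why anonymous requests run as
# NT AUTHORITY\IUSR even though web.config never asked for impersonation.
$before = Get-WebConfigurationProperty -Filter $filter -Name userName -PSPath "IIS:\" -Location $site
"Before: userName = '$($before.Value)'"

# An empty userName is what the "Application pool identity" radio button (step 5) writes:
# IIS then handles anonymous requests under whatever account the pool runs as.
Set-WebConfigurationProperty -Filter $filter -Name userName -Value "" -PSPath "IIS:\" -Location $site

$after = Get-WebConfigurationProperty -Filter $filter -Name userName -PSPath "IIS:\" -Location $site
"After:  userName = '$($after.Value)'"   # expected to be empty

# Least-privilege check: anonymous requests now carry the rights of this account, so
# confirm the pool is not running as something broader than the site needs.
$identity = (Get-ItemProperty "IIS:\AppPools\$pool").processModel.identityType
"App pool '$pool' identityType = $identity"

# Equivalent appcmd call for servers without the PowerShell module:
# & "$env:windir\system32\inetsrv\appcmd.exe" set config "Default Web Site" `
#     -section:system.webServer/security/authentication/anonymousAuthentication `
#     /userName:"" /commit:apphost
```

Scoping with -Location writes a <location> block in applicationHost.config, which is exactly what the inetmgr dialog does; if the authentication section is locked at a higher level the Set call fails rather than silently doing nothing.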


Why would the application attempt to log in as "NT AUTHORITY\IUSR" even though the application is (probably) not using impersonation?

If you do

    <identity impersonate="true"/>

it will impersonate the logged in user

If you do

    <identity impersonate="true" userName="contoso\Jane" password="pass"/>

it will impersonate the user set above.

But if you don't impersonate at all and use Windows authentication, it would make sense that it uses a default system account.

I do not know why it makes the first attempt as IUSR and then automatically switches to NETWORK SERVICE on subsequent requests. But I do know that when you jump from one server to another, the application pool credentials are NOT used. Unless you set an impersonated user as shown below, NETWORK SERVICE is the default account that is used to fetch resources outside the server.

    <connectionStrings>
      <add name="myConnectionString"
           connectionString="Data Source=MyServerName;Initial Catalog=MyDataBaseName;Integrated Security=True;"
           providerName="System.Data.SqlClient" />
    </connectionStrings>
    <identity impersonate="true" userName="contoso\Jane" password="pass"/>