- ASP.NET applications (ASP.NET 1.0, and ASP.NET 1.1 on IIS 5.x) run as the local ASPNET user.
- ASP.NET 1.1 applications that run on IIS 6.0 in worker process isolation mode run as the application pool identity, which is the NetworkService user (NT AUTHORITY\NETWORK SERVICE) by default.
- ASP 3.0 applications run as the IIS anonymous user (IUSR_ComputerName), or in the context of the authenticated user if the application requires authentication.
Change the Security Context for Anonymous Users
By default, anonymous requests that are handled by ASP.NET run in the context of the local ASPNET user account (or the NetworkService account for ASP.NET 1.1 applications that run on IIS 6.0). This account behaves similarly to the IUSR_ComputerName account that IIS 5.0 uses for anonymous requests. You can grant anonymous ASP.NET requests access to the same resources that anonymous ASP 3.0 requests have access to. To do this, add the ASPNET user account (or the NetworkService account for ASP.NET 1.1 applications that run on IIS 6.0) to every access control list (ACL) where the IUSR_ComputerName account appears. This may include NTFS file system permissions and database logins. Grant the worker process account only the rights that IUSR_ComputerName actually has; do not make an access problem go away by adding it to groups such as Administrators or Power Users.
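The ACL step above can be done with cacls or the Security tab in Explorer, but on a large content tree it is easy to miss an entry. The following is an added example, not code from the article, that copies every explicit NTFS ACE held by IUSR_ComputerName under a directory tree to the worker process account. It assumes .NET Framework 2.0 or later (for System.Security.AccessControl), an account that is allowed to read and change the ACLs, and that the target is the local ASPNET account unless you pass another name on the command line (for IIS 6.0, NT AUTHORITY\NETWORK SERVICE). The paths in the usage comments are placeholders.

```csharp
// MirrorAces.cs: give the ASP.NET worker process account the same explicit NTFS
// permissions that IUSR_ComputerName already has under a content tree.
// Added example for this article, not code from the article. Requires .NET
// Framework 2.0 or later (System.Security.AccessControl) and an account that can
// read and change the ACLs (run it from an administrative command prompt).
//   csc MirrorAces.cs
//   MirrorAces.exe C:\Inetpub\wwwroot\MyApp                         (target: ASPNET)
//   MirrorAces.exe C:\Inetpub\wwwroot\MyApp "NT AUTHORITY\NETWORK SERVICE"
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class MirrorAces
{
    static int Main(string[] args)
    {
        if (args.Length < 1 || args.Length > 2)
        {
            Console.Error.WriteLine("usage: MirrorAces <root directory> [target account]");
            return 1;
        }
        string root = args[0];
        string machine = Environment.MachineName;
        // Account whose ACEs are copied: the IIS anonymous account.
        string source = machine + "\\IUSR_" + machine;
        // Account that receives the copies: the local ASPNET account by default.
        NTAccount target = new NTAccount(args.Length == 2 ? args[1] : machine + "\\ASPNET");
        // Resolve the target once so a mistyped account name fails here, not per file.
        target.Translate(typeof(SecurityIdentifier));

        int changed = MirrorTree(root, source, target);
        Console.WriteLine("Updated ACLs on {0} file system objects under {1}", changed, root);
        return 0;
    }

    // Walk the tree depth-first. Returns the number of objects whose ACL changed.
    static int MirrorTree(string dir, string source, NTAccount target)
    {
        int changed = 0;
        try
        {
            DirectorySecurity dirSec = Directory.GetAccessControl(dir, AccessControlSections.Access);
            if (CopyExplicitRules(dirSec, source, target))
            {
                Directory.SetAccessControl(dir, dirSec);
                changed++;
            }
            foreach (string file in Directory.GetFiles(dir))
            {
                FileSecurity fileSec = File.GetAccessControl(file, AccessControlSections.Access);
                if (CopyExplicitRules(fileSec, source, target))
                {
                    File.SetAccessControl(file, fileSec);
                    changed++;
                }
            }
            foreach (string sub in Directory.GetDirectories(dir))
            {
                changed += MirrorTree(sub, source, target);
            }
        }
        catch (UnauthorizedAccessException ex)
        {
            // Report and continue; one locked-down folder should not abort the run.
            Console.Error.WriteLine("skipped {0}: {1}", dir, ex.Message);
        }
        return changed;
    }

    // Copy only the explicit (non-inherited) ACEs for `source` to `target`.
    // Inherited ACEs are skipped: once the parent carries the new ACE with the
    // same inheritance flags, children receive it through inheritance. Allow and
    // Deny entries are both mirrored so the target ends up with the same access
    // as IUSR_ComputerName, not broader access.
    static bool CopyExplicitRules(FileSystemSecurity sec, string source, NTAccount target)
    {
        bool added = false;
        foreach (FileSystemAccessRule rule in sec.GetAccessRules(true, false, typeof(NTAccount)))
        {
            if (!string.Equals(rule.IdentityReference.Value, source, StringComparison.OrdinalIgnoreCase))
            {
                continue;
            }
            FileSystemAccessRule copy = new FileSystemAccessRule(
                target, rule.FileSystemRights, rule.InheritanceFlags,
                rule.PropagationFlags, rule.AccessControlType);
            sec.AddAccessRule(copy);
            added = true;
        }
        return added;
    }
}
```

Run it against the content root of the application, not the whole drive, and review the result with cacls afterwards; the program copies Deny entries as well as Allow entries on purpose, so the worker process account never ends up with more access than the anonymous account it is being aligned with.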
Alternatively, you can force ASP.NET to use the IUSR_ComputerName account. To do this, clear the Allow IIS To Control Password option for the IUSR_ComputerName account so that the account has a fixed password that you know, and then put that user name and password, in plain text, in the userName and password attributes of the <processModel> element in the Web.config file.
Note The password is stored in clear text in Web.config. ASP.NET does not serve .config files to browsers, but anyone who can read the file on disk (through NTFS permissions, a file share, a backup, or source control) obtains the IUSR_ComputerName password. Check that this meets the security requirements of your organization before you use it.
To force ASP.NET to use the IUSR_ComputerName account, follow these steps:
- Run Internet Services Manager from the Administrative Tools folder on the server.
- Right-click the virtual server or the virtual folder and then click Properties.
- In the Properties dialog box, click the Directory Security tab.
- In Anonymous Access And Authentication Control, click Edit.
- In the Authentication Methods dialog box, click Edit next to the Account Used For Anonymous Access label.
- In the Anonymous User Account dialog box, click to clear the Allow IIS To Control Password check box.
- In the Password field, type the new password for the account, click OK, and then close Internet Services Manager.
- In Computer Management (Local Users and Groups), reset the password for the IUSR_ComputerName account to the new password that you assigned in the previous step.
- Use a text editor such as Notepad to open the Web.config file. The Web.config file is located in the root directory of the application.
- Add the <processModel> configuration element under the <system.web> element of the Web.config file for the application.
Note Before you add <processModel> to the Web.config file, make sure that the allowDefinition attribute on the <section name="processModel"> declaration in the Machine.config file is set to Everywhere. By default, the value of this attribute is MachineOnly, and a <processModel> element in Web.config is then rejected with a configuration error. Also note that ASP.NET 1.1 on IIS 6.0 in worker process isolation mode ignores the <processModel> element; there, the worker process identity is set on the application pool instead.
- Configure the userName attribute and the password attribute of the <processModel> element. Use the user name and the password that are assigned to the IUSR_ComputerName account.
- Save the Web.config file. The ASP.NET worker process restarts automatically.
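Put together, the Web.config change from the steps above looks like this. It is an added example, not a fragment from the article: MACHINE stands for the server's computer name, and the password value is a placeholder for the password you set on the IUSR_ComputerName account.

```xml
<configuration>
  <system.web>
    <!-- Runs the ASP.NET worker process (aspnet_wp.exe) as the IIS anonymous account.
         Honored only when Machine.config declares the processModel section with
         allowDefinition="Everywhere"; with the default MachineOnly, ASP.NET reports
         a configuration error for this element. -->
    <processModel enable="true"
                  userName="MACHINE\IUSR_MACHINE"
                  password="replace-with-the-IUSR-password" />
  </system.web>
</configuration>
```

Two things to check after the change. First, the account that runs aspnet_wp.exe needs the rights the ASPNET account was given at install time, in particular write access to the Temporary ASP.NET Files folder used for dynamic compilation; without them pages fail to compile. Second, because the file now holds a password, restrict the NTFS ACL on Web.config to administrators and the worker process account, and keep it out of backups and source control that other people can read.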
Enable Impersonation for Authenticated Users
To enable impersonation for authenticated users, you must change three configuration elements in the <system.web> element of the Web.config file for the application. These changes mimic the behavior of an ASP 3.0 application that requires authentication and then requests resources by using the authenticated account of the user.
- You must set the authentication mode to Windows. When you do this, IIS challenges the browser on the first request to the ASP.NET application; the browser either prompts the user for a Windows user name and password or, with Integrated Windows authentication, responds silently with the credentials of the logged-on user. You set the authentication mode by adding the <authentication> element to the <system.web> element with the attribute mode="Windows".
- The <authorization> element configures ASP.NET to refuse all unauthenticated users. Define this by adding the <authorization> element with the <deny users="?" /> sub tag; the question mark stands for anonymous users.
- The <identity> element configures ASP.NET to impersonate the authenticated user. With impersonate="true" and the userName and password attributes left blank, ASP.NET uses the credentials of the authenticated user (the token IIS passed in) when it accesses resources; if you supply a userName and password instead, every request impersonates that fixed account regardless of who is authenticated. Note that a token obtained through Integrated Windows (NTLM) authentication is a network logon and cannot be used to reach resources on other servers; Basic authentication or Kerberos delegation is required for that.
To define all elements to force authentication and to enable ASP.NET to impersonate the authenticated users, follow this example:
<system.web>
   <authentication mode="Windows" />
   <authorization>
      <deny users="?" />
   </authorization>
   <identity impersonate="true" userName="" password="" />
</system.web>
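To confirm which account a request actually runs under, either after changing the worker process identity with <processModel> or after enabling impersonation as above, you can drop a diagnostic page into the application. This is an added example written in C# inside an ASP.NET page; it is not code from the article. probe.txt is a hypothetical file you create in the application root with a restrictive ACL, so that you can see whether the current thread identity can read it. Remove the page when you are done, since it reveals account names and paths to anyone who can request it.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // whoami.aspx: report the identities that matter for resource access.
    // Added diagnostic for this article; not code from the article itself.
    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // 1. The Windows token on the request thread. This is the identity that
        //    file, registry and integrated-security database access checks see.
        //    Without <identity impersonate="true"/> it is the worker process
        //    account: ASPNET, NetworkService, or the <processModel> userName.
        //    With impersonation it is the token IIS passed in: the authenticated
        //    user, or IUSR_ComputerName for an anonymous request.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        Response.Write("Thread identity (used for resource access): " + thread.Name + "\r\n");

        // 2. The principal ASP.NET attached to the request. With
        //    <authentication mode="Windows"/> and <deny users="?"/> this is
        //    always an authenticated user, but it is NOT used for resource
        //    access unless impersonation is turned on.
        string requestUser = (User != null && User.Identity.IsAuthenticated)
            ? User.Identity.Name + " (" + User.Identity.AuthenticationType + ")"
            : "(anonymous)";
        Response.Write("Request identity (HttpContext.User): " + requestUser + "\r\n");

        // 3. Probe: open a file in the application root. Whether this works is
        //    decided by the thread identity above. probe.txt is a hypothetical
        //    file: create it and give it an ACL that only some accounts can read.
        string probe = Path.Combine(Request.PhysicalApplicationPath, "probe.txt");
        try
        {
            using (StreamReader reader = File.OpenText(probe))
            {
                Response.Write("probe.txt: readable, first line = " + reader.ReadLine() + "\r\n");
            }
        }
        catch (UnauthorizedAccessException)
        {
            Response.Write("probe.txt: access denied for " + thread.Name + "\r\n");
        }
        catch (FileNotFoundException)
        {
            Response.Write("probe.txt: not found; create it in " + Request.PhysicalApplicationPath + "\r\n");
        }
    }
</script>
```

Request the page once with impersonation off and once with it on. In the first case the thread identity stays the worker process account even though the request identity is the authenticated user; in the second case the two match, and the probe result changes with whichever account is on the thread.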