
Anonymous authentication and impersonation - Part 86

Suggested Videos
Part 83 - Applications isolation using application pools
Part 84 - Application pools in IIS Security
Part 85 - Anonymous authentication

Please watch Part 85 before watching this video. In Part 85, we discussed that IIS provides anonymous access to resources using the IUSR account. Once the request is handed over to ASP.NET, the application code is executed using the application pool identity.

In this video, we will discuss the effects of turning impersonation on, with anonymous access.

In the "C:\Data" folder, create an XML file with the name Countries.xml (the file needs a root element so that DataSet.ReadXml can load it):
<?xml version="1.0" encoding="utf-8" ?>
<Countries>
  <Continent>North America</Continent>
</Countries>

Create a web application. Drag and drop a gridview control and a button control on the webform. Copy and paste the following code in WebForm1.aspx.cs (add the using directive at the top of the file):
using System;
using System.Data;

protected void Page_Load(object sender, EventArgs e)
{
    // The Windows account the page code is actually running as: the application pool
    // identity, or the impersonated account when impersonation is enabled.
    Response.Write("Application code executed using ");
    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name + "<br/>");

    // The request user, as seen by ASP.NET. With anonymous access this is not authenticated.
    Response.Write("Is User Authenticated: ");
    Response.Write(User.Identity.IsAuthenticated.ToString() + "<br/>");

    Response.Write("Authentication Type, if Authenticated: ");
    Response.Write(User.Identity.AuthenticationType + "<br/>");

    Response.Write("User Name, if Authenticated: ");
    Response.Write(User.Identity.Name + "<br/>");
}

protected void Button1_Click(object sender, EventArgs e)
{
    // The file is read under the identity printed in Page_Load, so that account
    // needs NTFS read permission on C:\Data for this to succeed.
    DataSet ds = new DataSet();
    ds.ReadXml(@"C:\Data\Countries.xml");
    GridView1.DataSource = ds;
    GridView1.DataBind();
}

To enable impersonation, set impersonate="true" for the identity element in web.config. 
  <identity impersonate="true" />

Impersonation can also be enabled or disabled from IIS. 
1. Select the web application in IIS
2. Double click on "Authentication" icon
3. Select ASP.NET Impersonation
4. Click "Disable" or "Enable" link under actions in the right hand side panel in IIS. 
5. This will automatically change the web.config file.

At this point, if you run the application, you may get an error stating 
HTTP Error 500.24 - Internal Server Error
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode.

To correct this, we need to set the "Managed pipeline mode" of the DefaultAppPool to "Classic".

Run the application and notice that the application code is now executed using the 'NT AUTHORITY\IUSR' account instead of 'IIS APPPOOL\DefaultAppPool'.

So, when the application uses anonymous authentication and
1. If IMPERSONATION is disabled, then, the application pool identity is used to execute the application code
2. If IMPERSONATION is enabled, then, 'NT AUTHORITY\IUSR' account is used to execute the application code

When to use Application Pool Identity over IUSR
If there are 2 or more websites hosted on a machine with IUSR as the anonymous account, then they can access each other's content. If we want to isolate each application's content, the applications can be deployed to different application pools, and the NTFS file permissions can be set for the respective application pool identity. We discussed this in Part 84 - Application pools in IIS Security.
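The following PowerShell script is an added example, not part of the original tutorial: it applies the rule above (impersonation on means the anonymous account, IUSR by default, runs the code; impersonation off means the application pool identity does) to a given site, and then shows which of those accounts the content folder's NTFS ACL actually grants rights to. It assumes the WebAdministration module that ships with IIS, an elevated prompt, and placeholder values for the site name and content folder.

```powershell
# Added example: determine the account that executes page code under anonymous
# authentication and inspect the content folder ACL for it. Site name and folder
# are placeholders; adjust them to your environment.
Import-Module WebAdministration

$siteName   = 'Default Web Site'   # assumption: your site name
$contentDir = 'C:\Data'            # folder read by the page through DataSet.ReadXml

$site     = Get-Website -Name $siteName
$pool     = $site.applicationPool
$poolMode = (Get-Item "IIS:\AppPools\$pool").managedPipelineMode
$psPath   = "IIS:\Sites\$siteName"

# Anonymous authentication settings live under system.webServer; the ASP.NET
# impersonation switch is the <identity impersonate="..."/> element in system.web.
$anon = Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name '*'
$impersonate = (Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.web/identity' -Name 'impersonate').Value

$poolIdentity = "IIS APPPOOL\$pool"
# An empty userName means IIS maps anonymous requests to the app pool identity;
# the default userName is IUSR, which is the setup the tutorial describes.
$anonAccount = if ([string]::IsNullOrEmpty($anon.userName)) { $poolIdentity } else { $anon.userName }

if (-not $anon.enabled) {
    Write-Warning "Anonymous authentication is disabled on '$siteName'; this check covers anonymous access only."
}
$effective = if ($impersonate) { $anonAccount } else { $poolIdentity }

Write-Host "Application pool      : $pool ($poolMode pipeline)"
Write-Host "Impersonation enabled : $impersonate"
Write-Host "Code executes as      : $effective"
if ($impersonate -and $poolMode -eq 'Integrated') {
    Write-Warning 'impersonate="true" with Integrated pipeline mode fails with HTTP Error 500.24.'
}

# Only $effective needs rights on the folder. Rights granted to the other candidate
# account, or to broad groups, let sites sharing that account read this content.
$acl = Get-Acl -Path $contentDir
foreach ($rule in $acl.Access) {
    $id = $rule.IdentityReference.Value
    if ($id -in @($poolIdentity, $anonAccount, 'NT AUTHORITY\IUSR', 'BUILTIN\Users', 'Everyone')) {
        Write-Host ("  {0,-28} {1,-6} {2}" -f $id, $rule.AccessControlType, $rule.FileSystemRights)
    }
}
```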
