Impersonation in .Net With IIS Settings

We can implement impersonation in an ASP.NET application when the requirement is to run a whole request under a specific account, or to run only a piece of business logic under a specific account other than the service account (mainly to access network resources at runtime).
 
Impersonation can be implemented either through configuration at the application level (Web.config, IIS) or at the code level (.cs, .vb, etc. files) by using the WindowsIdentity.Impersonate method to switch to a specific account at runtime and then return to the account that was processing the request.
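The code-level approach described above, as an added example that is not from the original article: it switches the thread to the authenticated caller's Windows identity for one piece of logic and always reverts to the process identity afterwards. It assumes Windows authentication is enabled for the application; `ImpersonationHelper`, `RunAsCaller` and the UNC path in the usage comment are hypothetical names.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Hypothetical helper; the class and method names are illustrative only.
public static class ImpersonationHelper
{
    // Runs 'action' under the Windows identity of the authenticated caller,
    // then reverts the thread to the application pool (process) identity.
    public static T RunAsCaller<T>(HttpContext context, Func<T> action)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (action == null) throw new ArgumentNullException("action");

        // Assumption: Windows authentication is on, so User.Identity is a
        // WindowsIdentity. Anonymous or unauthenticated callers are rejected
        // instead of silently running under some other token.
        WindowsIdentity caller =
            context.User == null ? null : context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            throw new UnauthorizedAccessException(
                "No authenticated Windows identity to impersonate.");
        }

        // Impersonate() switches the current thread to the caller's token.
        // Disposing the returned context reverts to the process identity,
        // and 'using' guarantees that happens even if 'action' throws.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            return action();
        }
    }
}

// Usage inside a page or handler (the path is a placeholder):
// string text = ImpersonationHelper.RunAsCaller(
//     HttpContext.Current,
//     () => File.ReadAllText(@"\\fileserver\share\report.txt"));
```

Keeping the impersonated section as small as possible means the rest of the request is still evaluated against the ACLs granted to the process identity.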

In general, an ASP.NET application runs under the “Network Service” account, which is configured in the Identity section of the application pool to which the virtual directory or web site is assigned.

Fig. 1

In the picture above, the application pool is set to run under “Network Service”. It can be configured to use a different account; the precondition is that the account must be a member of the machine's “IIS_WPG” user group. “Network Service” is added to that group by default.

Fig. 2

ASP.NET does not use impersonation by default; code runs using the ASP.NET application's process identity. We can use delegation so that the impersonation token can be used to access network resources. The ability to use delegation depends on the selected authentication mechanism and appropriate account configuration.

Because we are enabling access to the resource through an account, it is mandatory to check the privileges granted to that account for accessing resources across the network; otherwise it can give access to unauthorized users. Make sure the access control list (ACL) on the resource identifies the account and grants access to the process identity.

It's important to understand the access privileges needed by the account that runs the ASP.NET application. The link below gives the detailed list of file and folder permissions the ASP.NET account needs in order to function properly.

Some permissions are required only by the account that the ASP.NET process is running as, while others are also required by any impersonated account.

ASP.NET Required Access Control Lists (ACLs)

64-bit OS
If you're running on a 64-bit OS, the account must also have permission to the folder "%SystemRoot%\Microsoft.NET\Framework64\" in addition to the "%SystemRoot%\Microsoft.NET\Framework\" folder.

For further, in-depth reading, see http://msdn.microsoft.com/en-us/library/xh507fc5(v=vs.100).aspx and the pages it links to.
Author Comment

by: santhimurthyd
Sure Mark, please proceed.