?
Solved

ASP.NET User.Identity.Name returns wrong user

Posted on 2004-08-24
14
Medium Priority
?
3,309 Views
Last Modified: 2012-08-13
I currently have an ASP.NET web application which uses the User.Identity.Name property to retrieve the currently authenticated user's name DOMAIN\username.  I then look this value up in a database table to retreive related information about that user to be used in the web site.  This works perfectly fine.

When I get many simultaneous requests, sometimes users get a different user's information back.  It is like the requests are getting mixed up with each other.  

I realize that this could possibly be a sql server issue, but I figured I would start here.  Has anyone seen this issue before or can you point me in a direction for a fix?

Environment: Windows 2000 SP4, .NET Framework 1.1, IIS 5.0.

P.S.  I have also tried using Request.ServerVariables("AUTH_USER") to get the user name and it produces the same result.

Thanks in advance for any help you can provide.

0
Comment
Question by:ts96gt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 2

Expert Comment

by:lgawlik
ID: 11887420
Can you post a few bits of code?
I imagine the problem probably lies in your code related to SQL connections.

The DOMAIN\username isn't changing, but the data you are getting back from the SQL requests that doesn't properly match the HttpContext.Current.User.Identity.Name (or Request.ServerVariables("AUTH_USER")), correct?

LGawlik
0
 
LVL 8

Expert Comment

by:trevorhartman
ID: 11887573
do you need to log the user out before logging in as another user?

FormsAuthentication.SignOut()
0
 
LVL 10

Expert Comment

by:avidya
ID: 11887955
Hi,

had the same problem.
Seems to be related with the time it takes to send the data.

Just add a double check for User.Identity.Name <-> db in the page after recieving the data.
If <> then request details again
if = then proceed
0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 

Author Comment

by:ts96gt
ID: 11891221
lgawlik,
  Your assumption is correct.  The User.Identity.Name remains constant, but the info coming back from the database is for another user that has attempted to access the same application at the same time.

I have a "person" class.  The constructor takes an NT Login as the parameter and uses a SQLConnection and SQLCommand object to execute a stored procedure into a SQLDataReader object to load pertinent information into it's class members.

The connection string is accessed from the web.config file and is posted below:
Data Source=SERVER,1433;Network Library=DBMSSOCN;Initial Catalog=DBNAME;User ID=DBUSER;Password=DBUSERPASSWORD;Application Name=APPNAME;

Stored procedure code:
select
  [a].first_name,
  [a].last_name
from
  table1 [a],
  table2 [b],
  table3 [c]
where
  [a].nt_login = @nt_login
  and [a].nt_login = [b].ntlogin
  and [b].ntlogin = [c].nt_login

trevorhartman,
  I am not using forms authentication, it is more just getting info about a user, not logging them in to the app.  Kind of like an auto-login I guess.

avidya,
  That seems like a logical solution, but does not seem practical from a performance perspective.  I have about 5,000 users on this application and at any given time could have 1,500 - 2,000 concurrent, this would greatly increase the amount of database accesses necessary for the application to function correctly.  This may be something I implement in the interim, but I am looking for more of a long term solution because I have quite a few other applications on my development schedule that will have the same user base.  I will allocate points accordingly depending on subsequent comments.
0
 

Author Comment

by:ts96gt
ID: 11891578
ISSUE UPDATE:
  I tried the code that avidya suggested and the validation test passes every time.  It seems that I am getting the wrong user context from the User.Identity.Name.  When requests are submitted at the same time, I get the context of another user that submitted their request at the same time as me.  Could this be an issue with IIS authentication?
0
 

Author Comment

by:ts96gt
ID: 11891603
I have Integrated Windows Authentication setting set for this web site in IIS.
0
 
LVL 10

Expert Comment

by:avidya
ID: 11895209

very strange indeed.
Few notes:
- does the eventviewer has anything to say?
- Do you get also the wrong user when not using the sql request?
(You can check if the wrong user is assigned by displaying it)

This one explains ASP.NET Identity Matrix:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod38.asp

This might help in general, so you better understand the model:
http://search.microsoft.com/search/results.aspx?qu=IIS+asp.net+user&View=msdn&st=b&c=4&s=1&swc=4

This one explains a lot about IIS and AD
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp
0
 

Author Comment

by:ts96gt
ID: 11896172
Those are good articles.  The strange part is that the model holds true in my scenario during regular usage.  The strange (scarey) part is that when I get three or four peope to hit this link simultaneously at a rapid pace (20-30 hits each), user's sometimes get different people's context.  I display the user name and shows the wrong user's name.

Event viewer had nothing.  

I tried using "impersontaion = true" in the web.config with "Integrated Windows Authentication" set on the application directory in IIS and still produces the same result.
0
 

Author Comment

by:ts96gt
ID: 12111719
I tried to break this issue down to a bear bones test.  I created a simple aspx page with one line of code in the page load event.

Response.Write(User.Identity.Name)

When I get two or three people to try to hit the page simultaneously, I/they get a different context returned to the screen other than theirs.  This seems to definitely be an issue related to ISS/Impersonation/Windows Autentication?  I am not sure.  

avidya,
  I don't know if stress testing it through that method would really tell me anything.  I know what the issue is, I just don't know why it is happening or how to fix it.  

Things I have tried:
  * Set the application directory priority to "High" in IIS so that it would run under it's own process thread (trying to isolate the app)
  * Setup impersonation in the web.config file and used System.Environment.Username to get the username.  Same issue still occurs.

I have used Request.ServerVariables("AUTH_USER"), System.Indentity.User.name, System.Environment.Username (with impersontation) all providing the same results.

Anyone have any other ideas?  I will award more points if anyone can get me a resolution...

I appreciate all of your help thus far.
0
 
LVL 10

Accepted Solution

by:
avidya earned 1500 total points
ID: 12114898
Hi ts,

I agree, it remains verry strange...

Since you now can reproduce the problem, I would contact Microsoft and ask their advise.

In the mean time...

Did you do the test as following?

aspx page test 1
Response.Write(User.Identity.Name) &" = UserIdentityName"

aspx page test 2
Response.Write(System.Environment.Username) &" = SystemEnvironmentUsername"

aspxpage test 3
Response.Write(AUTH_USER)  &" = AUTH_USER"

Maybe it's also an idea to set up an clean testweb with ISS set to authirized an only Windows authentification and test again with the aspx pages?
0
 

Author Comment

by:ts96gt
ID: 12114969
Yes.  I had tried all three of those tests to no avail.  

I figured I would end up going to Microsoft, just wanted to save a couple hundred dollars.  If I could.

I gave you half the points now and if no other responses come in, you get the rest.  

I appreciate your help with this.
0
 
LVL 10

Expert Comment

by:avidya
ID: 12115117
Hi ts,

maybe this helps saving the bucks?

This aticle explains step by step how to setup authentification:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315736

This is a Microsoft community Website, which was created to promote open collaboration between you, the .NET developer, and the .NET Framework team
http://www.gotdotnet.com/
0
 
LVL 2

Expert Comment

by:sfotex
ID: 12449146
I'm think I'm seeing something similiar, did Microsoft have any idead?

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Color can increase conversions, create feelings of warmth or even incite people to get behind a cause. If you want your website to really impact site visitors, then it is vital to consider the impact color has on them.
Dramatic changes are revolutionizing how we build and use technology. Every company is automating, digitizing, and modernizing operations. We need a better, more connected way to work together as teams so we can harness the insights from our system…
The viewer will learn how to count occurrences of each item in an array.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question