ASP.NET User.Identity.Name returns wrong user

Posted on 2004-08-24
Last Modified: 2012-08-13
I currently have an ASP.NET web application which uses the User.Identity.Name property to retrieve the currently authenticated user's name DOMAIN\username.  I then look this value up in a database table to retreive related information about that user to be used in the web site.  This works perfectly fine.

When I get many simultaneous requests, sometimes users get a different user's information back.  It is like the requests are getting mixed up with each other.  

I realize that this could possibly be a sql server issue, but I figured I would start here.  Has anyone seen this issue before or can you point me in a direction for a fix?

Environment: Windows 2000 SP4, .NET Framework 1.1, IIS 5.0.

P.S.  I have also tried using Request.ServerVariables("AUTH_USER") to get the user name and it produces the same result.

Thanks in advance for any help you can provide.

Question by:ts96gt
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 11887420
Can you post a few bits of code?
I imagine the problem probably lies in your code related to SQL connections.

The DOMAIN\username isn't changing, but the data you are getting back from the SQL requests that doesn't properly match the HttpContext.Current.User.Identity.Name (or Request.ServerVariables("AUTH_USER")), correct?


Expert Comment

ID: 11887573
do you need to log the user out before logging in as another user?

LVL 10

Expert Comment

ID: 11887955

had the same problem.
Seems to be related with the time it takes to send the data.

Just add a double check for User.Identity.Name <-> db in the page after recieving the data.
If <> then request details again
if = then proceed
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.


Author Comment

ID: 11891221
  Your assumption is correct.  The User.Identity.Name remains constant, but the info coming back from the database is for another user that has attempted to access the same application at the same time.

I have a "person" class.  The constructor takes an NT Login as the parameter and uses a SQLConnection and SQLCommand object to execute a stored procedure into a SQLDataReader object to load pertinent information into it's class members.

The connection string is accessed from the web.config file and is posted below:
Data Source=SERVER,1433;Network Library=DBMSSOCN;Initial Catalog=DBNAME;User ID=DBUSER;Password=DBUSERPASSWORD;Application Name=APPNAME;

Stored procedure code:
  table1 [a],
  table2 [b],
  table3 [c]
  [a].nt_login = @nt_login
  and [a].nt_login = [b].ntlogin
  and [b].ntlogin = [c].nt_login

  I am not using forms authentication, it is more just getting info about a user, not logging them in to the app.  Kind of like an auto-login I guess.

  That seems like a logical solution, but does not seem practical from a performance perspective.  I have about 5,000 users on this application and at any given time could have 1,500 - 2,000 concurrent, this would greatly increase the amount of database accesses necessary for the application to function correctly.  This may be something I implement in the interim, but I am looking for more of a long term solution because I have quite a few other applications on my development schedule that will have the same user base.  I will allocate points accordingly depending on subsequent comments.

Author Comment

ID: 11891578
  I tried the code that avidya suggested and the validation test passes every time.  It seems that I am getting the wrong user context from the User.Identity.Name.  When requests are submitted at the same time, I get the context of another user that submitted their request at the same time as me.  Could this be an issue with IIS authentication?

Author Comment

ID: 11891603
I have Integrated Windows Authentication setting set for this web site in IIS.
LVL 10

Expert Comment

ID: 11895209

very strange indeed.
Few notes:
- does the eventviewer has anything to say?
- Do you get also the wrong user when not using the sql request?
(You can check if the wrong user is assigned by displaying it)

This one explains ASP.NET Identity Matrix:

This might help in general, so you better understand the model:

This one explains a lot about IIS and AD

Author Comment

ID: 11896172
Those are good articles.  The strange part is that the model holds true in my scenario during regular usage.  The strange (scarey) part is that when I get three or four peope to hit this link simultaneously at a rapid pace (20-30 hits each), user's sometimes get different people's context.  I display the user name and shows the wrong user's name.

Event viewer had nothing.  

I tried using "impersontaion = true" in the web.config with "Integrated Windows Authentication" set on the application directory in IIS and still produces the same result.
LVL 10

Expert Comment

ID: 11897642

Author Comment

ID: 12111719
I tried to break this issue down to a bear bones test.  I created a simple aspx page with one line of code in the page load event.


When I get two or three people to try to hit the page simultaneously, I/they get a different context returned to the screen other than theirs.  This seems to definitely be an issue related to ISS/Impersonation/Windows Autentication?  I am not sure.  

  I don't know if stress testing it through that method would really tell me anything.  I know what the issue is, I just don't know why it is happening or how to fix it.  

Things I have tried:
  * Set the application directory priority to "High" in IIS so that it would run under it's own process thread (trying to isolate the app)
  * Setup impersonation in the web.config file and used System.Environment.Username to get the username.  Same issue still occurs.

I have used Request.ServerVariables("AUTH_USER"),, System.Environment.Username (with impersontation) all providing the same results.

Anyone have any other ideas?  I will award more points if anyone can get me a resolution...

I appreciate all of your help thus far.
LVL 10

Accepted Solution

avidya earned 500 total points
ID: 12114898
Hi ts,

I agree, it remains verry strange...

Since you now can reproduce the problem, I would contact Microsoft and ask their advise.

In the mean time...

Did you do the test as following?

aspx page test 1
Response.Write(User.Identity.Name) &" = UserIdentityName"

aspx page test 2
Response.Write(System.Environment.Username) &" = SystemEnvironmentUsername"

aspxpage test 3
Response.Write(AUTH_USER)  &" = AUTH_USER"

Maybe it's also an idea to set up an clean testweb with ISS set to authirized an only Windows authentification and test again with the aspx pages?

Author Comment

ID: 12114969
Yes.  I had tried all three of those tests to no avail.  

I figured I would end up going to Microsoft, just wanted to save a couple hundred dollars.  If I could.

I gave you half the points now and if no other responses come in, you get the rest.  

I appreciate your help with this.
LVL 10

Expert Comment

ID: 12115117
Hi ts,

maybe this helps saving the bucks?

This aticle explains step by step how to setup authentification:;en-us;315736

This is a Microsoft community Website, which was created to promote open collaboration between you, the .NET developer, and the .NET Framework team

Expert Comment

ID: 12449146
I'm think I'm seeing something similiar, did Microsoft have any idead?


Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"In order to have an organized way for empathy mapping, we rely on a psychological model and trying to model it in a simple way, so we will split the board to three section for each persona and a scenario and try to see what those personas would Do,…
Any business that wants to seriously grow needs to keep the needs and desires of an international audience of their websites in mind. Making a website friendly to international users isn’t prohibitively expensive and can provide an incredible return…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question