Solved

ASP.NET User.Identity.Name returns wrong user

Posted on 2004-08-24
Last Modified: 2012-08-13
I currently have an ASP.NET web application which uses the User.Identity.Name property to retrieve the currently authenticated user's name DOMAIN\username.  I then look this value up in a database table to retrieve related information about that user to be used in the web site.  This works perfectly fine.

When I get many simultaneous requests, sometimes users get a different user's information back.  It is like the requests are getting mixed up with each other.  

I realize that this could possibly be a sql server issue, but I figured I would start here.  Has anyone seen this issue before or can you point me in a direction for a fix?

Environment: Windows 2000 SP4, .NET Framework 1.1, IIS 5.0.

P.S.  I have also tried using Request.ServerVariables("AUTH_USER") to get the user name and it produces the same result.

Thanks in advance for any help you can provide.

Question by:ts96gt
14 Comments
 
LVL 2

Expert Comment

by:lgawlik
Can you post a few bits of code?
I imagine the problem probably lies in your code related to SQL connections.

The DOMAIN\username isn't changing, but the data you are getting back from the SQL requests doesn't properly match the HttpContext.Current.User.Identity.Name (or Request.ServerVariables("AUTH_USER")), correct?

LGawlik
0
 
LVL 8

Expert Comment

by:trevorhartman
Do you need to log the user out before logging in as another user?

FormsAuthentication.SignOut()
0
 
LVL 10

Expert Comment

by:avidya
Hi,

I had the same problem.
It seems to be related to the time it takes to send the data.

Just add a double check for User.Identity.Name <-> db in the page after receiving the data.
If <> then request details again
if = then proceed
0
 

Author Comment

by:ts96gt
lgawlik,
  Your assumption is correct.  The User.Identity.Name remains constant, but the info coming back from the database is for another user that has attempted to access the same application at the same time.

I have a "person" class.  The constructor takes an NT Login as the parameter and uses a SQLConnection and SQLCommand object to execute a stored procedure into a SQLDataReader object to load pertinent information into its class members.

The connection string is accessed from the web.config file and is posted below:
Data Source=SERVER,1433;Network Library=DBMSSOCN;Initial Catalog=DBNAME;User ID=DBUSER;Password=DBUSERPASSWORD;Application Name=APPNAME;

Stored procedure code:
select
  [a].first_name,
  [a].last_name
from
  table1 [a],
  table2 [b],
  table3 [c]
where
  [a].nt_login = @nt_login
  and [a].nt_login = [b].ntlogin
  and [b].ntlogin = [c].nt_login

trevorhartman,
  I am not using forms authentication, it is more just getting info about a user, not logging them in to the app.  Kind of like an auto-login I guess.

avidya,
  That seems like a logical solution, but does not seem practical from a performance perspective.  I have about 5,000 users on this application and at any given time could have 1,500 - 2,000 concurrent, this would greatly increase the amount of database accesses necessary for the application to function correctly.  This may be something I implement in the interim, but I am looking for more of a long term solution because I have quite a few other applications on my development schedule that will have the same user base.  I will allocate points accordingly depending on subsequent comments.
0
 

Author Comment

by:ts96gt
ISSUE UPDATE:
  I tried the code that avidya suggested and the validation test passes every time.  It seems that I am getting the wrong user context from the User.Identity.Name.  When requests are submitted at the same time, I get the context of another user that submitted their request at the same time as me.  Could this be an issue with IIS authentication?
0
 

Author Comment

by:ts96gt
I have Integrated Windows Authentication setting set for this web site in IIS.
0
 
LVL 10

Expert Comment

by:avidya
Very strange indeed.
A few notes:
- Does the event viewer have anything to say?
- Do you also get the wrong user when not using the SQL request?
(You can check if the wrong user is assigned by displaying it)

This one explains ASP.NET Identity Matrix:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod38.asp

This might help in general, so you better understand the model:
http://search.microsoft.com/search/results.aspx?qu=IIS+asp.net+user&View=msdn&st=b&c=4&s=1&swc=4

This one explains a lot about IIS and AD
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp
0
 

Author Comment

by:ts96gt
Those are good articles.  The strange part is that the model holds true in my scenario during regular usage.  The strange (scary) part is that when I get three or four people to hit this link simultaneously at a rapid pace (20-30 hits each), users sometimes get different people's context.  I display the user name and it shows the wrong user's name.

Event viewer had nothing.  

I tried using "impersonation = true" in the web.config with "Integrated Windows Authentication" set on the application directory in IIS and it still produces the same result.
0
 
LVL 10

Expert Comment

by:avidya
0
 

Author Comment

by:ts96gt
I tried to break this issue down to a bare-bones test.  I created a simple aspx page with one line of code in the page load event.

Response.Write(User.Identity.Name)

When I get two or three people to try to hit the page simultaneously, I/they get a different context returned to the screen other than theirs.  This seems to definitely be an issue related to IIS/Impersonation/Windows Authentication?  I am not sure.  

avidya,
  I don't know if stress testing it through that method would really tell me anything.  I know what the issue is, I just don't know why it is happening or how to fix it.  

Things I have tried:
  * Set the application directory priority to "High" in IIS so that it would run under its own process thread (trying to isolate the app)
  * Setup impersonation in the web.config file and used System.Environment.Username to get the username.  Same issue still occurs.

I have used Request.ServerVariables("AUTH_USER"), System.Indentity.User.name, System.Environment.Username (with impersonation) all providing the same results.

Anyone have any other ideas?  I will award more points if anyone can get me a resolution...

I appreciate all of your help thus far.
0
 
LVL 10

Accepted Solution

by:
avidya earned 500 total points
Hi ts,

I agree, it remains very strange...

Since you now can reproduce the problem, I would contact Microsoft and ask their advice.

In the meantime...

Did you do the test as follows?

aspx page test 1
Response.Write(User.Identity.Name & " = UserIdentityName")

aspx page test 2
Response.Write(System.Environment.UserName & " = SystemEnvironmentUsername")

aspx page test 3
Response.Write(Request.ServerVariables("AUTH_USER") & " = AUTH_USER")

Maybe it's also an idea to set up a clean test web with IIS set to authorized and only Windows authentication, and test again with the aspx pages?
0
 

Author Comment

by:ts96gt
Yes.  I had tried all three of those tests to no avail.  

I figured I would end up going to Microsoft, just wanted to save a couple hundred dollars.  If I could.

I gave you half the points now and if no other responses come in, you get the rest.  

I appreciate your help with this.
0
 
LVL 10

Expert Comment

by:avidya
Hi ts,

Maybe this helps save the bucks?

This article explains step by step how to set up authentication:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315736

This is a Microsoft community Website, which was created to promote open collaboration between you, the .NET developer, and the .NET Framework team
http://www.gotdotnet.com/
0
 
LVL 2

Expert Comment

by:sfotex
I think I'm seeing something similar; did Microsoft have any ideas?

0
