ASP.NET User.Identity.Name returns wrong user

I currently have an ASP.NET web application which uses the User.Identity.Name property to retrieve the currently authenticated user's name DOMAIN\username.  I then look this value up in a database table to retreive related information about that user to be used in the web site.  This works perfectly fine.

When I get many simultaneous requests, sometimes users get a different user's information back.  It is like the requests are getting mixed up with each other.  

I realize that this could possibly be a sql server issue, but I figured I would start here.  Has anyone seen this issue before or can you point me in a direction for a fix?

Environment: Windows 2000 SP4, .NET Framework 1.1, IIS 5.0.

P.S.  I have also tried using Request.ServerVariables("AUTH_USER") to get the user name and it produces the same result.

Thanks in advance for any help you can provide.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Can you post a few bits of code?
I imagine the problem probably lies in your code related to SQL connections.

The DOMAIN\username isn't changing, but the data you are getting back from the SQL requests that doesn't properly match the HttpContext.Current.User.Identity.Name (or Request.ServerVariables("AUTH_USER")), correct?

do you need to log the user out before logging in as another user?


had the same problem.
Seems to be related with the time it takes to send the data.

Just add a double check for User.Identity.Name <-> db in the page after recieving the data.
If <> then request details again
if = then proceed
Fundamentals of JavaScript

Learn the fundamentals of the popular programming language JavaScript so that you can explore the realm of web development.

ts96gtAuthor Commented:
  Your assumption is correct.  The User.Identity.Name remains constant, but the info coming back from the database is for another user that has attempted to access the same application at the same time.

I have a "person" class.  The constructor takes an NT Login as the parameter and uses a SQLConnection and SQLCommand object to execute a stored procedure into a SQLDataReader object to load pertinent information into it's class members.

The connection string is accessed from the web.config file and is posted below:
Data Source=SERVER,1433;Network Library=DBMSSOCN;Initial Catalog=DBNAME;User ID=DBUSER;Password=DBUSERPASSWORD;Application Name=APPNAME;

Stored procedure code:
  table1 [a],
  table2 [b],
  table3 [c]
  [a].nt_login = @nt_login
  and [a].nt_login = [b].ntlogin
  and [b].ntlogin = [c].nt_login

  I am not using forms authentication, it is more just getting info about a user, not logging them in to the app.  Kind of like an auto-login I guess.

  That seems like a logical solution, but does not seem practical from a performance perspective.  I have about 5,000 users on this application and at any given time could have 1,500 - 2,000 concurrent, this would greatly increase the amount of database accesses necessary for the application to function correctly.  This may be something I implement in the interim, but I am looking for more of a long term solution because I have quite a few other applications on my development schedule that will have the same user base.  I will allocate points accordingly depending on subsequent comments.
ts96gtAuthor Commented:
  I tried the code that avidya suggested and the validation test passes every time.  It seems that I am getting the wrong user context from the User.Identity.Name.  When requests are submitted at the same time, I get the context of another user that submitted their request at the same time as me.  Could this be an issue with IIS authentication?
ts96gtAuthor Commented:
I have Integrated Windows Authentication setting set for this web site in IIS.

very strange indeed.
Few notes:
- does the eventviewer has anything to say?
- Do you get also the wrong user when not using the sql request?
(You can check if the wrong user is assigned by displaying it)

This one explains ASP.NET Identity Matrix:

This might help in general, so you better understand the model:

This one explains a lot about IIS and AD
ts96gtAuthor Commented:
Those are good articles.  The strange part is that the model holds true in my scenario during regular usage.  The strange (scarey) part is that when I get three or four peope to hit this link simultaneously at a rapid pace (20-30 hits each), user's sometimes get different people's context.  I display the user name and shows the wrong user's name.

Event viewer had nothing.  

I tried using "impersontaion = true" in the web.config with "Integrated Windows Authentication" set on the application directory in IIS and still produces the same result.
ts96gtAuthor Commented:
I tried to break this issue down to a bear bones test.  I created a simple aspx page with one line of code in the page load event.


When I get two or three people to try to hit the page simultaneously, I/they get a different context returned to the screen other than theirs.  This seems to definitely be an issue related to ISS/Impersonation/Windows Autentication?  I am not sure.  

  I don't know if stress testing it through that method would really tell me anything.  I know what the issue is, I just don't know why it is happening or how to fix it.  

Things I have tried:
  * Set the application directory priority to "High" in IIS so that it would run under it's own process thread (trying to isolate the app)
  * Setup impersonation in the web.config file and used System.Environment.Username to get the username.  Same issue still occurs.

I have used Request.ServerVariables("AUTH_USER"),, System.Environment.Username (with impersontation) all providing the same results.

Anyone have any other ideas?  I will award more points if anyone can get me a resolution...

I appreciate all of your help thus far.
Hi ts,

I agree, it remains verry strange...

Since you now can reproduce the problem, I would contact Microsoft and ask their advise.

In the mean time...

Did you do the test as following?

aspx page test 1
Response.Write(User.Identity.Name) &" = UserIdentityName"

aspx page test 2
Response.Write(System.Environment.Username) &" = SystemEnvironmentUsername"

aspxpage test 3
Response.Write(AUTH_USER)  &" = AUTH_USER"

Maybe it's also an idea to set up an clean testweb with ISS set to authirized an only Windows authentification and test again with the aspx pages?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ts96gtAuthor Commented:
Yes.  I had tried all three of those tests to no avail.  

I figured I would end up going to Microsoft, just wanted to save a couple hundred dollars.  If I could.

I gave you half the points now and if no other responses come in, you get the rest.  

I appreciate your help with this.
Hi ts,

maybe this helps saving the bucks?

This aticle explains step by step how to setup authentification:;en-us;315736

This is a Microsoft community Website, which was created to promote open collaboration between you, the .NET developer, and the .NET Framework team
I'm think I'm seeing something similiar, did Microsoft have any idead?

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.