[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


ASP.NET User.Identity.Name returns wrong user

Posted on 2004-08-24
Medium Priority
Last Modified: 2012-08-13
I currently have an ASP.NET web application which uses the User.Identity.Name property to retrieve the currently authenticated user's name DOMAIN\username.  I then look this value up in a database table to retreive related information about that user to be used in the web site.  This works perfectly fine.

When I get many simultaneous requests, sometimes users get a different user's information back.  It is like the requests are getting mixed up with each other.  

I realize that this could possibly be a sql server issue, but I figured I would start here.  Has anyone seen this issue before or can you point me in a direction for a fix?

Environment: Windows 2000 SP4, .NET Framework 1.1, IIS 5.0.

P.S.  I have also tried using Request.ServerVariables("AUTH_USER") to get the user name and it produces the same result.

Thanks in advance for any help you can provide.

Question by:ts96gt
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 11887420
Can you post a few bits of code?
I imagine the problem probably lies in your code related to SQL connections.

The DOMAIN\username isn't changing, but the data you are getting back from the SQL requests that doesn't properly match the HttpContext.Current.User.Identity.Name (or Request.ServerVariables("AUTH_USER")), correct?


Expert Comment

ID: 11887573
do you need to log the user out before logging in as another user?

LVL 10

Expert Comment

ID: 11887955

had the same problem.
Seems to be related with the time it takes to send the data.

Just add a double check for User.Identity.Name <-> db in the page after recieving the data.
If <> then request details again
if = then proceed
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?


Author Comment

ID: 11891221
  Your assumption is correct.  The User.Identity.Name remains constant, but the info coming back from the database is for another user that has attempted to access the same application at the same time.

I have a "person" class.  The constructor takes an NT Login as the parameter and uses a SQLConnection and SQLCommand object to execute a stored procedure into a SQLDataReader object to load pertinent information into it's class members.

The connection string is accessed from the web.config file and is posted below:
Data Source=SERVER,1433;Network Library=DBMSSOCN;Initial Catalog=DBNAME;User ID=DBUSER;Password=DBUSERPASSWORD;Application Name=APPNAME;

Stored procedure code:
  table1 [a],
  table2 [b],
  table3 [c]
  [a].nt_login = @nt_login
  and [a].nt_login = [b].ntlogin
  and [b].ntlogin = [c].nt_login

  I am not using forms authentication, it is more just getting info about a user, not logging them in to the app.  Kind of like an auto-login I guess.

  That seems like a logical solution, but does not seem practical from a performance perspective.  I have about 5,000 users on this application and at any given time could have 1,500 - 2,000 concurrent, this would greatly increase the amount of database accesses necessary for the application to function correctly.  This may be something I implement in the interim, but I am looking for more of a long term solution because I have quite a few other applications on my development schedule that will have the same user base.  I will allocate points accordingly depending on subsequent comments.

Author Comment

ID: 11891578
  I tried the code that avidya suggested and the validation test passes every time.  It seems that I am getting the wrong user context from the User.Identity.Name.  When requests are submitted at the same time, I get the context of another user that submitted their request at the same time as me.  Could this be an issue with IIS authentication?

Author Comment

ID: 11891603
I have Integrated Windows Authentication setting set for this web site in IIS.
LVL 10

Expert Comment

ID: 11895209

very strange indeed.
Few notes:
- does the eventviewer has anything to say?
- Do you get also the wrong user when not using the sql request?
(You can check if the wrong user is assigned by displaying it)

This one explains ASP.NET Identity Matrix:

This might help in general, so you better understand the model:

This one explains a lot about IIS and AD

Author Comment

ID: 11896172
Those are good articles.  The strange part is that the model holds true in my scenario during regular usage.  The strange (scarey) part is that when I get three or four peope to hit this link simultaneously at a rapid pace (20-30 hits each), user's sometimes get different people's context.  I display the user name and shows the wrong user's name.

Event viewer had nothing.  

I tried using "impersontaion = true" in the web.config with "Integrated Windows Authentication" set on the application directory in IIS and still produces the same result.

Author Comment

ID: 12111719
I tried to break this issue down to a bear bones test.  I created a simple aspx page with one line of code in the page load event.


When I get two or three people to try to hit the page simultaneously, I/they get a different context returned to the screen other than theirs.  This seems to definitely be an issue related to ISS/Impersonation/Windows Autentication?  I am not sure.  

  I don't know if stress testing it through that method would really tell me anything.  I know what the issue is, I just don't know why it is happening or how to fix it.  

Things I have tried:
  * Set the application directory priority to "High" in IIS so that it would run under it's own process thread (trying to isolate the app)
  * Setup impersonation in the web.config file and used System.Environment.Username to get the username.  Same issue still occurs.

I have used Request.ServerVariables("AUTH_USER"), System.Indentity.User.name, System.Environment.Username (with impersontation) all providing the same results.

Anyone have any other ideas?  I will award more points if anyone can get me a resolution...

I appreciate all of your help thus far.
LVL 10

Accepted Solution

avidya earned 1500 total points
ID: 12114898
Hi ts,

I agree, it remains verry strange...

Since you now can reproduce the problem, I would contact Microsoft and ask their advise.

In the mean time...

Did you do the test as following?

aspx page test 1
Response.Write(User.Identity.Name) &" = UserIdentityName"

aspx page test 2
Response.Write(System.Environment.Username) &" = SystemEnvironmentUsername"

aspxpage test 3
Response.Write(AUTH_USER)  &" = AUTH_USER"

Maybe it's also an idea to set up an clean testweb with ISS set to authirized an only Windows authentification and test again with the aspx pages?

Author Comment

ID: 12114969
Yes.  I had tried all three of those tests to no avail.  

I figured I would end up going to Microsoft, just wanted to save a couple hundred dollars.  If I could.

I gave you half the points now and if no other responses come in, you get the rest.  

I appreciate your help with this.
LVL 10

Expert Comment

ID: 12115117
Hi ts,

maybe this helps saving the bucks?

This aticle explains step by step how to setup authentification:

This is a Microsoft community Website, which was created to promote open collaboration between you, the .NET developer, and the .NET Framework team

Expert Comment

ID: 12449146
I'm think I'm seeing something similiar, did Microsoft have any idead?


Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Color can increase conversions, create feelings of warmth or even incite people to get behind a cause. If you want your website to really impact site visitors, then it is vital to consider the impact color has on them.
When crafting your “Why Us” page, there are a plethora of pitfalls to avoid. Follow these five tips, and you’ll be well on your way to creating an effective page.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question