Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Why impersonate?

Posted on 2006-11-22
9
Medium Priority
?
656 Views
Last Modified: 2008-02-01
If I set an IIS virtual dir to anon access and specify a username and password to use (so it can get access to DB) then why do I have to specify indentity impersonate="true" in my web.config so I don't get the error
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

IIS set to anon access and using domain/user account.
Same domain/user has required access to DB
0
Comment
Question by:QPR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:Nightman
ID: 18002005
You shouldn't have to. Please post your database connection string here.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004364
<connectionStrings>
  <add name="ActionItemsConnectionString" connectionString="Data Source=DEV-ABC;Initial Catalog=ActionItems;Integrated Security=True"
   providerName="System.Data.SqlClient" />
 </connectionStrings>


This is auto generated in the web.config when I create a connection via the drop downs smart tag.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004375
If I don't include this
    <authentication mode="Windows" />
    <identity impersonate ="true"/>
then I get a Login failed for user 'NT AUTHORITY\NETWORK SERVICE' in Internet Explorer and after 3 times the account I used in IIS will be locked out.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 29

Expert Comment

by:Nightman
ID: 18004416
The ASP.NET worker process doesn't use the IUSR account for anonymous access, it runs under the NT AUTHORITY\NETWORK SERVICE account. Setting 'impersonate=true" works for Windows Authentication, and will then attempt to authenticate using this account (which will probably fail) or the account of the authenticated windows user.

If you want to impersonate a specific account, do this in the web.config like this:

<system.web>
<identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>

This will then connect in the context of the user defined in the web.config.
0
 
LVL 29

Expert Comment

by:Nightman
ID: 18004422
Have a look at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp for a useful matrix on how the authentication options work.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004461
Am I misreading? it seems to say that what I have is correct and needed....
 
<identity impersonate="true"/>
<authentication mode="Windows" />  = HttpContext WindowsIdentity Thread = MACHINE\IUSR_MACHINE

Only difference being that I have specified an account to use in IIS (anon) as opposed to using the built in anon account.
0
 
LVL 29

Expert Comment

by:Nightman
ID: 18004481
You are reading that right - it doesn't appear to apply though (I will do some digging). Add the specific identity impersonation as I suggested, restart the asp_net worker process and give it a shot.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004676
Just to clarify, I have no problem with what I currently have, I just couldn't understand why impersonate was required if IIS was handling the "anon as this account" bit. But then I haven't read up much on this so it could just be me.

It is only if I remove impersonate from web.config that it fails. So.... I won't remove it.
0
 
LVL 29

Accepted Solution

by:
Nightman earned 500 total points
ID: 18004698
Oh - in that case I will stop digging, as it appears to work correctly ;)

Without impersonation, it will connect as network service to the SQL database (instead of the IUSR account). Because network service has no permissions it will fail. With impersonation, it will use the specified account to access network resources INSTEAD of the network service account, so it will work.
0

Featured Post

Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently went through the process of creating a Calendar Control of events with the basis of using a database to keep track of the dates that are selectable, one requirement was to have the selected date pop-up in a simple lightbox.  At first this…
ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question