Solved

Why impersonate?

Posted on 2006-11-22
9
619 Views
Last Modified: 2008-02-01
If I set an IIS virtual dir to anon access and specify a username and password to use (so it can get access to DB) then why do I have to specify indentity impersonate="true" in my web.config so I don't get the error
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

IIS set to anon access and using domain/user account.
Same domain/user has required access to DB
0
Comment
Question by:QPR
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:Nightman
ID: 18002005
You shouldn't have to. Please post your database connection string here.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004364
<connectionStrings>
  <add name="ActionItemsConnectionString" connectionString="Data Source=DEV-ABC;Initial Catalog=ActionItems;Integrated Security=True"
   providerName="System.Data.SqlClient" />
 </connectionStrings>


This is auto generated in the web.config when I create a connection via the drop downs smart tag.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004375
If I don't include this
    <authentication mode="Windows" />
    <identity impersonate ="true"/>
then I get a Login failed for user 'NT AUTHORITY\NETWORK SERVICE' in Internet Explorer and after 3 times the account I used in IIS will be locked out.
0
Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

 
LVL 29

Expert Comment

by:Nightman
ID: 18004416
The ASP.NET worker process doesn't use the IUSR account for anonymous access, it runs under the NT AUTHORITY\NETWORK SERVICE account. Setting 'impersonate=true" works for Windows Authentication, and will then attempt to authenticate using this account (which will probably fail) or the account of the authenticated windows user.

If you want to impersonate a specific account, do this in the web.config like this:

<system.web>
<identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>

This will then connect in the context of the user defined in the web.config.
0
 
LVL 29

Expert Comment

by:Nightman
ID: 18004422
Have a look at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp for a useful matrix on how the authentication options work.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004461
Am I misreading? it seems to say that what I have is correct and needed....
 
<identity impersonate="true"/>
<authentication mode="Windows" />  = HttpContext WindowsIdentity Thread = MACHINE\IUSR_MACHINE

Only difference being that I have specified an account to use in IIS (anon) as opposed to using the built in anon account.
0
 
LVL 29

Expert Comment

by:Nightman
ID: 18004481
You are reading that right - it doesn't appear to apply though (I will do some digging). Add the specific identity impersonation as I suggested, restart the asp_net worker process and give it a shot.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004676
Just to clarify, I have no problem with what I currently have, I just couldn't understand why impersonate was required if IIS was handling the "anon as this account" bit. But then I haven't read up much on this so it could just be me.

It is only if I remove impersonate from web.config that it fails. So.... I won't remove it.
0
 
LVL 29

Accepted Solution

by:
Nightman earned 125 total points
ID: 18004698
Oh - in that case I will stop digging, as it appears to work correctly ;)

Without impersonation, it will connect as network service to the SQL database (instead of the IUSR account). Because network service has no permissions it will fail. With impersonation, it will use the specified account to access network resources INSTEAD of the network service account, so it will work.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lots of people ask this question on how to extend the “MembershipProvider” to make use of custom authentication like using existing database or make use of some other way of authentication. Many blogs show you how to extend the membership provider c…
I recently went through the process of creating a Calendar Control of events with the basis of using a database to keep track of the dates that are selectable, one requirement was to have the selected date pop-up in a simple lightbox.  At first this…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question