Solved

Why impersonate?

Posted on 2006-11-22
9
631 Views
Last Modified: 2008-02-01
If I set an IIS virtual dir to anon access and specify a username and password to use (so it can get access to DB) then why do I have to specify indentity impersonate="true" in my web.config so I don't get the error
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

IIS set to anon access and using domain/user account.
Same domain/user has required access to DB
0
Comment
Question by:QPR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:Nightman
ID: 18002005
You shouldn't have to. Please post your database connection string here.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004364
<connectionStrings>
  <add name="ActionItemsConnectionString" connectionString="Data Source=DEV-ABC;Initial Catalog=ActionItems;Integrated Security=True"
   providerName="System.Data.SqlClient" />
 </connectionStrings>


This is auto generated in the web.config when I create a connection via the drop downs smart tag.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004375
If I don't include this
    <authentication mode="Windows" />
    <identity impersonate ="true"/>
then I get a Login failed for user 'NT AUTHORITY\NETWORK SERVICE' in Internet Explorer and after 3 times the account I used in IIS will be locked out.
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 
LVL 29

Expert Comment

by:Nightman
ID: 18004416
The ASP.NET worker process doesn't use the IUSR account for anonymous access, it runs under the NT AUTHORITY\NETWORK SERVICE account. Setting 'impersonate=true" works for Windows Authentication, and will then attempt to authenticate using this account (which will probably fail) or the account of the authenticated windows user.

If you want to impersonate a specific account, do this in the web.config like this:

<system.web>
<identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>

This will then connect in the context of the user defined in the web.config.
0
 
LVL 29

Expert Comment

by:Nightman
ID: 18004422
Have a look at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp for a useful matrix on how the authentication options work.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004461
Am I misreading? it seems to say that what I have is correct and needed....
 
<identity impersonate="true"/>
<authentication mode="Windows" />  = HttpContext WindowsIdentity Thread = MACHINE\IUSR_MACHINE

Only difference being that I have specified an account to use in IIS (anon) as opposed to using the built in anon account.
0
 
LVL 29

Expert Comment

by:Nightman
ID: 18004481
You are reading that right - it doesn't appear to apply though (I will do some digging). Add the specific identity impersonation as I suggested, restart the asp_net worker process and give it a shot.
0
 
LVL 29

Author Comment

by:QPR
ID: 18004676
Just to clarify, I have no problem with what I currently have, I just couldn't understand why impersonate was required if IIS was handling the "anon as this account" bit. But then I haven't read up much on this so it could just be me.

It is only if I remove impersonate from web.config that it fails. So.... I won't remove it.
0
 
LVL 29

Accepted Solution

by:
Nightman earned 125 total points
ID: 18004698
Oh - in that case I will stop digging, as it appears to work correctly ;)

Without impersonation, it will connect as network service to the SQL database (instead of the IUSR account). Because network service has no permissions it will fail. With impersonation, it will use the specified account to access network resources INSTEAD of the network service account, so it will work.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses the ASP.NET AJAX ModalPopupExtender control. In this article we will show how to use the ModalPopupExtender control, how to display/show/call the ASP.NET AJAX ModalPopupExtender control from javascript, how to show/display/cal…
In an ASP.NET application, I faced some technical problems. In this article, I list them out and show the solutions that I found.  I hope it will be useful. Problem: After closing a pop-up window, the parent page should be refreshed automaticall…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question