Solved

Why impersonate?

Posted on 2006-11-22
Last Modified: 2008-02-01
If I set an IIS virtual dir to anon access and specify a username and password to use (so it can get access to DB) then why do I have to specify identity impersonate="true" in my web.config so I don't get the error
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

IIS set to anon access and using domain/user account.
Same domain/user has required access to DB
Question by:QPR

Expert Comment

by:Nightman
ID: 18002005
You shouldn't have to. Please post your database connection string here.

Author Comment

by:QPR
ID: 18004364
<connectionStrings>
  <add name="ActionItemsConnectionString"
       connectionString="Data Source=DEV-ABC;Initial Catalog=ActionItems;Integrated Security=True"
       providerName="System.Data.SqlClient" />
</connectionStrings>

This is auto generated in the web.config when I create a connection via the drop downs smart tag.

Author Comment

by:QPR
ID: 18004375
If I don't include this
    <authentication mode="Windows" />
    <identity impersonate ="true"/>
then I get a Login failed for user 'NT AUTHORITY\NETWORK SERVICE' in Internet Explorer and after 3 times the account I used in IIS will be locked out.

Expert Comment

by:Nightman
ID: 18004416
The ASP.NET worker process doesn't use the IUSR account for anonymous access; it runs under the NT AUTHORITY\NETWORK SERVICE account. Setting impersonate="true" works for Windows Authentication, and will then attempt to authenticate using this account (which will probably fail) or the account of the authenticated Windows user.

If you want to impersonate a specific account, do this in the web.config like this:

<system.web>
  <identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>

This will then connect in the context of the user defined in the web.config.

Expert Comment

by:Nightman
ID: 18004422
Have a look at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp for a useful matrix on how the authentication options work.

Author Comment

by:QPR
ID: 18004461
Am I misreading? It seems to say that what I have is correct and needed....
 
<identity impersonate="true"/>
<authentication mode="Windows" />  = HttpContext WindowsIdentity Thread = MACHINE\IUSR_MACHINE

Only difference being that I have specified an account to use in IIS (anon) as opposed to using the built in anon account.

Expert Comment

by:Nightman
ID: 18004481
You are reading that right - it doesn't appear to apply though (I will do some digging). Add the specific identity impersonation as I suggested, restart the asp_net worker process and give it a shot.

Author Comment

by:QPR
ID: 18004676
Just to clarify, I have no problem with what I currently have, I just couldn't understand why impersonate was required if IIS was handling the "anon as this account" bit. But then I haven't read up much on this so it could just be me.

It is only if I remove impersonate from web.config that it fails. So.... I won't remove it.

Accepted Solution

by:
Nightman earned 125 total points
ID: 18004698
Oh - in that case I will stop digging, as it appears to work correctly ;)

Without impersonation, it will connect as network service to the SQL database (instead of the IUSR account). Because network service has no permissions it will fail. With impersonation, it will use the specified account to access network resources INSTEAD of the network service account, so it will work.
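
The behaviour explained in the accepted answer, as an added example that is not part of the original thread: a Python check that reads a web.config and reports which Windows account an Integrated Security connection string will log in to SQL Server as, and flags a cleartext password in the identity element. The sample config is constructed from the snippets posted above; the function names and the process_identity default (taken from the error message in the question) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the settings posted in the thread, with its placeholder credentials.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="ActionItemsConnectionString"
         connectionString="Data Source=DEV-ABC;Initial Catalog=ActionItems;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" userName="WindowsDomain\\YourUserName" password="YourPassword" />
  </system.web>
</configuration>"""

def uses_windows_auth(cs):
    """True if the connection string authenticates with the caller's Windows identity."""
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    kv = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    val = kv.get("integrated security", kv.get("trusted_connection", ""))
    return val in ("true", "yes", "sspi")

def audit(xml_text, process_identity="NT AUTHORITY\\NETWORK SERVICE"):
    """Return (account used for Integrated Security logins, list of findings)."""
    root = ET.fromstring(xml_text)
    ident = next(root.iter("identity"), None)
    impersonate = ident is not None and ident.get("impersonate", "false").lower() == "true"
    findings = []
    if not impersonate:
        sql_identity = process_identity        # worker process account (assumed default)
    elif ident.get("userName"):
        sql_identity = ident.get("userName")   # fixed account named in web.config
        if ident.get("password"):
            findings.append("cleartext password in <identity>")
    else:
        sql_identity = "token passed by IIS (anonymous account or authenticated user)"
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if cs and uses_windows_auth(cs):
            findings.append(f"{add.get('name')}: SQL login as {sql_identity}")
    return sql_identity, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Whichever account the check reports is the one that needs a SQL Server login with rights on the database.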