Solved

Why impersonate?

Posted on 2006-11-22
9
604 Views
Last Modified: 2008-02-01
If I set an IIS virtual dir to anon access and specify a username and password to use (so it can get access to DB) then why do I have to specify indentity impersonate="true" in my web.config so I don't get the error
Login failed for user 'NT AUTHORITY\NETWORK SERVICE'

IIS set to anon access and using domain/user account.
Same domain/user has required access to DB
0
Comment
Question by:QPR
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:Nightman
Comment Utility
You shouldn't have to. Please post your database connection string here.
0
 
LVL 29

Author Comment

by:QPR
Comment Utility
<connectionStrings>
  <add name="ActionItemsConnectionString" connectionString="Data Source=DEV-ABC;Initial Catalog=ActionItems;Integrated Security=True"
   providerName="System.Data.SqlClient" />
 </connectionStrings>


This is auto generated in the web.config when I create a connection via the drop downs smart tag.
0
 
LVL 29

Author Comment

by:QPR
Comment Utility
If I don't include this
    <authentication mode="Windows" />
    <identity impersonate ="true"/>
then I get a Login failed for user 'NT AUTHORITY\NETWORK SERVICE' in Internet Explorer and after 3 times the account I used in IIS will be locked out.
0
 
LVL 29

Expert Comment

by:Nightman
Comment Utility
The ASP.NET worker process doesn't use the IUSR account for anonymous access, it runs under the NT AUTHORITY\NETWORK SERVICE account. Setting 'impersonate=true" works for Windows Authentication, and will then attempt to authenticate using this account (which will probably fail) or the account of the authenticated windows user.

If you want to impersonate a specific account, do this in the web.config like this:

<system.web>
<identity impersonate="true" userName="WindowsDomain\YourUserName" password="YourPassword" />
</system.web>

This will then connect in the context of the user defined in the web.config.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 29

Expert Comment

by:Nightman
Comment Utility
Have a look at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp for a useful matrix on how the authentication options work.
0
 
LVL 29

Author Comment

by:QPR
Comment Utility
Am I misreading? it seems to say that what I have is correct and needed....
 
<identity impersonate="true"/>
<authentication mode="Windows" />  = HttpContext WindowsIdentity Thread = MACHINE\IUSR_MACHINE

Only difference being that I have specified an account to use in IIS (anon) as opposed to using the built in anon account.
0
 
LVL 29

Expert Comment

by:Nightman
Comment Utility
You are reading that right - it doesn't appear to apply though (I will do some digging). Add the specific identity impersonation as I suggested, restart the asp_net worker process and give it a shot.
0
 
LVL 29

Author Comment

by:QPR
Comment Utility
Just to clarify, I have no problem with what I currently have, I just couldn't understand why impersonate was required if IIS was handling the "anon as this account" bit. But then I haven't read up much on this so it could just be me.

It is only if I remove impersonate from web.config that it fails. So.... I won't remove it.
0
 
LVL 29

Accepted Solution

by:
Nightman earned 125 total points
Comment Utility
Oh - in that case I will stop digging, as it appears to work correctly ;)

Without impersonation, it will connect as network service to the SQL database (instead of the IUSR account). Because network service has no permissions it will fail. With impersonation, it will use the specified account to access network resources INSTEAD of the network service account, so it will work.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

AJAX ModalPopupExtender has a required property "TargetControlID" which may seem to be very confusing to new users. It means the server control that will be extended by the ModalPopup, for instance, if when you click a button, a ModalPopup displays,…
In an ASP.NET application, I faced some technical problems. In this article, I list them out and show the solutions that I found.  I hope it will be useful. Problem: After closing a pop-up window, the parent page should be refreshed automaticall…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now