Before delving into the details of ASP.NET impersonation, we need to be clear about a few concepts. On IIS 5 with the .NET Framework 1.x, all the Web applications hosted on a box are served by a single worker process, aspnet_wp.exe (only with web gardening enabled is there one worker process per processor). This worker process always runs under the security context defined by the <processModel> element in machine.config; in the .NET Framework 1.1 default (userName="machine") that is the low-privileged local ASPNET account. On IIS 6 and later the worker process is w3wp.exe and its account is the application pool identity instead, but the impersonation rules described below are the same.
With ASP.NET impersonation, the thread servicing the client request can optionally execute with the identity of the client. Let me explain it in detail.
IIS always maps a request to some Windows account: for anonymous access this is the IUSR_machinename account (or whatever account has been configured for anonymous access); for Windows authentication it is the account whose credentials the Web site user supplied. After successful authentication IIS passes the logon token of that account to ASP.NET along with the request. The ASP.NET worker thread then has the following three options:
- It can run under the identity defined by the <processModel> element (the worker process account).
- It can run under the client identity passed to it by IIS.
- It can run under the identity of the user whose credentials have been listed for impersonation.
Now the decision depends on the impersonation settings for the ASP.NET application.
- If impersonation is not enabled, the ASP.NET worker thread runs under the identity of the ASP.NET worker process (defined by the <processModel> element in machine.config; <processModel> is not honoured in Web.config).
- If impersonation is enabled and no specific Windows account has been listed in Web.config for impersonation, the ASP.NET worker thread runs under the client identity passed to it by IIS. Note that if IIS still allows anonymous access, that client identity is simply IUSR_machinename, so enabling impersonation on its own does not give you per-user authorization.
- If impersonation is enabled and a specific Windows account has been listed in Web.config for impersonation, the ASP.NET worker thread runs under a token generated by logging on with that account.
Impersonation for ASP.NET applications is set up with the <identity> element in Web.config, which takes one of three forms:
- <identity impersonate="true" />: impersonation for the ASP.NET worker thread is enabled, and the thread runs under the client identity passed to it by IIS.
- <identity impersonate="true" userName="..." password="..." />: impersonation for the ASP.NET worker thread is enabled, but the thread runs under the identity generated by logging on with the credentials specified in the userName and password attributes. Those credentials sit in clear text in Web.config, so keep the file's ACL tight and, on the .NET Framework 1.1, prefer storing them encrypted with aspnet_setreg.exe.
- <identity impersonate="false" />: impersonation for the ASP.NET worker thread is not enabled (this is the default).
In every case only the request thread's token changes; the worker process itself keeps running as the <processModel> account. Also keep in mind that a token obtained through NTLM authentication cannot be used to reach resources on another machine (the one-hop limitation), so impersonating the client does not by itself let the thread open a remote share or SQL Server as that user unless Kerberos delegation is configured.
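The quickest way to confirm which of the three identities a request thread actually ends up with is to ask the runtime. The page below is an added diagnostic example, not code from the original post: it assumes a classic ASP.NET (.NET Framework) application under IIS, reports the IIS client identity, the request thread's token and the worker process account, and should be requested once for each <identity> and IIS authentication combination you want to verify. The revert-to-self trick via WindowsIdentity.Impersonate(IntPtr.Zero) is used here to read the process account while impersonation is active.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Added example (not from the original post). Request this page under
    // impersonate="false", impersonate="true" and impersonate="true" with
    // userName/password to see which Windows account each setting yields.
    void Page_Load(object sender, EventArgs e)
    {
        // 1. The account IIS authenticated and handed to ASP.NET: the
        //    "client identity" from the text. It is populated whether or
        //    not ASP.NET impersonation is enabled.
        string clientName = "(anonymous)";
        string authType = "(none)";
        if (User != null && User.Identity != null && User.Identity.IsAuthenticated)
        {
            clientName = User.Identity.Name;
            authType = User.Identity.AuthenticationType;
        }

        // 2. The token the request thread is executing under right now.
        //    impersonate="false"                -> worker process account
        //    impersonate="true"                 -> client identity (IUSR_... if anonymous)
        //    impersonate="true" userName="..."  -> the configured account
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

        // 3. The worker process account itself. Impersonate(IntPtr.Zero)
        //    reverts the thread to the process token (RevertToSelf);
        //    Undo() restores whatever token ASP.NET set up for the request.
        string processName;
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            processName = WindowsIdentity.GetCurrent().Name;
        }
        finally
        {
            reverted.Undo();
        }

        // String.Compare with ignoreCase=true also exists on .NET Framework 1.x.
        bool impersonating = String.Compare(threadIdentity.Name, processName, true) != 0;

        Response.ContentType = "text/plain";
        Response.Write("IIS client identity    : " + clientName + " [" + authType + "]\r\n");
        Response.Write("Request thread token   : " + threadIdentity.Name + "\r\n");
        Response.Write("Worker process account : " + processName + "\r\n");
        Response.Write("Thread is impersonating: " + impersonating + "\r\n");
    }
</script>
```

With impersonate="false" the first two lines will differ (IUSR_machinename or the Windows user versus ASPNET) and "impersonating" will be False; flip impersonate to "true" and the thread token matches the client identity. The page discloses account names, so remove it once you have checked the configuration.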