ASP.NET worker process context and SQL authentication

[Dave Mehrtens]

I am trying to configure my ASP.NET application and have come across
something unexpected.

First, I understand that all ASP.NET applications running on a single server
will utilize a single aspnet_wp.exe process. And that this process, by
default, runs under the context of the ASPNET username.

I would rather use a trusted connection to connect to SQL Server to avoid
having to put a username and password in a config file. However, if I use a
trusted connection, all of my databases will have to be configured to use
ASPNET as the user. Is this true.

In another post, I read that the aspnet_wp.exe process would impersonate the
caller? Is this IIS or the ISAPI filter? Is this possible? If so, then it
would be possible to use a trusted connection to SQL and that user would be
the user that is configured to run the IIS application, correct?

Thank you for your help,

Dave

 

[Rick Strahl [MVP]]

Hi Dave,

First, I understand that all ASP.NET applications running on a single server
will utilize a single aspnet_wp.exe process. And that this process, by
default, runs under the context of the ASPNET username.

No this isn't entirely correct. In Windows 2000 the Application Isolation
determines how many instances of the process are started. If you use the
default of medium there is only a single instance. But if you use High then
each virtual defined as such runs its own process and spans a new instance
of the ASPNet client process.

In Windows 2003 you can set up an Application pool which can be assigned to
a virtual directory and each application pool runs in its own process.

If you have a multi-homed Web server using integrated authentication is
probably a bad idea because you can only have a single user that runs all
these applications as configured in Machine.config's ProcessModel|Username
setting. In Windows 2003 you have more control as you can assign a username
and password for each application pool.

To impersonate the calling user account you can use <identity
impersonate="true"/> in web.config. This would be an anonymous user (IUSR_
most likely) or the user that is authenticated if the page is protected by
file/directory security. This may work well for an extranet internal app,
but is probably a bad choice for public apps...

Hope this helps,

+++ Rick ---







--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/wwHelp

 

[Dave Mehrtens]

Thanks for the reply. I got it working.

I did not question about application isolation. I was more concerned with
the account that was used to connect to SQL SErver from the aspnet_wp
process. It kept connecting as ASPNET, and I wanted to control it more. I
wanted it to impersonate the user of the IIS application, which is
configurable per app.

Thank You,

Dave

 

[Dave Mehrtens]

The IIS virtual directory uses IUSR_AAA as the logon for anonymous access.

In the web.config file for the asp.net application, I use <identity
impersonate="true"/>. I DO NOT supply a username and password as part of
this. This causes, I think, the aspnet_wp.exe process to impersonate the
calling app which is IIS.

Then I use a trusted connection to connect to the database, which uses the
IIS logon info.

Dave

 

[Rick Strahl [MVP]]

With Impersonation you get the calling user's security context. This is the
way ASP worked prior to ASP.Net...

So it's IUSR_ when not logged in or whatever accuont when you are via file
permissions.

+++ Rick ---

--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/wwHelp