IIS and ASP.NET authentication

[KDV]

I was playing around with IIS and ASP.NET authentication. I understood
Basic,Digest and Integrated Windows authentication provided by IIS. When I
use either of these mode and use Windows authentication in ASP.NET then
ASP.NET automatically constructs Windows principal which is available in any
APS.NET page. My question is that when IIS is set to anonymous and account is
defined (rather than IIS control the password) why ASP.NET does not construct
Windows principal. After all each request coming to IIS is authenticated
automatically using the account defined. My understanding is that there is no
difference between anonymous and other type of authentication except that in
anonymous every request uses IUSER_machine account or the account set
explictly in inetmgr console. eg if I use username as test and password as
test (test account is created) in anonymous setting then ASP.NET should
construct windows principal using test account. Where I am misunderstanding ?
Can anyone clear it out ?

Thanks in advance

 

[Dominick Baier [DevelopMentor]]

Hello KDV,

when you use IIS authentication - your users are always based on windows
accounts - that's why you end up with a WindowsPrincipal/WindowsIdentity
in ASP.NET
when you choose anonymous - you won't get that information. This scenario
is designed to do your own authentication, e.g. via ASP.NET Forms Authentication

the anonymous account is only used if you access non ASP.NET resources like
jpg or gif.

The ASP.NET app will always run under the worker process identity.

HTH

 

[KDV]

Thanks for the reply. But my confusion was that IIS anonymous setting still
uses an account to access the resources. This means while accessing resources
IIS uses either its built in account or the account which is set in console
window. That means account still exists in Windows. eg example if I set any
user name whose account does not exist in Windows IIS will refuse the
request. That means it is doing authentication. If anyone is allowed to
access the resource under anonymous setting then all requests should pass no
matter which account I used. I still do not understand if IIS passes any
authenticated/authorized token to ASP.NET in anonymous. If I blindly accept
that under anonymous setting there is no authentication then I can give up

Can u clear it?

 

[Dominick Baier [DevelopMentor]]

Hello KDV,

ok -

the anonymous account is used to access static files like gif or jpg...
it is possible that IIS generally refuses requests if the anon account is
wrong (haven't tried that)

if you access an asp.net file (aspx, asmx...) - IIS passes this request on
to the ASP.NET runtime.

The asp.net worker process runs under a configured identity (<processModel>
element under IIS5/5.1 or app pool configuration under IIS6). This account
is used to access and process the files. you can access that account programmatically
using WindowsIdentity.GetCurrent() in an aspx file.

if you have configured auth in IIS - IIS will pass the resulting token to
ASP.NET which you can access via Page.User (Thread.CurrentPrincipal) - if
anon is selected this will be empty.

does that clear it up?

 

[KDV]

It is good discussion. Let me explain a simple scenario what I did.

I am doing no authentication in ASP.NET so I set
<authentication mode="None">
</authentication>

in config file.

In IIS I set anonymous and using an account test/test. There I intentially
set wrong password. I tried to access aspx file as follow

http://localhost/WebApplication2/WebForm1.aspx

because password is wrong so IIS refuses this request. I understand all
combinations of IIS and ASP.NET authentication except anonymous which I could
not find anywhere where it is clearly explained. Do u think that IIS passes
token to ASP.NET if anonymous is enabled? I think we have gone a long
discussion but still my mind is not very clear. Or I can undrstand this way
that if anonymous is enabled then IIS just does its own authentication but
does not pass any token to ASP.NET

Looks like more research I have to make.
Thanks for ur help

 

[Dominick Baier [DevelopMentor]]

Hello KDV,

if in IIS anon is enabled there will be no token passed to ASP.NET - at least
no token that is accessible via Page.User.


the normal scenario for anonymous access is : you enable anon in IIS and
<authentication="Windows" /> in ASP.NET

to be honest i never used <authentication="None" />

if you want to enable forms auth : you choose anon in IIS and <authentication="Forms"
/>

 

[KDV]

Thanks for the reply. I think I understood what is going on behind the seen
when diff. combinations of IIS and ASP.NET security settngs are used.
Actually I forgot to keep in mind that there are two kinds of security
attached to thread ie the underlying operating system token inherited from
process identity and the .NET principal security. Well this discussion helped
me to explore and understand all that.

Thanks
KDV

 

[Dominick Baier [DevelopMentor]]

Hello KDV,

a great tool to explore the settings is : http://www.develop.com/technology/resourcedetail.aspx?id=00e7be6c-69a1-44a5-8790-7969ea94df4d

 

[KDV]

Thanks. It helped to understand further.

KDV

Hello KDV,

a great tool to explore the settings is : http://www.develop.com/technology/resourcedetail.aspx?id=00e7be6c-69a1-44a5-8790-7969ea94df4d