User.Identity.Name and anonymous access account

martin

Hi,

I have a website that runs under anonymous access.
I am trying to find out the account that the page is running under

the line
Response.Write("<hr>" & Page.User.Identity.Name & "<hr>")

does not write out the name of the account that the website is running under
when it is running under anonymous access, however when the same page is run
under integrated security it does.

basically I am trying to give permission to a page (that is running under
anonymous access) permission to start / stop windows services.

I added "IUSR_MACINENAME" and "ASPNET" to the administrator group on my local
machine but this has not solved the problem.

if the same page runs under integrated security, then I can start and stop
the service no problem.

can anybody offer any advice???

cheers

martin.
 
Pieter Jansen van Vuuren

This is scary man, giving IUSR_<Machine Name> and ASPNET Admin rights. Big
no no!

If you want any user to stop and start a Windows service, use impersonation
when using anonymous access.

If you need to know who the user is that is logging on then use form
authentication or better still integrated security.
 
martin

why do I have to use impersonation???
I totally agree that I should not put the IUSR and ASP.NET in the local
admin group.
why can't I just use integrated security and place all of the user accounts
that will access the site in an AD group and give that group the right to
start / stop services.
I don't want to hard code a username / password in my web config file.

I don't want to get into a security debate here,

all I wish to do is have the account that is running the website (be it
integrated or anonymous) have the right to start / stop windows services.
If you can give me any advice then I would appreciate it.

Thanks for your well-intentioned advice

cheers

martin.
 
Paul Clement

¤ why do I have to use impersonation???
¤ I totally agree that I should not put the IUSR and ASP.NET in the local
¤ admin group.
¤ why can't I just use integrated security and place all of the user accounts
¤ that will access the site in an AD group and give that group the right to
¤ start / stop services.
¤ I don't want to hard code a username / password in my web config file.
¤
¤ I don't want to get into a security debate here,
¤
¤ all I wish to do is have the account that is running the website (be it
¤ integrated or anonymous) have the right to start / stop windows services.
¤ If you can give me any advice then I would appreciate it.
¤
¤ Thanks for your well-intentioned advice
¤

If you don't enable impersonation, the default identity is ASPNET (NetworkService under Windows
2003), regardless of the authentication level you use.

ASPNET is a least privileged local account and probably doesn't have sufficient permissions to do
what you need. If you enable Integrated Windows Security you can pass on an authenticated user's
credentials by enabling impersonation.


Paul
~~~~
Microsoft MVP (Visual Basic)
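
A diagnostic page for the distinction discussed in this thread, between the caller reported by Page.User.Identity.Name and the Windows account the code executes under. It is an added example, not code from any poster; the class name IdentityCheck and the service name MyService are hypothetical.

```vbnet
' Added example, not from the thread. Code-behind for a hypothetical
' diagnostic page; "MyService" is a placeholder service name.
Imports System
Imports System.Security.Principal
Imports System.ServiceProcess   ' needs a reference to System.ServiceProcess.dll

Public Class IdentityCheck
    Inherits System.Web.UI.Page

    Private Const ServiceName As String = "MyService"

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        ' Who IIS authenticated. Under anonymous access nobody logged on, so
        ' Name is empty; it never reports the worker process account.
        Dim caller As IIdentity = Page.User.Identity
        Dim callerName As String = "(not authenticated)"
        If caller.IsAuthenticated Then
            callerName = caller.Name & " via " & caller.AuthenticationType
        End If

        ' The Windows token the code actually executes under: the process
        ' identity without impersonation, or the impersonated account when
        ' web.config contains <identity impersonate="true" />.
        Dim runningAs As String = WindowsIdentity.GetCurrent().Name

        ' Service control is authorized against runningAs, not the caller.
        Dim outcome As String = ""
        Dim sc As New ServiceController(ServiceName)
        Try
            outcome = "status " & sc.Status.ToString()
        Catch ex As Exception
            ' Denied or missing service: report the failure without details.
            outcome = "query failed (" & ex.GetType().Name & ")"
        Finally
            sc.Close()
        End Try

        Response.Write("<hr>Caller: " & Server.HtmlEncode(callerName))
        Response.Write("<hr>Executing as: " & Server.HtmlEncode(runningAs))
        Response.Write("<hr>" & Server.HtmlEncode(ServiceName) & ": " & outcome & "<hr>")
    End Sub
End Class
```

The "Executing as" line names the account that needs the start / stop right on the service, which lets that right be granted to one account or group instead of adding accounts to the local administrators group.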
 