Microsoft KB Archive/815171

= HOW TO: Configure an ASP.NET Application to Use the Same Credentials as an ASP 3.0 Application =

Article ID: 815171

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft ASP.NET 1.0
 * Microsoft Internet Information Services 5.0
 * Microsoft ASP.NET 1.1
 * Microsoft Internet Information Services 6.0




IN THIS TASK

 * SUMMARY
 * Change the Security Context for Anonymous Users
 * Enable Impersonation for Authenticated Users
 * REFERENCES



SUMMARY
This step-by-step article describes how to configure ASP.NET applications to use the same credentials as ASP 3.0 applications use. By default, ASP.NET applications run in a different security context than ASP 3.0 applications:
 * ASP.NET applications run as the ASPNET user.
 * ASP.NET 1.1 (with IIS 6) applications run as the NetworkService user.
 * ASP 3.0 applications run as the IIS anonymous user, or they run in the context of the user if the application requires authentication.

You can move an application to ASP 3.0 by changing the default security configuration. This permits an ASP.NET application to run in the same security context as an ASP 3.0 application.


Change the Security Context for Anonymous Users
By default, anonymous requests that are handled by ASP.NET run in the context of the local ASPNET user account (or in the NetworkService user account in ASP.NET 1.1 applications that run on IIS 6.0).

This account behaves similarly to the IUSR_ComputerName account that IIS 5.0 uses for anonymous requests. You can grant anonymous ASP.NET requests access to the same resources that anonymous ASP 3.0 requests have access to. To do this, add the ASPNET user account (or the NetworkService user account in ASP.NET 1.1 applications that run on IIS 6.0) to all access control lists (ACLs) where the IUSR_ComputerName account appears. This may include the NTFS file system permissions and databases.

Alternatively, you can force ASP.NET to use the IUSR_ComputerName account. To do this, disable the automatic control that IIS has over the password of the IUSR_ComputerName account, and then put both the userName attribute and the password attribute in plain text in the Web.config file.

Note: Check to make sure that this meets the security requirements of your organization.

To force ASP.NET to use the IUSR_ComputerName account, follow these steps:
 * 1) Run Internet Services Manager from the Administrative Tools folder on the server.
 * 2) Right-click the virtual server or the virtual folder and then click Properties.
 * 3) In the Properties dialog box, click the Directory Security tab.
 * 4) In Anonymous Access And Authentication Control, click Edit.
 * 5) In the Authentication Methods dialog box, click Edit next to the Account Used For Anonymous Access label.
 * 6) In the Anonymous User Account dialog box, click to clear the Allow IIS To Control Password check box.
 * 7) In the Password field, type the password for the account, click OK, and then close Internet Services Manager.
 * 8) In Computer Manager, reset the password for the IUSR_ComputerName account to the password that you assigned in the previous step.
 * 9) Use a text editor such as Notepad to open the Web.config file. The Web.config file is located in the root directory of the application.
 * 10) Add the <identity> configuration element under the <system.web> element of the Web.config file for the application. Note: Before adding <identity> to the Web.config file, make sure that the allowDefinition property in the  section of the Machine.config file is Elsewhere. By default, the value of this property is MachineOnly.
 * 11) Configure the userName attribute and the password attribute of the <identity> element. Use the userName and the password that are assigned to the IUSR_ComputerName account.
 * 12) Save the Web.config file. The ASP.NET application automatically restarts.


Enable Impersonation for Authenticated Users
To enable impersonation for authenticated users, three configuration elements in the <system.web> element of the Web.config file for the application must be changed. You must make these changes to mimic the behavior of an ASP 3.0 application that requires authentication and then requests resources by using the authenticated account of the user.
 * You must set the authentication mode to Windows. When you do this, the browser prompts the user for a Windows user name and password when the user first makes a request to the ASP.NET application. You can set the authentication mode by adding the <authentication> element to the <system.web> element with the attribute mode="Windows".
 * The authorization element configures ASP.NET to refuse all unauthenticated users. You must define this by using the <authorization> element and then define the <deny> sub tag.
 * The identity element configures ASP.NET to impersonate the authenticated user. By leaving the userName attribute and the password attribute blank, ASP.NET uses the credentials of the authenticated user when ASP.NET accesses resources.

To define all elements to force authentication and to enable ASP.NET to impersonate the authenticated users, follow this example:

    <system.web>
        <authentication mode="Windows" />
        <authorization>
            <deny users="?" />
        </authorization>
        <identity impersonate="true" userName="" password="" />
    </system.web>
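The following Python check is an added example, not part of the original article: it reads a Web.config and reports what to review for each of the two configurations described above (a fixed account with a plain-text password, or per-user impersonation). The sample files are constructed, the password is a placeholder, the function name audit_web_config is an assumption of this example, and it assumes a Web.config without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the anonymous-user setup, with a placeholder password.
ANON_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" userName="IUSR_ComputerName"
              password="PLACEHOLDER-not-a-real-password"/>
  </system.web>
</configuration>"""

# Constructed sample: the authenticated-user setup from the article's example.
AUTH_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization><deny users="?"/></authorization>
    <identity impersonate="true" userName="" password=""/>
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings for the identity settings in <system.web>."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> element"]
    identity = web.find("identity")
    if identity is None or identity.get("impersonate", "false").lower() != "true":
        return ["impersonation is off: requests run as the default ASP.NET account"]
    findings = []
    fixed_account = bool(identity.get("userName"))
    if fixed_account and identity.get("password"):
        # The article stores these credentials in plain text; flag for review.
        findings.append("plaintext password for a fixed account is stored in Web.config")
    if not fixed_account:
        # Blank userName/password means per-user impersonation, which relies on
        # Windows authentication and on anonymous users ("?") being denied.
        auth = web.find("authentication")
        if auth is None or auth.get("mode") != "Windows":
            findings.append("authentication mode is not Windows")
        denied = [d.get("users", "") for d in web.findall("authorization/deny")]
        if not any("?" in [u.strip() for u in v.split(",")] for v in denied):
            findings.append("anonymous users are not denied")
    return findings


if __name__ == "__main__":
    for name, text in (("anonymous", ANON_CONFIG), ("authenticated", AUTH_CONFIG)):
        print(name, audit_web_config(text))
```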


<div class="references_section">