13 May 2004

ASP.NET Impersonation

I ran into problems trying to run an ASP.NET Web App on a Windows domain controller earlier on, and here is why this happened.
First, let's have a look at the ASP.NET impersonation model.
With IIS anonymous access enabled, the account used for requests depends on whether ASP.NET impersonation is enabled. In the machine.config file:


<!-- impersonation enabled, will impersonate using the account passed by IIS -->
<identity impersonate="true"/>
<!-- impersonation enabled and a specific user account specified -->
<identity impersonate="true" userName="domain\user" password="pwd"/>
<!-- impersonation disabled -->
<identity impersonate="false" />

1) If it is not, requests are made using the system-level process account. This account is configured in the element of the machine.config file.
2) If ASP.NET impersonation is enabled, requests are made either using the IIS anonymous access account (localmachine\IUSR_machinename by default) or using a user account specified in the element of the section. In addition, if no account is specified in the element of the section, then permissions for user accounts may be specified in the element of the section.
All accounts on a domain controller are domain accounts; local accounts (localmachinename\accountName) do not exist. Therefore ASP.NET cannot be started. To overcome this, you can use the system account, or you will need to explicitly define an account configured in the element of the machine.config file.
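
An added example (not from the original post): a small Python audit that reads the identity element from a config file and reports which of the three cases above applies, flagging a cleartext password and, on a domain controller, a machine-local account name. The function name, the machine_name parameter, the DC01 and CORP names and the sample configs are constructed for illustration; userName is the attribute ASP.NET uses for the account.

```python
import xml.etree.ElementTree as ET


def audit_identity(config_xml, machine_name, is_domain_controller=False):
    """Return (mode, account, findings) for the <identity> element of a config."""
    root = ET.fromstring(config_xml)
    el = next(root.iter("identity"), None)
    attrs = el.attrib if el is not None else {}
    findings = []

    if attrs.get("impersonate", "false").lower() != "true":
        # Impersonation off: requests run as the system-level process account.
        return "process", None, findings

    user = attrs.get("userName")
    if not user:
        # Impersonation on, no account named: the identity passed by IIS is used.
        return "iis-token", None, findings

    if attrs.get("password"):
        findings.append("cleartext password in config file")
    domain, sep, _ = user.partition("\\")
    # "." and the machine's own name both denote a machine-local account.
    if is_domain_controller and sep and domain.lower() in (".", machine_name.lower()):
        findings.append("local account named, but a domain controller has only domain accounts")
    return "fixed-account", user, findings


# Constructed sample configs (not taken from a real server).
SAMPLES = {
    "off": '<configuration><system.web><identity impersonate="false"/>'
           '</system.web></configuration>',
    "iis": '<configuration><system.web><identity impersonate="true"/>'
           '</system.web></configuration>',
    "local": '<configuration><system.web><identity impersonate="true" '
             'userName="DC01\\webapp" password="pwd"/></system.web></configuration>',
    "domain": '<configuration><system.web><identity impersonate="true" '
              'userName="CORP\\webapp" password="pwd"/></system.web></configuration>',
}

if __name__ == "__main__":
    for label, xml in SAMPLES.items():
        print(label, audit_identity(xml, "DC01", is_domain_controller=True))
```

The audit only reads the identity element; the process account used when impersonation is off is configured elsewhere and is not checked here.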
