August 12, 2015 08:50 by Jervis
ASP.NET applications running on IIS7 and IIS8 use the NETWORK SERVICE account by default to access resources on the computer. This post explains how to enable impersonation to have ASP.NET use a different account.
When an anonymous request arrives (i.e. one not using Windows Authentication), IIS will by default tag the request as coming from the built-in account IUSR. This behaviour is defined in applicationHost.config:
<anonymousAuthentication enabled="true" userName="IUSR" />
IIS then passes the request to ASP.NET where Forms Authentication can be used to independently authenticate the user (note that IIS can still use "anonymous" authentication, even though ASP.NET later applies Forms Authentication).
By default, ASP.NET itself then makes requests for system resources using the NETWORK SERVICE account. The account used is determined by the Application Pool that the web site belongs to; all application pools are initially configured to use NETWORK SERVICE, as set in applicationHost.config:
<processModel identityType="NetworkService" />
If we want ASP.NET to use a different account instead of NETWORK SERVICE, we can tell it to use impersonation by adding the following to the web application's web.config:
<identity impersonate="true" />
In our scenario, this will then impersonate the account IUSR, since this is the identity IIS provided for the request.
If IIS was using Windows Authentication (instead of anonymous authentication) then this would allow us to make resource requests from ASP.NET while impersonating the Windows identity of whoever was logged on. This might be necessary to give access to specific resources restricted to that user.
Alternatively, regardless of what mode of authentication IIS was using, we could provide a valid Windows identity to be used for all requests, by adding the following to web.config:
<identity impersonate="true" userName="DOMAIN\UserName" password="Password" />
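The resolution order described above, as an added Python example that is not code from the original post: it reads the two config files and returns the account ASP.NET would use for resource access, and it flags a password stored in cleartext in the identity element. The XML samples are constructed and simplified, and the function and variable names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified samples built from the fragments quoted in the post.
APP_HOST = """<configuration>
  <system.applicationHost><applicationPools><applicationPoolDefaults>
    <processModel identityType="NetworkService" />
  </applicationPoolDefaults></applicationPools></system.applicationHost>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" />
  </authentication></security></system.webServer>
</configuration>"""
WEB_DEFAULT = "<configuration><system.web /></configuration>"
WEB_IMPERSONATE = """<configuration><system.web>
  <identity impersonate="true" />
</system.web></configuration>"""
WEB_FIXED = r"""<configuration><system.web>
  <identity impersonate="true" userName="DOMAIN\UserName" password="Password" />
</system.web></configuration>"""


def effective_identity(app_host_xml, web_config_xml):
    """Return (account, findings): who ASP.NET accesses resources as."""
    host = ET.fromstring(app_host_xml)
    web = ET.fromstring(web_config_xml)
    pool = host.find(".//applicationPoolDefaults/processModel")
    anon = host.find(".//anonymousAuthentication")
    ident = web.find("./system.web/identity")
    findings = []
    # No impersonation: the application pool identity is used.
    if ident is None or ident.get("impersonate", "false").lower() != "true":
        return pool.get("identityType"), findings
    # Fixed account: used for all requests, whatever IIS authenticated.
    if ident.get("userName"):
        if ident.get("password") is not None:
            findings.append("cleartext password in web.config <identity>")
        return ident.get("userName"), findings
    # Plain impersonation: ASP.NET takes the identity IIS attached to the request.
    if anon is not None and anon.get("enabled", "").lower() == "true":
        return anon.get("userName"), findings
    return "<authenticated Windows user>", findings


if __name__ == "__main__":
    for name, cfg in [("default", WEB_DEFAULT), ("impersonate", WEB_IMPERSONATE),
                      ("fixed account", WEB_FIXED)]:
        print(name, effective_identity(APP_HOST, cfg))
```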
IIS Config File
The Internet Information Services Manager lets you configure IIS, but the configuration is ultimately stored in the file: