web.config, Windows Authentication, and getting the logged-in user's identity

I've been developing an ASP.NET 2.0 web site on my machine (and I love the in-built web server) which accesses an SQL Server 2000 database through an SQL account, but which also passes the current user's Windows login for row-level access. This works fine in development when the web.config file is set up like:

<authentication mode="Windows"/>

In this situation in development, my Windows login is returned when using code like System.Security.Principal.WindowsIdentity.GetCurrent(), which is what I want.

But, when I tested the deployment of the site on Windows Server 2003, the current user always returned NT AUTHORITY! So, after checking all the possible settings in IIS (and comparing settings to sites I *know* get the current user), I discovered the following on a page of PAG documentation on MSDN:

Impersonation Options

You can use Windows authentication with ASP.NET in a number of ways:

  • Windows authentication without impersonation. This is the default setting. ASP.NET performs operations and accesses resources by using your application's process identity, which by default is the Network Service account on Windows Server 2003.
  • Windows authentication with impersonation. With this approach, you impersonate the authenticated user and use that identity to perform operations and access resources.
  • Windows authentication with fixed-identity impersonation. With this approach, you impersonate a fixed Windows account to access resources using a specific identity. On Windows Server 2003, you should avoid this impersonation approach; instead, use a custom application pool with a custom service identity.

The second option was exactly what I wanted, and can be accomplished by simply adding the following line to web.config (I added it after the "authentication" section):

<identity impersonate="true" />

Problem solved! I hope this might help anyone else in the future... and I know I'm probably going to need to refer back to it too.
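To check at runtime which identity a request is actually running under, and to pass the authenticated Windows login to SQL Server as the post describes, here is an added C# example (not code from the original post); the helper names, the dbo.Documents table and the OwnerLogin column are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class CallerIdentity
{
    // Identity the ASP.NET worker thread is running under right now.
    // Without <identity impersonate="true"/> this is the process identity
    // (Network Service on Windows Server 2003); with it, the caller.
    public static string ThreadIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // The user IIS/ASP.NET authenticated, whether or not impersonation is on.
    // Prefer this for row-level access: it never silently falls back to the
    // process account, and it throws if anonymous access slipped through.
    public static string AuthenticatedUser(HttpContext ctx)
    {
        IIdentity id = (ctx.User != null) ? ctx.User.Identity : null;
        if (id == null || !id.IsAuthenticated)
            throw new InvalidOperationException(
                "Anonymous request: enable Windows authentication and deny anonymous users.");
        return id.Name; // DOMAIN\user
    }

    // Detects the symptom from the post: impersonation configured but the
    // thread still running as the process account.
    public static bool ImpersonationInEffect(HttpContext ctx)
    {
        return string.Equals(ThreadIdentity(), AuthenticatedUser(ctx),
                             StringComparison.OrdinalIgnoreCase);
    }

    // Pass the login as a parameter (never string-concatenated) over the
    // fixed SQL-account connection. Table and column names are hypothetical.
    public static int CountRowsVisibleTo(string connectionString, string windowsLogin)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT COUNT(*) FROM dbo.Documents WHERE OwnerLogin = @login";
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 256).Value = windowsLogin;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Calling ImpersonationInEffect from a page on the deployed server tells you immediately whether the identity element took effect, and AuthenticatedUser gives the login to pass to the database even when it did not.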

posted @ Wednesday, December 07, 2005 9:04 PM
