Which account is used when a user navigates to a A

2019-09-04 01:18发布

问题:

When a user browses to a ASP.NET website, is the user impersonating the ASPNET account or the account specified in IIS->Directory Security->Account used for anonymous access (EX: IUSR_XXX)

My website writes files to the disk and I was wondering which of these accounts need write access to the folder? Also, can someone explain how the impersonate element in the web.config ties into all this?

Thanks!

回答1:

If impersonation is enabled in an ASP.NET application then:

  • If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
  • If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
  • In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.

If impersonation is disabled in an ASP.NET application then:

  • If anonymous access is enabled in IIS, the request is made using the system-level process account.
  • If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
  • In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account they are
    running under is valid for that resource.

Source: Understanding Impersonation in ASP.NET



回答2:

By default the identity is MachineName\ASPNET, you can change this behavior by turning on identity impersonation in the web.config