When a user browses to an ASP.NET website, is the user impersonating the ASPNET account or the account specified in IIS->Directory Security->Account used for anonymous access (EX: IUSR_XXX)?
My website writes files to the disk and I was wondering which of these accounts needs write access to the folder. Also, can someone explain how the impersonate element in the web.config ties into all this?
Thanks!
If impersonation is enabled in an ASP.NET application then:
- If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
- If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
- In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.
If impersonation is disabled in an ASP.NET application then:
- If anonymous access is enabled in IIS, the request is made using the system-level process account.
- If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
- In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.
Source: Understanding Impersonation in ASP.NET
By default the identity is MachineName\ASPNET; you can change this behavior by turning on identity impersonation in the web.config.
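
To see which of the accounts discussed above a given site actually runs as, and whether the target folder's ACL lets that account create files, a diagnostic helper along these lines can be called from a page in the site. This is an added example, not code from the thread; `WriteAccessProbe`, `Describe` and `CanCreateFiles` are hypothetical names, and the ACL evaluation is an approximation of the Windows access check, not a replacement for it.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Hypothetical helper, not from the thread. Call it from any page or handler in the site.
public static class WriteAccessProbe
{
    // Reports which Windows account the current request thread runs as and
    // whether the folder's ACL grants that account the right to create files.
    public static string Describe(string folder)
    {
        // With <identity impersonate="true" /> this is the impersonated account
        // (IUSR_machinename or the authenticated user); otherwise it is the
        // worker process account.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            try
            {
                bool ok = CanCreateFiles(id, folder);
                return id.Name + (ok ? " may write to " : " may NOT write to ") + folder;
            }
            catch (UnauthorizedAccessException)
            {
                // The account cannot even read the folder's permissions.
                return id.Name + " cannot read the ACL of " + folder;
            }
        }
    }

    // Approximates the Windows access check: any matching deny rule wins,
    // otherwise at least one matching allow rule is required.
    static bool CanCreateFiles(WindowsIdentity id, string folder)
    {
        DirectorySecurity acl = Directory.GetAccessControl(folder);
        bool allowed = false;
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference;
            bool mine = sid.Equals(id.User) || (id.Groups != null && id.Groups.Contains(sid));
            // Inherit-only rules apply to children, not to the folder itself.
            bool inheritOnly = (rule.PropagationFlags & PropagationFlags.InheritOnly) != 0;
            bool covers = (rule.FileSystemRights & FileSystemRights.CreateFiles) != 0;
            if (!mine || inheritOnly || !covers) continue;
            if (rule.AccessControlType == AccessControlType.Deny) return false;
            allowed = true;
        }
        return allowed;
    }
}
```

Running it once with impersonation on and once with it off shows the account name change, which identifies the one account that needs write access on the folder; granting it to only that account keeps the folder ACL minimal.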