ASP.NET impersonation problem (part 2)

This is a follow-on to a previous post about being unable to impersonate the currently logged-in Windows user. There were many good suggestions, but the previous thread was getting messy, so I am resetting with this post. Hopefully, with the current state documented below, it will be obvious what the issue is. This is a well-worn path, so I have to believe all I am missing is a little configuration step.

PROBLEM: I need to have ASP.NET impersonate the currently logged in user. When I run under IIS 7.5, it doesn't work. IIS Express works fine, but I believe that is because the debugging session is running under my user id.

I am using Environment.UserName to determine who this user is. There was a suggestion that this property always returns the logged-in user name, but from my testing it returns the impersonated user from IIS.

For example, if my web.config has…

    <identity impersonate="true" />

When I run under IIS 7.5 with that setting, Environment.UserName returns IUSR. I believe this is the IIS anonymous user account.

If I change web.config to…

    <identity impersonate="true" userName="domain\jlivermore" password="mypassword" />

… then Environment.UserName returns jlivermore. However, I need it to return jlivermore without me explicitly setting it in web.config.

Here are my IIS settings…

(screenshot: .NET Authorization Rules)

(screenshot: Authentication)

One question: if I disable Anonymous Authentication, then I am prompted to log in to the site. I thought that if you were logged in with an Active Directory account on a domain, this challenge wouldn't appear? Even if I enter my username/password into this prompt, I still don't get impersonation to work.

(screenshot: Basic Settings)

John Livermore asked Oct 11 '22 00:10


2 Answers

I'm not sure if you've found an answer, but if anyone is having problems with it, you will need the following in your web.config file:

    <authentication mode="Windows"/>
    <identity impersonate="true"/>

And in IIS you will need ASP.NET Impersonation enabled as well as Windows Authentication enabled; the others should be disabled. And in Windows Authentication, go to Advanced Settings and UNCHECK "Enable Kernel-mode authentication". That should do it. Your site should now be set up for Local Intranet apps, and using any of the following will work:

    System.Security.Principal.WindowsIdentity.GetCurrent().Name
    HttpContext.Current.User.Identity.Name
    System.Threading.Thread.CurrentPrincipal.Identity.Name

But using Environment.UserName will only return the server name. Hopefully this helps anyone struggling with this.

Ben Petersen answered Oct 13 '22 15:10
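The same configuration the answer above walks through in IIS Manager, applied with the WebAdministration module so it can be reviewed and repeated. This is an added example, not code from the original answer or from the asker; the site name `Default Web Site`, the application name `MyApp` and the feature-install line are assumptions for a server where the Windows Authentication module may not yet be present. The authentication sections live in applicationHost.config and are locked there by default, which is why they are written with `-Location` rather than into the application's web.config. Note that no `userName`/`password` is set on `<identity>`, so no domain credential ends up in a config file.

```powershell
# Added example (not from the original answer): apply the IIS and ASP.NET settings
# described above with WebAdministration instead of clicking through IIS Manager.
# Run in an elevated PowerShell on the web server.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumed site name
$app      = 'MyApp'              # assumed application name
$location = "$site/$app"
$authPath = 'system.webServer/security/authentication'

# Assumption: the Windows Authentication module is installed. If not:
#   Install-WindowsFeature Web-Windows-Auth   (ServerManager module, Windows Server)

# IIS-level authentication: Windows on, anonymous and basic off. With anonymous
# still enabled IIS never challenges the browser, so <identity impersonate="true"/>
# ends up impersonating the anonymous account (IUSR), which is what the question saw.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/basicAuthentication"     -Name enabled -Value $false

# Kernel-mode authentication decrypts Kerberos tickets with the machine account.
# That is fine for ApplicationPoolIdentity/NetworkService pools, but fails when the
# pool runs as a custom domain account that owns the HTTP SPN. The answer turns it
# off; the alternative that keeps kernel mode is useAppPoolCredentials=true.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/windowsAuthentication" -Name useKernelMode -Value $false

# ASP.NET side (system.web in the application's web.config): Windows auth mode and
# impersonation of the authenticated caller, with no fixed userName/password.
$appPath = "IIS:\Sites\$site\$app"
Set-WebConfigurationProperty -PSPath $appPath -Filter 'system.web/authentication' `
    -Name mode -Value 'Windows'
Set-WebConfigurationProperty -PSPath $appPath -Filter 'system.web/identity' `
    -Name impersonate -Value $true

# Verify the effective IIS settings for this application.
foreach ($m in 'windowsAuthentication', 'anonymousAuthentication', 'basicAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authPath/$m" -Name enabled
    '{0,-24} enabled={1}' -f $m, $v.Value
}
$k = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/windowsAuthentication" -Name useKernelMode
"useKernelMode={0}" -f $k.Value
```

After running it, browse to the application from a domain-joined client in the Local Intranet zone; `HttpContext.Current.User.Identity.Name` should now show the caller's domain account rather than IUSR.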


I had a similar problem to the one you describe. The basic crux of the matter is that there is a difference between impersonation and delegation. My simple understanding of this is that impersonation will work when the client and server are on the same machine. If, however, the client is on a different machine, you need delegation.

MSDN Reference

What is the difference between impersonation and delegation?

Impersonation flows the original caller's identity to back-end resources on the same computer. Delegation flows the original caller's identity to back-end resources on computers other than the computer running the service.

Related SO questions

  • Impersonation in ASP.NET MVC
  • Starting a console application from asp.net using authenticated user credentials
Ahmad answered Oct 13 '22 14:10
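A check for the distinction the answer above draws: impersonation gives the worker thread the caller's token, but passing that identity on to a resource on another machine (the classic "double hop", which typically surfaces as a back-end logon by `NT AUTHORITY\ANONYMOUS LOGON`) needs Kerberos and an account that is allowed to delegate. This added example, not part of the original answer, reports which account the web server will present on the second hop and whether it is trusted to delegate to the back end. The app pool name, the back-end SPN and the domain names are assumptions; it needs the WebAdministration and ActiveDirectory (RSAT) modules and a domain user to run.

```powershell
# Added example (not from the original answer): is the web server's network identity
# allowed to delegate the caller's identity to a back-end SPN?
Import-Module WebAdministration
Import-Module ActiveDirectory

$pool       = 'DefaultAppPool'                    # assumed app pool name
$backendSpn = 'MSSQLSvc/sql01.corp.example:1433'  # assumed back-end SPN

$pm = (Get-Item "IIS:\AppPools\$pool").processModel
$props = 'ServicePrincipalNames', 'TrustedForDelegation', 'msDS-AllowedToDelegateTo'

# NetworkService and ApplicationPoolIdentity authenticate on the network as the
# computer account; only SpecificUser brings its own domain account.
if ($pm.identityType -eq 'SpecificUser') {
    $sam  = $pm.userName -replace '^.*\\', ''       # strip DOMAIN\ prefix
    $acct = Get-ADUser -Identity $sam -Properties $props
} else {
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties $props
}
"App pool '$pool' runs as $($pm.identityType); network identity is $($acct.SamAccountName)"

# Kerberos requires an HTTP SPN on that account; without it the browser falls back
# to NTLM, and NTLM cannot delegate at all.
$hasHttpSpn = @($acct.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' }).Count -gt 0
"HTTP SPN registered: $hasHttpSpn"

# Unconstrained delegation works but lets this account impersonate callers to any
# service; constrained delegation limited to the back-end SPN is the safer setting.
$constrained = @($acct.'msDS-AllowedToDelegateTo')
if ($acct.TrustedForDelegation) {
    'Delegation: UNCONSTRAINED (works, but over-privileged; scope it to the back end)'
} elseif ($constrained -contains $backendSpn) {
    "Delegation: constrained to $backendSpn (OK)"
} else {
    "Delegation: not allowed to $backendSpn; the second hop will arrive as ANONYMOUS LOGON"
}
```

If the last line reports no delegation, the fix is on the account object in Active Directory (the Delegation tab, or `msDS-AllowedToDelegateTo`), not in web.config; impersonation alone, as the answer says, only carries the caller's identity as far as the web server itself.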