Identities for different IIS7 Authentication Configurations (January 2009)
A few notes about identities from the standpoint of ASP.NET:
WindowsIdentity.GetCurrent() - This WindowsIdentity represents the OS thread identity, or more specifically an account token (not to be confused with Thread.CurrentPrincipal.Identity, which is just a simple container for your convenience). The token represents an LSA (Local Security Authority) or Active Directory account. It will always be the process identity set in the App Pool configuration (a.k.a. the App Pool identity) unless you are doing impersonation. This is the actual identity (the Windows account token) that code runs as; as far as Windows security is concerned, it is the only identity that matters. The only way to "change" it is impersonation, which is done on a thread-by-thread basis and should be reverted to the original identity as soon as possible to avoid a security hole (and a resource leak from unclosed handles). New threads always inherit the process token regardless of whether the creating thread is impersonating another user (something to remember when doing async calls in ASP.NET while impersonating).
Thread.CurrentPrincipal.Identity & HttpContext.Current.User.Identity - These are set by ASP.NET during the authentication phase and will be one of the following:
- an anonymous WindowsIdentity when doing just anonymous auth;
- a GenericIdentity when doing forms auth (which implies anonymous auth);
- a custom identity when doing custom auth (which implies anonymous auth);
- a WindowsIdentity representing the authenticating user when doing any other type of auth, such as Basic, Windows or Challenge-Response.
These two properties actually point to the same instance of the identity. It will be the same as the OS thread identity only when you are doing impersonation.
Request.LogonUserIdentity - This is a WindowsIdentity representing the authenticating user, regardless of the authentication type. It will be the same as the OS thread identity only when you are doing impersonation, and the same as Thread.CurrentPrincipal.Identity & HttpContext.Current.User.Identity only when you are not doing anonymous authentication.
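As an added example (not code from the original post), here is a C# helper for ASP.NET on the .NET Framework that reports the three identities compared above for the current request, so a handler can log them and check them against the tables, wraps impersonation of Request.LogonUserIdentity in a using block so the revert always happens, and shows the new-thread caveat. IdentityProbe, Describe, RunAsLogonUser and NameOnNewThread are hypothetical names; the code assumes it runs inside an IIS worker process.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical helper (added example): reports the identities the notes compare.
public static class IdentityProbe
{
    public static string Describe(HttpContext ctx)
    {
        // OS thread token: the identity Windows actually enforces.
        WindowsIdentity os = WindowsIdentity.GetCurrent();
        // ASP.NET's principal container, filled in during the authentication phase.
        IIdentity principal = Thread.CurrentPrincipal.Identity;
        // The IIS-authenticated user, whatever ASP.NET put in the principal.
        WindowsIdentity logon = ctx.Request.LogonUserIdentity;

        return string.Format(
            "OS={0} [{1}]; Principal={2} [{3}, {4}]; LogonUser={5} [{6}]; " +
            "principalSameInstance={7}; osIsLogonUser={8}",
            os.Name, os.AuthenticationType,
            principal.Name, principal.GetType().Name, principal.AuthenticationType,
            logon.Name, logon.AuthenticationType,
            ReferenceEquals(principal, ctx.User.Identity),
            os.User == logon.User);   // compare SIDs, not object instances
    }

    // Runs 'work' as the IIS-authenticated user. Disposing the
    // WindowsImpersonationContext calls Undo() even if 'work' throws, so the
    // thread returns to the App Pool identity and no token handle is left open.
    public static T RunAsLogonUser<T>(HttpContext ctx, Func<T> work)
    {
        using (WindowsImpersonationContext wic = ctx.Request.LogonUserIdentity.Impersonate())
        {
            return work();
        }
    }

    // Illustrates the caveat in the notes: a thread started while impersonating
    // still runs as the process identity, because new threads inherit the process token.
    public static string NameOnNewThread()
    {
        string name = null;
        Thread t = new Thread(() => { name = WindowsIdentity.GetCurrent().Name; });
        t.Start();
        t.Join();
        return name;
    }
}
```

Calling NameOnNewThread() from inside RunAsLogonUser returns the App Pool identity, not the impersonated user, which is the behaviour the notes warn about for async work.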
Here is a listing of the identities set by IIS7 auth in a number of configurations. They remained the same in both integrated and classic pipeline modes.
Anonymous (Specific User, which happens to be IUSR)

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\NETWORK SERVICE
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | | NT AUTHORITY\IUSR

Anonymous (Specific User, which happens to be IUSR), Impersonation

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\IUSR
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | | NT AUTHORITY\IUSR

Anonymous (App Pool Identity, which happens to be NETWORK SERVICE)

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\NETWORK SERVICE
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | | NT AUTHORITY\NETWORK SERVICE

Anonymous (App Pool Identity, which happens to be NETWORK SERVICE), Impersonation

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\NETWORK SERVICE
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | | NT AUTHORITY\NETWORK SERVICE

Anonymous, Physical Path Credentials, LSA User

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\NETWORK SERVICE
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | | HOST\username

Anonymous, Impersonation, Physical Path Credentials, LSA User

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | NTLM | HOST\username
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | |
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | | HOST\username

Basic, LSA User (Same for AD user)

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\NETWORK SERVICE
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Basic | HOST\username
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Basic | HOST\username
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | Basic | HOST\username

Impersonation, Basic Auth, and LSA User (Classic Pipeline Mode or Integrated Pipeline and validateIntegratedModeConfiguration=false)

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | NTLM | HOST\username
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Basic | HOST\username
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Basic | HOST\username
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | Basic | HOST\username

Impersonation, Basic Auth, and AD User (Classic Pipeline Mode or Integrated Pipeline and validateIntegratedModeConfiguration=false)

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Kerberos | DOMAIN\username
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Basic | DOMAIN\username
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Basic | DOMAIN\username
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | Basic | DOMAIN\username

Forms, Anonymous Auth

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\NETWORK SERVICE
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.GenericIdentity | |
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.GenericIdentity | |
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | | NT AUTHORITY\IUSR
Windows Auth, LSA User

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | NT AUTHORITY\NETWORK SERVICE
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Negotiate | HOST\username
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Negotiate | HOST\username
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | HOST\username
Impersonation, Windows Auth, and LSA User (Classic Pipeline Mode or Integrated Pipeline and validateIntegratedModeConfiguration=false)

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | NTLM | HOST\username
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Negotiate | HOST\username
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Negotiate | HOST\username
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | HOST\username

Impersonation, Windows Auth, and AD User (Classic Pipeline Mode or Integrated Pipeline and validateIntegratedModeConfiguration=false)

Source | Type | Return Type | Authentication Type | Identity Name
---|---|---|---|---
WindowsIdentity.GetCurrent() | WindowsIdentity | System.Security.Principal.WindowsIdentity | Kerberos | DOMAIN\username
Thread.CurrentPrincipal.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Negotiate | DOMAIN\username
HttpContext.Current.User.Identity | IIdentity | System.Security.Principal.WindowsIdentity | Negotiate | DOMAIN\username
Request.LogonUserIdentity | WindowsIdentity | System.Security.Principal.WindowsIdentity | Negotiate | DOMAIN\username