
day and the first person in afterwards had lower network privileges, then code inside of
Application_Start would mysteriously fail. Limiting the security decision to one of process,
application impersonation, or UNC identity guarantees stable security credentials each and every
time the application starts up.

To highlight this behavior, use a simple ASP.NET application that stores the thread identity when
Application_Start is running and then compares it to the thread identity that is used during a
normal page request.

The sample application here uses the following code in global.asax to store the name of the
authenticated identity that is used when Application_Start is called:

    void Application_Start(Object sender, EventArgs e) {
        // Record the OS thread identity in effect while the application starts
        Application["WindowsIdentity"] =
            System.Security.Principal.WindowsIdentity.GetCurrent().Name;
    }

You can then see the differences between the Application_Start identity and the actual identity that
is running for a page request with the following code:

    protected void Page_Load(object sender, EventArgs e)
    {
        // Identity that was stored during Application_Start
        Response.Write("The operating system thread in Application_Start ran as: "
            + Application["WindowsIdentity"] + "<br/>");
        // Identity of the OS thread serving this page request
        Response.Write("The current operating system thread identity is: " +
            System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    }

To see the effects of this, the code was run using a local ASP.NET application as well as a
separate copy running remotely from a UNC share. The values for <identity /> were varied as well,
although in all cases Windows authentication was enabled for the application. The results of
running the sample application in various configurations are shown in the following table:

Configured       Running on
Impersonation    UNC Share     Application_Start Thread Identity
---------------  ------------  ----------------------------------------------
None             No            NT AUTHORITY\NETWORK SERVICE
Client           No            NT AUTHORITY\NETWORK SERVICE
Application      No            The username as configured in <identity />
None             Yes           The UNC identity as configured in the IIS MMC
Client           Yes           The UNC identity as configured in the IIS MMC
Application      Yes           The username as configured in <identity />

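The comparison above can be made mechanical. The following is an added example, not code from the original text: it goes slightly beyond the sample by recording the SID and whether the thread holds an impersonation token (via WindowsIdentity.GetCurrent(true)), so startup and request credentials can be compared reliably. The class IdentityProbe, its members, and the Application-state key are hypothetical names chosen for this example.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example; IdentityProbe and its member names are hypothetical.
public static class IdentityProbe
{
    public const string StartupKey = "StartupIdentitySnapshot";
    public sealed class Snapshot
    {
        public string Name;          // account name of the effective token
        public string Sid;           // SID, stable across account renames
        public bool IsImpersonating; // false: thread runs on the process token
        public override string ToString()
        {
            return Name + " [" + Sid + ", "
                + (IsImpersonating ? "impersonation token" : "process token") + "]";
        }
    }

    public static Snapshot Capture()
    {
        // GetCurrent(true) returns null when the thread is not impersonating.
        using (WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true))
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        {
            Snapshot s = new Snapshot();
            s.Name = effective.Name;
            s.Sid = effective.User.Value;
            s.IsImpersonating = impersonated != null;
            return s;
        }
    }

    // Call from Application_Start in global.asax.
    public static void RecordStartup(HttpApplicationState app)
    {
        app[StartupKey] = Capture();
    }

    // Call during a request; false means startup used different credentials.
    public static bool MatchesStartup(HttpApplicationState app, out string detail)
    {
        Snapshot start = app[StartupKey] as Snapshot;
        Snapshot now = Capture();
        detail = "Application_Start: " + start + "; request: " + now;
        return start != null && start.Sid == now.Sid;
    }
}
```

Call IdentityProbe.RecordStartup(Application) from Application_Start and IdentityProbe.MatchesStartup(Application, out detail) from Page_Load. A false result flags a configuration in which anything initialized at startup was reached with credentials other than those serving the request.
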
The results for the non-UNC application make sense: Either the process identity or the application
impersonation identity is used. The UNC case is a little bit trickier, because using application
impersonation with a UNC share means that two sets of explicit credentials are floating around and
being used by ASP.NET. When running as the application impersonation identity, some additional
rights are needed for the application to run properly. The special security configurations need to
fully enable UNC support as shown in the following table:
Initial Phases of a Web Request