IIS 7.5 Integrated Authentication NTFS Folder Permissions without Impersonation

Question

This is a similar question to many that I have seen before but I have not found a clear answer yet so I will try to be very specific here to avoid duplication.

We are running IIS7.5 on 2008R2 with only windows authentication turned on (no anonymous) and no impersonation. There is a network account specified for the application pool user.

When I check the WindowsIdentity.GetCurrent() of the currently executing page I get the expected (App-pool) user based on our configuration.

http://www.mikeobrien.net/blog/identities-for-different-iis7/

This matches the expectations nicely. However, it appears that NTFS folder permissions on our application are being checked against the identity of the authenticated user.

This seems to contradict most of the documentation I have found. The above link as well as

http://msdn.microsoft.com/en-us/library/kwzs111e(v=vs.100).aspx

http://msdn.microsoft.com/en-us/library/3yfs7yc7(v=vs.100).aspx

http://msdn.microsoft.com/en-us/library/gg703322%28v=vs.98%29.aspx

How is IIS checking the authenticated user's identity in folder ACLs when .Net is clearly indicating that the WindowsIdentity in play is that of the App-Pool?

The only theory I have so far is that the file authorization module is utilized with integrated authentication automatically and it is explicitly checking this... but it still seems to go against the documented expectation.

http://msdn.microsoft.com/en-us/library/gg703322%28v=vs.98%29.aspx

This article, for example, seems to document both expectations.

When Windows authentication is enabled but impersonation is disabled, ASP.NET performs file access checks in the file authorization module using the credentials that are sent from the browser. Impersonation does not need to be enabled, because the FileAuthorizationModule module ensures that the requesting user is allowed read access or write access to the resource, depending on the request verb (for example, GET or POST) before executing the request.

Followed a few lines later by

Windows authentication without impersonation. This is the default setting. ASP.NET performs operations and accesses resources by using your application's process identity, which by default is the application pool identity on Windows 7 and Windows 2008 R2. For more information, see Application Pool Identities.

Windows authentication with impersonation. With this approach, the Web application impersonates the authenticated user and uses that identity to perform operations and access local resources. When you configure your application for impersonation, an impersonation token for the authenticated user is attached to the Web request thread. As a result, all local resource access is performed using the caller's identity.

My question:

What identity should be used when file system ACL checks are performed? (My understanding was App-Pool when impersonation = off) and what settings might affect which identity is used outside of impersonation?

This is very similar to this question:

Does an IIS 7.5 web app with windows authentication require end users to have file permissions?

The marked answer on this question does not address my concern. Authorizing 'authenticated users' group should not be required as the identity being used should not rely on the set of end-users being authorized. My question is much more specifically, which identity and how is this controlled?

Answer 1

"NEW IN IIS 7.5

IIS 7.5 added the authenticatedUserOverride attribute to the element, which configures whether the IIS 7 server runtime will provide the authenticated user's identity or the worker process identity in the IHttpUser::GetPrimaryToken and IHttpUser::GetImpersonationToken methods. This attribute can be set to UseAuthenticatedUser or UseWorkerProcessUser, and these values respectively specify whether the IIS 7 server runtime will provide the authenticated user's identity or the worker process identity for any module that is using impersonation."

Source