Change the Permissions Given to ASP.NET Code

ASP.NET code doesn't run under the IIS authenticated user or the anonymous IUSR_[ServerName] account. Part of the reason is that this account usually won't have sufficient privileges for ASP.NET code, which needs to be able to create and delete temporary files to manage the Web page compilation process.

By default, ASP.NET pages run using the local ASPNET account, which has a carefully limited set of privileges. If you need your ASP.NET code to perform something that is not allowed by default for this account (writing to the server hard drive or the event log, for example), you can explicitly grant those rights to the ASPNET account. You can also change which account the worker process runs under by editing the machine.config file and modifying the <processModel> tag. You can set the userName and password attributes to any arbitrary user, or you can use the built-in local ASPNET account (set userName to Machine and password to AutoGenerate) or the local system account (set userName to System and password to AutoGenerate). Because the local system account has full rights to the computer, using it is never recommended except for testing purposes. The <processModel> settings are global, so all Web applications on the server share the account you specify.

You can also change the account used to execute certain applications or specific code by using impersonation. For example, to configure a single Web application to run under a different user account, add the <identity> tag to the Web.config file, as shown here:

<configuration>
  <system.web>
    <!-- Other settings omitted. -->
    <!-- Note: the password is stored here in clear text, so restrict read access to Web.config. -->
    <identity impersonate="true" name="domain\user" password="pwd"/>
  </system.web>
</configuration>

You can also instruct the Web application to use the identity that was authenticated by IIS, which will be the anonymous IUSR_[ServerName] account if you aren't using Windows authentication. Simply add the <identity> tag without supplying any user credentials:

<identity impersonate="true"/>

Remember, for this type of impersonation to work, the user account will require read/write access to the Temporary ASP.NET Files directory where the compiled ASP.NET files are stored. This directory is located under the path C:\[WindowsDirectory]\Microsoft.NET\Framework\[version]\Temporary ASP.NET Files.

Finally, you can also use impersonation programmatically, to change the account used to execute a particular section of code. The following code snippet shows a brief example that works in conjunction with Windows authentication. Provided IIS has authenticated the user, that user identity will be assumed when the WindowsIdentity.Impersonate method is used. To use this code, you must import the System.Security.Principal namespace.

// At the top of the code-behind file:
using System.Security.Principal;

// Inside a page method (for example, Page_Load):
if (User.GetType() == typeof(WindowsPrincipal)) {
    WindowsIdentity id = (WindowsIdentity)User.Identity;
    WindowsImpersonationContext impersonate = id.Impersonate();
    try {
        // (Now perform tasks under the impersonated ID.)
    }
    finally {
        // Revert to the original ID, even if the task above throws.
        impersonate.Undo();
    }
} else {
    // User is not Windows authenticated.
    // Throw an error or take other steps.
}

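As an added example (not code from the original text), the following code-behind method applies the programmatic impersonation described above to read a per-user file under the caller's own Windows token, refuses the request when IIS did not perform Windows authentication, and uses WindowsIdentity.GetCurrent() to confirm that the thread is back on the process account afterwards. The ReportsRoot path and the report file naming are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class ReportPage : Page
{
    // Assumed location of per-user report files; not from the original text.
    private const string ReportsRoot = @"C:\Reports";

    protected void Page_Load(object sender, EventArgs e)
    {
        WindowsIdentity id = User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
        {
            // IIS did not perform Windows authentication: refuse rather than
            // silently run the file access under the ASPNET process account.
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Account the worker process runs under before impersonation (e.g. MACHINE\ASPNET).
        string processAccount = WindowsIdentity.GetCurrent().Name;

        WindowsImpersonationContext ctx = id.Impersonate();
        try
        {
            // While impersonating, GetCurrent() reports the caller, and the file
            // read is checked against the caller's NTFS permissions, not the
            // ASPNET account's, so users can only open what they are allowed to.
            string file = id.Name.Replace('\\', '_') + ".txt";
            string path = Path.Combine(ReportsRoot, file);
            Response.Write(HttpUtility.HtmlEncode(File.ReadAllText(path)));
        }
        finally
        {
            // Always revert: leaving the thread impersonated would let later code
            // in this request (or a reused pooled thread) keep running as the caller.
            ctx.Undo();
        }

        // Back on the process account for the rest of the request.
        System.Diagnostics.Debug.Assert(WindowsIdentity.GetCurrent().Name == processAccount);
    }
}
```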
Variety in the Web World