
I have an ASP.NET application whose app pool is running as Network Service which makes a request to SSRS running on a separate server to retrieve a report. The report displays the username (using SSRS's User!UserID parameter). I would have expected it to show the machine account a la MY_DOMAIN\SOME_SERVER_NAME$ but instead it shows NT AUTHORITY\NETWORK SERVICE.

I read the summary of the NTLM flow at https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm which many blogs reference.

  • Is NT AUTHORITY\NETWORK SERVICE the username actually used in the NTLM messages? Or is the real domain + machine name used and it is just translated on the receiving server for display? (It would seem the real machine account would have to be used in the message so the domain controller could look up the right account to validate the message.)
  • Is there a way to get the actual machine account instead of NT AUTHORITY\NETWORK SERVICE? I want to take action based on which server sent the request, whereas just "NT AUTHORITY\NETWORK SERVICE" only tells me that some server within my domain made the request.
  • Are the ASP and SSRS co-resident on the server? – markgamache Aug 30 '19 at 20:25
  • Since I don't have access to the SSRS server, I set up an experiment with a couple of ASP.NET apps on another server where one app makes a request to the other, and the target app displays the name of the authenticated user. When I configure IIS to only allow NTLM for the target app, it shows NT AUTHORITY\NETWORK SERVICE but if I configure IIS to only allow Kerberos then it displays as MY_DOMAIN\SOME_SERVER_NAME$. Given that Kerberos is the recommended protocol anyway, hopefully we will be able to switch and thus eliminate the issue that way. – user221592 Aug 30 '19 at 21:55
  • Contrary to my original understanding, the app and SSRS web interface appear to be running on the same server. – user221592 Aug 30 '19 at 21:56
  • With further experimenting, I found that the userid only appears as NT AUTHORITY\NETWORK SERVICE when both the app making the request and the target app are on the same server. Otherwise the name is in the MY_DOMAIN\SOME_SERVER_NAME$ form. So I am able to determine the sender clearly. But I'm still curious why NTLM uses the pseudonym instead of the actual name of the domain account for on-server authentication. – user221592 Sep 04 '19 at 18:29
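An added example, not part of the question or of any answer, for the first bullet above: instead of inferring the name on the wire from what SSRS displays, decode the `Authorization` header of the actual request. The script follows the AUTHENTICATE_MESSAGE (Type 3) layout from MS-NLMP section 2.2.1.3: fixed header fields, then Len/MaxLen/BufferOffset triples that point into the payload, with the `NTLMSSP_NEGOTIATE_UNICODE` flag deciding whether the name fields are UTF-16LE or OEM text. The sample header is constructed inside the script with dummy challenge-response bytes (it would never validate against a DC), and `MY_DOMAIN` / `SOME_SERVER_NAME` are the placeholders from the question. The OEM code page (cp437) is an assumption, as is the `Workstation` value.

```python
"""Build and parse NTLM AUTHENTICATE_MESSAGE (Type 3) blobs, MS-NLMP 2.2.1.3.

Added example for checking which account name actually travels in the NTLM
exchange. The sample below is constructed here, not captured from a server.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3

NEGOTIATE_UNICODE = 0x00000001     # name fields are UTF-16LE
NEGOTIATE_OEM = 0x00000002         # name fields are OEM (code page) text
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_LOCAL_CALL = 0x00004000  # reserved (r7) in MS-NLMP; "Negotiate Local Call" in Davenport's write-up
NEGOTIATE_VERSION = 0x02000000     # Version field is present

# Signature(8) + MessageType(4) + six field triples(48) + NegotiateFlags(4) + Version(8) + MIC(16)
HEADER_LEN = 88
OEM_CODEPAGE = "cp437"  # assumption: OEM text is decoded with the US OEM code page


def build_authenticate_message(domain, user, workstation,
                               flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM):
    """Return a Type 3 blob carrying the given names. Challenge responses are dummies."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else OEM_CODEPAGE
    lm_resp = b"\x00" * 24   # real LMv2 response: 16-byte HMAC + 8-byte client challenge
    nt_resp = b"\x00" * 16   # real NTLMv2 response: 16-byte NTProofStr + blob
    session_key = b""        # EncryptedRandomSessionKey omitted
    payload = bytearray()
    fields = b""
    # Field order in the fixed header: LM, NT, DomainName, UserName, Workstation, SessionKey
    for data in (lm_resp, nt_resp, domain.encode(enc), user.encode(enc),
                 workstation.encode(enc), session_key):
        offset = HEADER_LEN + len(payload)
        fields += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
    # Version: major 10, minor 0, build 19041, 3 reserved bytes, NTLMSSP_REVISION_W2K3 (0x0F)
    version = struct.pack("<BBHxxxB", 10, 0, 19041, 0x0F)
    mic = b"\x00" * 16
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields
            + struct.pack("<I", flags | NEGOTIATE_VERSION) + version + mic + bytes(payload))


def parse_authenticate_message(blob):
    """Extract the names and flags from a Type 3 blob; raises ValueError on anything else."""
    if blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != AUTHENTICATE:
        raise ValueError(f"expected AUTHENTICATE_MESSAGE (3), got type {msg_type}")
    (flags,) = struct.unpack_from("<I", blob, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else OEM_CODEPAGE

    def read(field_offset, text=False):
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, field_offset)
        data = blob[offset:offset + length]
        if len(data) != length:
            raise ValueError("field runs past the end of the message")
        return data.decode(enc) if text else bytes(data)

    return {
        "domain": read(28, text=True),
        "user": read(36, text=True),
        "workstation": read(44, text=True),
        "lm_response_len": len(read(12)),
        "nt_response_len": len(read(20)),
        "flags": flags,
        "unicode": bool(flags & NEGOTIATE_UNICODE),
        "local_call_bit": bool(flags & NEGOTIATE_LOCAL_CALL),
    }


def parse_authorization_header(header_value):
    """Decode 'NTLM <b64>' or 'Negotiate <b64>' when the token is raw NTLMSSP.

    A Negotiate token that starts with 0x60 is an ASN.1 GSS-API/SPNEGO wrapper
    (Kerberos, or NTLM inside SPNEGO), which this example deliberately does not unwrap.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme not in ("NTLM", "Negotiate"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    blob = base64.b64decode(token)
    if not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("token is not raw NTLMSSP (Kerberos or SPNEGO-wrapped)")
    return parse_authenticate_message(blob)


# Constructed sample: a machine account's Type 3 as the question expects it to look.
SAMPLE_HEADER = "NTLM " + base64.b64encode(
    build_authenticate_message("MY_DOMAIN", "SOME_SERVER_NAME$", "SOME_SERVER_NAME")
).decode("ascii")

if __name__ == "__main__":
    info = parse_authorization_header(SAMPLE_HEADER)
    print(f"{info['domain']}\\{info['user']} from {info['workstation']}, "
          f"flags=0x{info['flags']:08x}, local_call_bit={info['local_call_bit']}")
```

In the experiment from the comments, the target ASP.NET app can log `Request.Headers["Authorization"]` from the final request of the handshake and feed it to `parse_authorization_header`; the `domain` and `user` fields show the name the client put in the message, which may differ from the translated name the server later displays. A token that the function rejects as SPNEGO-wrapped means the request did not use raw NTLM. The `local_call_bit` is reported only so that a same-server capture can be compared with a cross-server one; MS-NLMP marks that bit reserved.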

0 Answers