I have two Windows accounts, my regular user-level one, and an Administrator one. As far as I know, there is no connection between the two in AD, other than my name. I normally log into my dev machine using the user account.

If I run my website locally using VS/IIS Express, I get the following values (as expected):

```
System.Web.HttpContext.Current.User.Identity.Name = "DOMAIN\\jespaillat"
WindowsIdentity.GetCurrent().Name = "DOMAIN\\jespaillat"
```

On the deployed site, however, when using both Chrome and IE11, I get the following:

```
System.Web.HttpContext.Current.User.Identity.Name = "DOMAIN\\admin-jespaillat"
WindowsIdentity.GetCurrent().Name = "IIS APPPOOL\\DefaultAppPool"
```

Both browsers automatically send my Windows credentials to the server, and do not prompt for login. I get the same behavior when running incognito. I can see in Fiddler that the browser is sending a Kerberos ticket with the request, though the account name is not visible within the base64 string.

So where is it getting the name of the admin account, which I am NOT logged in as? And how are the two accounts even connected?

(Interestingly, Firefox DOES prompt for credentials every time, so I am able to enter the correct value.)


Windows Server 2016, IIS 10, .NET 4.7.2. Desktop is Windows 7.

```xml
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
```

Only Windows Authentication is enabled in IIS.

DelphinusC
  • Are you sure Chrome is not running as your admin account (even if you are not logged into Windows with it)? – Gabriel Luci Jul 26 '19 at 16:58
  • @GabrielLuci Chrome is not running as administrator; the option is not checked on the shortcut. Besides, I don't get the UAC escalation prompt when I start it. FWIW, Chrome Sync (the icon in the upper right) is connected to my personal gmail. Also, I don't use IE at all, I only fired it up to check this error – DelphinusC Jul 26 '19 at 17:37
  • It doesn't necessarily need to be running "as administrator" to be running under your admin account credentials. Use Task Manager to check the credentials it's running with, like [this](https://superuser.com/a/893375/233663). (also, Google Sync can still be connected to your personal account regardless of which Windows account is being used) – Gabriel Luci Jul 26 '19 at 17:42
  • @GabrielLuci Nope. The only process running on my desktop as admin is TaskManager. On the server, there are a few processes running as my admin account, but all of them are related to the remote desktop login; w3wp is NOT one of them (it runs under the app pool account). On a fresh server reboot, without remoting into it, I still get the wrong account. (Like you, I think it's more likely a client/browser issue, but I just want to put that out there for completeness.) – DelphinusC Jul 26 '19 at 18:01
  • It's getting it from somewhere. Your accounts aren't "connected". Look for the username anywhere in your code, or look for saved passwords in Chrome. – Gabriel Luci Jul 26 '19 at 18:19
  • @GabrielLuci "somewhere"... yes, that's the issue isn't it? I completely reset settings and cleared all caches on Chrome, same error. IE (which has no saved settings since I hadn't used it before yesterday), same error. Chrome incognito & IE InPrivate, same error. I even just downloaded Opera for the hell of it... same error! – DelphinusC Jul 26 '19 at 18:45
  • Open Command Prompt and type `set username`. What do you see? – Gabriel Luci Jul 26 '19 at 18:53

1 Answer

Credential Manager was the culprit.

Turns out that CM had an entry for every remote drive that I've ever used Explorer to connect to (and yes, I had checked the box to "remember my credentials"). Including the drive on the web server.

All of the browsers (except Firefox) were conflating the username/password used to access a file share on a machine, with the username/password to access the website on the same machine. Once I deleted the CM entry for the web server, it worked.

DelphinusC
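
The check behind this answer, as an added example that is not part of the original post: parse `cmdkey /list` output and pick out the saved credentials whose target is the web server, since those are the entries that can be offered for Windows Authentication instead of the logged-on account. The function name `ConvertFrom-CmdkeyList`, the host `webserver01` and the sample output are constructed for illustration, and the parser assumes English-locale `cmdkey` output.

```powershell
# Added example, not code from the original post.
# Assumptions: English-locale `cmdkey /list` output; host name is a placeholder.

function ConvertFrom-CmdkeyList {
    # Hypothetical helper: turns the text of `cmdkey /list` into objects.
    param([string[]]$CmdkeyOutput)

    $entry = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            # A "Target:" line starts a new entry; emit the one collected so far.
            if ($null -ne $entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        }
        elseif ($null -ne $entry -and $line -match '^\s*Type:\s*(.+)$') { $entry.Type = $Matches[1].Trim() }
        elseif ($null -ne $entry -and $line -match '^\s*User:\s*(.+)$') { $entry.User = $Matches[1].Trim() }
    }
    if ($null -ne $entry) { [pscustomobject]$entry }
}

# Constructed sample of `cmdkey /list` output (not captured from a real machine).
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:target=webserver01',
    '    Type: Domain Password',
    '    User: DOMAIN\admin-user',
    '',
    '    Target: LegacyGeneric:target=git:https://example.invalid',
    '    Type: Generic',
    '    User: someone'
)

$webHost = 'webserver01'   # placeholder: the machine hosting both the share and the site
$lines   = $sample         # on a real workstation use: $lines = cmdkey.exe /list

# Match the bare host name or an FQDN that starts with it.
$pattern = 'target=' + [regex]::Escape($webHost) + '(\.|$)'
$hits = ConvertFrom-CmdkeyList -CmdkeyOutput $lines |
    Where-Object { $_.Target -match $pattern }

$hits | Format-Table Target, Type, User -AutoSize

# After reviewing a hit, remove it by passing the part after "target=" to cmdkey:
#   cmdkey /delete:webserver01
```

Comparing the `User` column of any hit with the output of `set username` shows whether a saved credential differs from the account the desktop session is running as.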