5

I'm using the following code to authenticate via Kerberos.

```csharp
using System;
using System.Security.Principal;

IntPtr logonToken = WindowsIdentity.GetCurrent().Token;
string authenticationType = "WindowsAuthentication";
WindowsIdentity windowsIdentity = new WindowsIdentity(logonToken, authenticationType);

// windowsIdentity.Name equals "IIS APPPOOL\Classic .NET AppPool" when I want it to be the user
```

This only happens when I try to run my .NET application on the web server. If I run the code locally on my machine for debugging, it shows my userid in the Name property. Any suggestions on how to get this working on a web server?

Eric

2 Answers

3

You need to enable impersonation in web.config:

To configure ASP.NET to impersonate the Windows identity supplied by IIS as the WindowsIdentity for the ASP.NET application, edit the Web.config file for the application and set the impersonate attribute of the identity configuration element to true, as shown in the following example.

```xml
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>
```

When you run the code locally for debugging you're probably using the web dev server that runs as your logged-in user, which is why you'll see the correct user in debug.

Rup
  • Thanks again. Is there anything else I need to change in my code or on IIS for this to work? The user now shows up as: "NT AUTHORITY\IUSR" – Eric May 19 '11 at 16:18
  • Oops, sorry. I haven't done this for a while - I'll skim my old project code to see if I can spot anything else. The MSDN page says it's [HttpContext.User](http://msdn.microsoft.com/en-us/library/system.web.httpcontext.user.aspx) that it changes, though. – Rup May 19 '11 at 16:29
  • Okay. Whenever you get a chance that would be greatly appreciated. Thanks! – Eric May 19 '11 at 17:05
  • Your comment on using `HttpContext.User` is better, but still not quite correct as `HttpContext` can be `null` in certain cases. You should edit this answer (as impersonation won't change `WindowsIdentity.GetCurrent()`). – Lex Li Feb 25 '20 at 13:48
  • @LexLi Yes, you're right, impersonation isn't needed here. I'm not sure what the certain cases are when HttpContext can be null though, so feel free to post your own answer. – Rup Feb 25 '20 at 16:03
1

Your problem is, your IIS server runs under its own identity, not yours. Therefore, WindowsIdentity.GetCurrent().Token returns IIS work process' identity.

You can configure your website to run under a different identity (including yours) using the IIS Manager console.

Zruty
  • Thanks. But how do I make it so that it recognizes the person who is hitting the site? I don't want to associate it with just one person, it should be associated with whoever the user is. At least that's what my ultimate goal is. – Eric May 19 '11 at 16:04
  • Then you need to read up on the Windows Authentication provider: http://msdn.microsoft.com/en-us/library/907hb5w9.aspx Your approach is NOT for users; `WindowsIdentity.GetCurrent()` is the running **process** identity – Zruty May 19 '11 at 16:39
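
Added example (not code from any poster in this thread): a hypothetical helper that reads the caller's identity from the request instead of from `WindowsIdentity.GetCurrent()`, and handles the null `HttpContext` and anonymous (`NT AUTHORITY\IUSR`) cases raised in the comments. It assumes classic ASP.NET (`System.Web`) with `<authentication mode="Windows" />` and with Anonymous Authentication disabled for the site in IIS; the class and method names are made up for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical helper: the name and shape are assumptions, not from the thread.
public static class CallerIdentity
{
    // Returns the authenticated caller's account name (DOMAIN\user), or null
    // when there is no request context or the request was not authenticated
    // with Windows credentials.
    public static string GetCallerName()
    {
        // HttpContext.Current is null on threads that are not serving a
        // request (background work, timers), so check before dereferencing.
        HttpContext context = HttpContext.Current;
        if (context == null || context.User == null)
            return null;

        // With Windows Authentication the principal wraps a WindowsIdentity;
        // with Forms or other schemes this cast yields null.
        var caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            return null; // anonymous access is still allowed for the site

        return caller.Name;
    }

    // The account the code is executing as: the application pool identity,
    // or the impersonated account when <identity impersonate="true" /> is set.
    // This is what the question's code was reading.
    public static string GetExecutionName()
    {
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            return current.Name;
        }
    }
}
```

Treat a `null` from `GetCallerName()` as "no authenticated user" and deny access; do not fall back to `GetExecutionName()`, which names the service account rather than the person making the request.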