I'm developing a web app that performs Active Directory updates using LDAP. When I host the app on IIS 7, I get an "Access is denied" error at the statement directoryEntry.CommitChanges();

Then I found out that the application pool is using the identity "IIS APPPOOL\ASP.NET v4.0" to perform the update.

I need the Windows account of the user who is using the web application to be the identity of the application pool.

I have done the following:

  1. Added <authentication mode="Windows"> in web.config
  2. Disabled anonymous authentication in IIS
  3. Selected the built-in account "ApplicationPoolIdentity" as the application pool's identity

But I still haven't got it to work.

2 Answers

The concept you are looking for is called Impersonation. From the documentation:

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
  2. In Features View, double-click Authentication.
  3. On the Authentication page, select ASP.NET Impersonation.
  4. In the Actions pane, click Enable to use ASP.NET Impersonation authentication with the default settings.
  5. Optionally, in the Actions pane, click Edit to set the security principal.
  6. In the Edit ASP.NET Impersonation Settings dialog box, select either Specific user or Authenticated user. Whichever you decide, IIS uses this identity for the security context of the ASP.NET application. By default, IIS 7 is set to impersonate the authenticated user.
  7. Click OK to finish or proceed to the next optional steps to change the identity to impersonate.
  8. Optionally, click Set to change the Specific user identity.
  9. In the Set Credentials dialog box, enter the name of an existing user account in User name, the password associated with that user account in Password, and then the exact same value in Confirm password for a new account IIS should use for anonymous access.
  10. Click OK to close the Set Credentials dialog box.
  11. Click OK to close the Edit ASP.NET Impersonation Settings dialog box.

In my case, with this configuration it logs in with the Active Directory account, and the result of System.Security.Principal.WindowsIdentity.GetCurrent().Name is the authenticated session.

<identity impersonate="true"/>
<authentication mode="Windows">
  <forms name="Login" loginUrl="Login.aspx" path="/" timeout="10"/>
</authentication>
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
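Added example, not code from the question or either answer: instead of turning on impersonation for the whole application with <identity impersonate="true"/>, the caller's token is applied only around the AD write, so the rest of the request keeps running as the app pool identity. It assumes Windows authentication is enabled and anonymous authentication is disabled (as in the question); ldapPath, attribute and value are placeholders supplied by the caller.

```csharp
// Added example (not from the page): scope impersonation to the AD write only.
// Assumes Windows auth is on and anonymous auth is off, so
// HttpContext.Current.User.Identity is the caller's WindowsIdentity.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Web;

public static class ScopedAdUpdate
{
    // Identity a DirectoryEntry call would run as at this point in the request.
    public static string CurrentIdentityName()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // ldapPath, attribute and value are placeholders chosen by the caller.
    public static void UpdateAsCaller(string ldapPath, string attribute, string value)
    {
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            // Refuse rather than silently writing as the app pool account.
            throw new InvalidOperationException(
                "Request is not Windows-authenticated; not falling back to the app pool identity.");
        }

        // Outside the using block the thread runs as the app pool identity
        // (e.g. IIS APPPOOL\ASP.NET v4.0); inside it runs as the caller.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Null username/password with AuthenticationTypes.Secure binds with the
            // thread's current Windows token, i.e. the impersonated caller.
            using (var entry = new DirectoryEntry(ldapPath, null, null, AuthenticationTypes.Secure))
            {
                entry.Properties[attribute].Value = value;
                entry.CommitChanges(); // the statement that raised "Access is denied"
            }
        } // Dispose() calls ctx.Undo(), reverting to the app pool identity
    }
}
```

If the browser authenticated to IIS with NTLM rather than Kerberos, the impersonated token cannot be forwarded on a second network hop to the domain controller, so the LDAP bind still fails; that case needs Kerberos with delegation configured for the web server's account.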