Understanding impersonation rights

I have an ASP.NET web application using Windows authentication and impersonation. Here is the relevant part of web.config:

 <authentication mode="Windows"/>
 <identity impersonate="true"/>

The application code then accesses a file (XDocument.Load) that the authenticated user has access to. This worked perfectly fine until we started getting the following exception instead:

 System.UnauthorizedAccessException: Access to the path '...' is denied.

(Obviously, the administrator tells me that "nothing has changed on the server.")

I was able to “fix” the problem by granting the application pool identity rights to the file. However, I do not understand why this fixed the problem.

My question is: if impersonation is used, why does the application pool identity need access to the files being used? Do both the user's account and the application pool identity need access, or just the application pool identity? If the latter, what is the point of impersonation?

+5
1 answer

The website accesses the disk through the w3wp.exe worker process, which is essentially the application pool. The identity set for this application pool (for example, IIS AppPool\Site001) is used for some disk access.

When using Windows authentication, the application pool identity (for example, IIS AppPool\Site001) is used for some access, but the Windows account (for example, User1) is used for other access. It depends on the configuration of your application or the framework you are using. Therefore, you usually need to grant access to the application pool identity as well as to each Windows account (for example, User1, User2, User99) that needs access to your site.

Here are some quotes from an article by Scott Forsyth. If I understand you correctly, this article should help.

+1
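As an added diagnostic (not code from the question or the answer above), this ASP.NET handler shows the answer's point in practice: it reads the same file once under the impersonated request identity and once under the reverted process (application pool) identity, so you can see which token is the one being denied. The file path and the class name are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added diagnostic handler (not from the original post). Drop it into an
// ASP.NET site configured with <authentication mode="Windows"/> and
// <identity impersonate="true"/>; the probe path below is a constructed example.
public class IdentityProbeHandler : IHttpHandler
{
    // Assumed sample path; replace with the file XDocument.Load is reading.
    private const string ProbePath = @"C:\inetpub\data\settings.xml";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // With impersonate="true" the request thread carries the caller's token,
        // so GetCurrent() reports the authenticated Windows user (e.g. DOMAIN\User1).
        string threadIdentity = WindowsIdentity.GetCurrent().Name;
        context.Response.Write("Request thread identity    : " + threadIdentity + "\r\n");
        context.Response.Write("Read as that user          : " + TryRead(ProbePath) + "\r\n");

        // Impersonate(IntPtr.Zero) reverts the thread to the process token, i.e. the
        // application pool identity (e.g. IIS AppPool\Site001) that w3wp.exe runs as.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            string processIdentity = WindowsIdentity.GetCurrent().Name;
            context.Response.Write("Process (app pool) identity: " + processIdentity + "\r\n");
            context.Response.Write("Read as app pool           : " + TryRead(ProbePath) + "\r\n");
        }
    }

    // Opens the file under whatever token the thread currently holds and reports
    // the outcome instead of throwing, so both probes always run.
    private static string TryRead(string path)
    {
        try
        {
            using (FileStream fs = File.OpenRead(path)) { return "OK (" + fs.Length + " bytes)"; }
        }
        catch (UnauthorizedAccessException) { return "DENIED (UnauthorizedAccessException)"; }
        catch (IOException ex) { return "IO error: " + ex.Message; }
    }
}
```

Save it as IdentityProbe.ashx with a `<%@ WebHandler Language="C#" Class="IdentityProbeHandler" %>` directive at the top and request it from a browser; the response lists both identities and the result of the read under each.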

Source: https://habr.com/ru/post/1257394/
