Windows Server 2008 + IIS 7: Configuring Identity Impersonation (ASP.NET Impersonation)


Author: eaglet

Please credit the source when reprinting.

IIS 7 has changed a lot compared to IIS 6, and settings that worked under IIS 6 may behave differently under IIS 7. Impersonation configuration is one area where the two differ considerably. There are many articles online about impersonation under IIS 6 but few about IIS 7, so I am writing down some of my experience in this post for reference.

IIS 7 has two ASP.NET application modes.

One is Integrated mode, which is the default and is recommended by Microsoft; the other is Classic mode, which exists for compatibility with older versions. Integrated mode is easier to use and more secure: it is safer and more convenient not to have to write the user name and password of the impersonated account in the configuration file. Since we are using IIS 7 anyway, it is better to use Integrated mode, as Microsoft recommends.

In Integrated mode, impersonation can be configured entirely through the management interface:

First, at the server level, IIS 7 has an Authentication icon in the IIS group. Double-click this icon to open the Authentication page.

This page lists an ASP.NET Impersonation feature. Click Enable in the Actions pane to turn impersonation on, and then click Edit to change the impersonation settings.

In the edit dialog we specify the account to impersonate. This must be an account that already exists locally. Click Set and enter the account name and password.

Then click OK.

At this point, according to the MSDN help documentation, impersonation should be set up successfully.

I then made a simple test page to see whether impersonation was working. The test code is as follows:

    protected void Page_Load(object sender, EventArgs e)
    {
        // Write the name of the Windows account the request is running as.
        Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    }

The result was:

NT AUTHORITY\IUSR

In other words, ASP.NET did not run under the MyAccount account that I had configured for impersonation, but still ran as the IUSR account. After a long search, I found that the problem was caused by the following:

When you create a web site with Visual Studio 2008, the Web.config file contains a default setting:

<identity impersonate="true"/>

This is the setting that enables impersonation under IIS 6. With it, authentication of the user is handed over to IIS. When anonymous logons are allowed, IIS passes the anonymous identity (by default, IUSR) to the ASP.NET application. When anonymous logons are not allowed, IIS passes the authenticated identity to the ASP.NET application. ASP.NET's actual access rights are determined by the permissions of that account.

This setting is obsolete under IIS 7; it is required in Classic mode.

After I found the cause of the problem, I removed the <identity impersonate="true"/> item from web.config. Once it is deleted, the account configured in the interface earlier is used for impersonation.

But don't celebrate too early: a new problem then appeared. The error was as follows:

Could not load file or assembly 'xxxx' or one of its dependencies. Access is denied.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.IO.FileLoadException: Could not load file or assembly 'getpathfilelib' or one of its dependencies. Access is denied.
Source Error:

Judging from the error message, the impersonated account did not have sufficient permission to execute xxxx.dll in the bin directory, so I gave MyAccount Full control of the bin directory. That still did not work. I searched the internet, and some people said that the C:\WINDOWS\Microsoft.net\framework\v2.0.50727\temporary directory also needs to be set to Full control. I did that as well, and it still did not work. In the end I added the MyAccount account to the IIS_IUSRS group, and the problem was finally resolved.

Running the code above that displays the current user now gives:

Machinename\myaccout
Note: the <identity impersonate="true"/> element has to be deleted. If it is only changed to <identity impersonate="false"/>, the impersonated account becomes IIS Apppool\defaultapppool, and this setting is incorrect.

This completes the impersonation setup for IIS 7.
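
Both problems described above (an identity element in web.config taking effect instead of the configured account, and the account not being in IIS_IUSRS) can be checked from a fuller version of the test page. This is an added example, not code from the original post; the class name IdentityCheck and its matching .aspx page are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;

// Added diagnostic code-behind. IdentityCheck is a hypothetical name; it
// assumes an IdentityCheck.aspx page that inherits from this class.
public partial class IdentityCheck : System.Web.UI.Page
{
    // Well-known SID of the local BUILTIN\IIS_IUSRS group.
    private static readonly SecurityIdentifier IisIusrs =
        new SecurityIdentifier("S-1-5-32-568");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Identity the request runs as (the thread token when impersonating).
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        // Non-null only when the thread is actually impersonating.
        WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true);

        Line("Running as", current.Name);
        Line("Impersonating", (threadToken != null).ToString());
        Line("Member of IIS_IUSRS",
             new WindowsPrincipal(current).IsInRole(IisIusrs).ToString());

        // Effective <identity> element after all configuration files are
        // merged, and the file and line it was read from.
        IdentitySection id = (IdentitySection)
            WebConfigurationManager.GetSection("system.web/identity");
        Line("identity impersonate", id.Impersonate.ToString());
        Line("identity userName set",
             (!String.IsNullOrEmpty(id.UserName)).ToString());
        Line("Defined in",
             id.ElementInformation.Source ?? "(not declared, default value)");
        Line("At line", id.ElementInformation.LineNumber.ToString());
    }

    private void Line(string label, string value)
    {
        // HTML-encode before writing; the password attribute is never read.
        Response.Write(HttpUtility.HtmlEncode(label + ": " + value) + "<br/>");
    }
}
```

Remove the page once testing is finished, since it discloses account names and configuration file paths.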
