Windows Server + IIS 7: Setting Up Identity Impersonation (ASP.NET Impersonation)

Source: Internet
Author: User

IIS 7 has changed significantly compared to IIS 6, and settings that worked under IIS 6 do not necessarily carry over to IIS 7. Impersonation configuration in particular is very different between IIS 7 and IIS 6. There are many articles online about impersonation in IIS 6 but few that cover IIS 7, so I am writing down some of my experience in this blog for reference.

IIS 7 has two ASP.NET application modes.

One is Integrated mode, which is the default and the mode Microsoft recommends; the other is Classic mode, which exists for compatibility with older versions. Integrated mode is more convenient and more secure, because the user name and password of the impersonated account do not have to be written in the configuration file. Since we are using IIS 7, it is better to use Integrated mode, as Microsoft recommends.

In Integrated mode, impersonation can be configured entirely through the user interface:

First, as shown, IIS 7 has an IIS -> Authentication icon at the server level. Double-click the icon to see the following screen:

On this screen, IIS 7 lists an ASP.NET Impersonation feature. In the Actions pane, click Enable to turn impersonation on, then click Edit to edit the impersonation settings.

In the edit dialog that appears, specify the account to impersonate. This account must be a local account. Click Set and enter the name and password of this account.

Then click OK.

According to the MSDN help documentation, impersonation should now be set up successfully.

I then made a simple test page to see whether impersonation was working. The test program is as follows:

protected void Page_Load(object sender, EventArgs e)
{
    // Print the Windows account the request is currently running as.
    Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name);
}

The result is actually:

NT AUTHORITY\IUSR

This means that ASP.NET is not running as the MyAccount account that I set up, but is still impersonating the IUSR account. After searching for a long time, I found that it was caused by the following:

When you create a website with Visual Studio 2008, the Web.config file contains a default setting:

<identity impersonate="true"/>

This setting configures impersonation for IIS 6. With it, authentication of the user is delegated to IIS. When anonymous logons are allowed, IIS passes an anonymous logon identity (IUSR by default) to ASP.NET. When anonymous logons are not allowed, IIS passes the authenticated identity to ASP.NET. The specific access rights of ASP.NET are then determined by that account's permissions.

This setting is obsolete under IIS 7; it is required only if you are using Classic mode.

After finding the cause of the problem, I removed the <identity impersonate="true"/> configuration item from Web.config. Once it is deleted, the account configured earlier in the interface is used for impersonation.

But don't celebrate too early, because a new problem then appears. The error is as follows:

Could not load file or assembly 'xxxx' or one of its dependencies. Access is denied.
Description: An unhandled exception occurred during the execution of the current Web request. Review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.IO.FileLoadException: Could not load file or assembly 'getpathfilelib' or one of its dependencies. Access is denied.
Source Error:

Judging from the error, it appears that the impersonated account does not have sufficient permissions to execute xxxx.dll in the bin directory, so I gave the MyAccount account Full Control permissions on the bin directory. It still did not work. I searched the Internet, and some people said that the C:\WINDOWS\Microsoft.net\framework\v2.0.50727\temporary directory also needs to be set to Full Control. I did that, and it still did not work. In the end, I added the MyAccount account to the IIS_IUSRS group, and the problem was finally solved.

Now running the earlier code that displays the current user shows the result:

MachineName\MyAccount

Note: The <identity impersonate="true"/> element must be deleted. If it is only changed to <identity impersonate="false"/>, the impersonated account becomes IIS APPPOOL\DefaultAppPool, which is not the correct setting.

At this point, setting up impersonation in IIS 7 is complete.
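
A fuller version of the test page, as an added example that is not part of the original post: it reports the effective identity, whether the request thread is impersonating, the worker process identity underneath, and whether the effective account's token carries IIS_IUSRS membership. The class name ImpersonationCheck is hypothetical; S-1-5-32-568 is the well-known SID of the built-in IIS_IUSRS group.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Added diagnostic code-behind; the class name ImpersonationCheck is hypothetical.
public partial class ImpersonationCheck : Page
{
    // Well-known SID of the built-in IIS_IUSRS group.
    private static readonly SecurityIdentifier IisIusrs =
        new SecurityIdentifier("S-1-5-32-568");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Identity the request thread runs as right now
        // (the impersonated account when impersonation is in effect).
        WindowsIdentity effective = WindowsIdentity.GetCurrent();

        // Non-null only when the thread carries an impersonation token.
        WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true);

        // Temporarily revert to the process token to read the identity
        // of the worker process (the application pool account).
        string processName;
        using (WindowsImpersonationContext ctx =
                   WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            processName = WindowsIdentity.GetCurrent().Name;
        } // Dispose() restores the impersonation token.

        // Check group membership from the token, not from the directory.
        bool inIisIusrs = new WindowsPrincipal(effective).IsInRole(IisIusrs);

        WriteLine("Effective identity", effective.Name);
        WriteLine("Impersonating", (threadToken != null).ToString());
        WriteLine("Worker process identity", processName);
        WriteLine("Member of IIS_IUSRS", inIisIusrs.ToString());
    }

    private void WriteLine(string label, string value)
    {
        // Account names are data, not markup, so encode before writing.
        Response.Write(HttpUtility.HtmlEncode(label + ": " + value) + "<br/>");
    }
}
```

Remove the page once the check is done, since it discloses account names to anyone who can request it.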
