ASP.NET worker process context and SQL authentication

I am trying to configure my ASP.NET application and have come across
something unexpected.

First, I understand that all ASP.NET applications running on a single server
will utilize a single aspnet_wp.exe process. And that this process, by
default, runs under the context of the ASPNET username.

I would rather use a trusted connection to connect to SQL Server to avoid
having to put a username and password in a config file. However, if I use a
trusted connection, all of my databases will have to be configured to use
ASPNET as the user. Is this true?

In another post, I read that the aspnet_wp.exe process would impersonate the
caller? Is this IIS or the ISAPI filter? Is this possible? If so, then it
would be possible to use a trusted connection to SQL and that user would be
the user that is configured to run the IIS application, correct?

Thank you for your help,

Dave
Nov 17 '05 #1
Hi Dave,

> First, I understand that all ASP.NET applications running on a single server will utilize a single aspnet_wp.exe process. And that this process, by
> default, runs under the context of the ASPNET username.

No, this isn't entirely correct. In Windows 2000 the Application Isolation
determines how many instances of the process are started. If you use the
default of medium there is only a single instance. But if you use High then
each virtual defined as such runs its own process and spawns a new instance
of the ASPNet client process.

In Windows 2003 you can set up an Application pool which can be assigned to
a virtual directory and each application pool runs in its own process.

If you have a multi-homed Web server, using integrated authentication is
probably a bad idea because you can only have a single user that runs all
these applications as configured in Machine.config's ProcessModel|Username
setting. In Windows 2003 you have more control as you can assign a username
and password for each application pool.

To impersonate the calling user account you can use <identity
impersonate="true"/> in web.config. This would be an anonymous user (IUSR_
most likely) or the user that is authenticated if the page is protected by
file/directory security. This may work well for an extranet internal app,
but is probably a bad choice for public apps...

Hope this helps,

+++ Rick ---



--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/wwHelp
----------------------------------
Making waves on the Web
Nov 17 '05 #2
Thanks for the reply. I got it working.

I did not question about application isolation. I was more concerned with
the account that was used to connect to SQL Server from the aspnet_wp
process. It kept connecting as ASPNET, and I wanted to control it more. I
wanted it to impersonate the user of the IIS application, which is
configurable per app.

Thank You,

Dave

"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message
news:%2***************@tk2msftngp13.phx.gbl...
> Application Isolation: Are you talking about Application Protection
> Settings?
> Thanks

Nov 17 '05 #4
The IIS virtual directory uses IUSR_AAA as the logon for anonymous access.

In the web.config file for the asp.net application, I use <identity
impersonate="true"/>. I DO NOT supply a username and password as part of
this. This causes, I think, the aspnet_wp.exe process to impersonate the
calling app which is IIS.

Then I use a trusted connection to connect to the database, which uses the
IIS logon info.

Dave


"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message
news:uI**************@tk2msftngp13.phx.gbl...
> How did you get it working. Please share
Nov 17 '05 #6

With Impersonation you get the calling user's security context. This is the
way ASP worked prior to ASP.Net...

So it's IUSR_ when not logged in or whatever account when you are via file
permissions.

+++ Rick ---

--

Rick Strahl
West Wind Technologies
http://www.west-wind.com/
http://www.west-wind.com/wwHelp
----------------------------------
Making waves on the Web
Nov 17 '05 #8
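
The setup described in this thread, as an added example that is not part of the original posts: a diagnostic code-behind page that reports which Windows account the request runs as and which login SQL Server sees over the trusted connection. The class name `WhoAmIPage`, the server `(local)` and the database `AppDb` are assumptions.

```csharp
// web.config setting this page relies on (from the thread):
//   <system.web>
//     <identity impersonate="true" />   <!-- no userName/password attributes -->
//   </system.web>
// Assumption: the IIS anonymous account for the virtual directory
// (IUSR_AAA in the thread) has been granted a login in SQL Server,
// and SQL Server runs on the same machine as IIS.

using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.UI;

public class WhoAmIPage : Page   // hypothetical name, wired via AutoEventWireup
{
    // Trusted connection: no user id or password is stored anywhere.
    // Server and database names are placeholders.
    private const string ConnectionString =
        "Server=(local);Database=AppDb;Integrated Security=SSPI;";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Windows account of the thread serving this request.
        // Without impersonation this is the worker process account (ASPNET);
        // with impersonate="true" it is the IIS anonymous account or the
        // authenticated caller.
        string threadIdentity = WindowsIdentity.GetCurrent().Name;

        // Account IIS authenticated for this request; empty for anonymous access.
        string iisLogonUser = Request.ServerVariables["LOGON_USER"];

        // Login name as SQL Server itself sees it on this connection.
        string sqlLogin;
        try
        {
            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                sqlLogin = Convert.ToString(cmd.ExecuteScalar());
            }
        }
        catch (SqlException ex)
        {
            // A failed login here means the impersonated account has not
            // been granted access in SQL Server. Report only the error number.
            sqlLogin = "connection failed (SQL error " + ex.Number + ")";
        }

        Response.ContentType = "text/plain";
        Response.Write("Thread identity : " + threadIdentity + "\r\n");
        Response.Write("IIS LOGON_USER  : " + iisLogonUser + "\r\n");
        Response.Write("SQL Server login: " + sqlLogin + "\r\n");
    }
}
```

If the thread identity and the SQL Server login both show the per-application IIS account rather than ASPNET, impersonation is in effect and database permissions can be scoped to that one account. Remove the page after checking, since it discloses account names.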
