I am trying to configure my ASP.NET application and have come across
something unexpected.
First, I understand that all ASP.NET applications running on a single server
will utilize a single aspnet_wp.exe process. And that this process, by
default, runs under the context of the ASPNET username.
I would rather use a trusted connection to connect to SQL Server to avoid
having to put a username and password in a config file. However, if I use a
trusted connection, all of my databases will have to be configured to use
ASPNET as the user. Is this true.
In another post, I read that the aspnet_wp.exe process would impersonate the
caller? Is this IIS or the ISAPI filter? Is this possible? If so, then it
would be possible to use a trusted connection to SQL and that user would be
the user that is configured to run the IIS application, correct?
Thank you for your help,
Dave 7 1632
Hi Dave, First, I understand that all ASP.NET applications running on a single
server will utilize a single aspnet_wp.exe process. And that this process, by default, runs under the context of the ASPNET username.
No this isn't entirely correct. In Windows 2000 the Application Isolation
determines how many instances of the process are started. If you use the
default of medium there is only a single instance. But if you use High then
each virtual defined as such runs its own process and spans a new instance
of the ASPNet client process.
In Windows 2003 you can set up an Application pool which can be assigned to
a virtual directory and each application pool runs in its own process.
If you have a multi-homed Web server using integrated authentication is
probably a bad idea because you can only have a single user that runs all
these applications as configured in Machine.config's ProcessModel|Username
setting. In Windows 2003 you have more control as you can assign a username
and password for each application pool.
To impersonate the calling user account you can use <identity
impersonate="true"/> in web.config. This would be an anonymous user (IUSR_
most likely) or the user that is authenticated if the page is protected by
file/directory security. This may work well for an extranet internal app,
but is probably a bad choice for public apps...
Hope this helps,
+++ Rick ---
--
Rick Strahl
West Wind Technologies http://www.west-wind.com/ http://www.west-wind.com/wwHelp
----------------------------------
Making waves on the Web
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message
news:e9**************@TK2MSFTNGP12.phx.gbl... I am trying to configure my ASP.NET application and have come across something unexpected.
First, I understand that all ASP.NET applications running on a single
server will utilize a single aspnet_wp.exe process. And that this process, by default, runs under the context of the ASPNET username.
I would rather use a trusted connection to connect to SQL Server to avoid having to put a username and password in a config file. However, if I use
a trusted connection, all of my databases will have to be configured to use ASPNET as the user. Is this true.
In another post, I read that the aspnet_wp.exe process would impersonate
the caller? Is this IIS or the ISAPI filter? Is this possible? If so, then
it would be possible to use a trusted connection to SQL and that user would
be the user that is configured to run the IIS application, correct?
Thank you for your help,
Dave
Hi Dave, First, I understand that all ASP.NET applications running on a single
server will utilize a single aspnet_wp.exe process. And that this process, by default, runs under the context of the ASPNET username.
No this isn't entirely correct. In Windows 2000 the Application Isolation
determines how many instances of the process are started. If you use the
default of medium there is only a single instance. But if you use High then
each virtual defined as such runs its own process and spans a new instance
of the ASPNet client process.
In Windows 2003 you can set up an Application pool which can be assigned to
a virtual directory and each application pool runs in its own process.
If you have a multi-homed Web server using integrated authentication is
probably a bad idea because you can only have a single user that runs all
these applications as configured in Machine.config's ProcessModel|Username
setting. In Windows 2003 you have more control as you can assign a username
and password for each application pool.
To impersonate the calling user account you can use <identity
impersonate="true"/> in web.config. This would be an anonymous user (IUSR_
most likely) or the user that is authenticated if the page is protected by
file/directory security. This may work well for an extranet internal app,
but is probably a bad choice for public apps...
Hope this helps,
+++ Rick ---
--
Rick Strahl
West Wind Technologies http://www.west-wind.com/ http://www.west-wind.com/wwHelp
----------------------------------
Making waves on the Web
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message
news:e9**************@TK2MSFTNGP12.phx.gbl... I am trying to configure my ASP.NET application and have come across something unexpected.
First, I understand that all ASP.NET applications running on a single
server will utilize a single aspnet_wp.exe process. And that this process, by default, runs under the context of the ASPNET username.
I would rather use a trusted connection to connect to SQL Server to avoid having to put a username and password in a config file. However, if I use
a trusted connection, all of my databases will have to be configured to use ASPNET as the user. Is this true.
In another post, I read that the aspnet_wp.exe process would impersonate
the caller? Is this IIS or the ISAPI filter? Is this possible? If so, then
it would be possible to use a trusted connection to SQL and that user would
be the user that is configured to run the IIS application, correct?
Thank you for your help,
Dave
Thanks for the reply. I got it working.
I did not question about application isolation. I was more concerned with
the account that was used to connect to SQL SErver from the aspnet_wp
process. It kept connecting as ASPNET, and I wanted to control it more. I
wanted it to impersonate the user of the IIS application, which is
configurable per app.
Thank You,
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message
news:%2***************@tk2msftngp13.phx.gbl... Application Isolation: Are you talking about Application Protection Settings? Thanks
"Rick Strahl [MVP]" <ri********@hotmail.com> wrote in message news:Og**************@tk2msftngp13.phx.gbl... Hi Dave,
First, I understand that all ASP.NET applications running on a single server will utilize a single aspnet_wp.exe process. And that this process,
by default, runs under the context of the ASPNET username.
No this isn't entirely correct. In Windows 2000 the Application
Isolation determines how many instances of the process are started. If you use the default of medium there is only a single instance. But if you use High then each virtual defined as such runs its own process and spans a new
instance of the ASPNet client process.
In Windows 2003 you can set up an Application pool which can be assigned to a virtual directory and each application pool runs in its own process.
If you have a multi-homed Web server using integrated authentication is probably a bad idea because you can only have a single user that runs
all these applications as configured in Machine.config's
ProcessModel|Username setting. In Windows 2003 you have more control as you can assign a username and password for each application pool.
To impersonate the calling user account you can use <identity impersonate="true"/> in web.config. This would be an anonymous user
(IUSR_ most likely) or the user that is authenticated if the page is protected
by file/directory security. This may work well for an extranet internal
app, but is probably a bad choice for public apps...
Hope this helps,
+++ Rick ---
--
Rick Strahl West Wind Technologies http://www.west-wind.com/ http://www.west-wind.com/wwHelp ---------------------------------- Making waves on the Web
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message news:e9**************@TK2MSFTNGP12.phx.gbl... I am trying to configure my ASP.NET application and have come across something unexpected.
First, I understand that all ASP.NET applications running on a single server will utilize a single aspnet_wp.exe process. And that this process,
by default, runs under the context of the ASPNET username.
I would rather use a trusted connection to connect to SQL Server to avoid having to put a username and password in a config file. However, if I use a trusted connection, all of my databases will have to be configured to use ASPNET as the user. Is this true.
In another post, I read that the aspnet_wp.exe process would
impersonate the caller? Is this IIS or the ISAPI filter? Is this possible? If so, then it would be possible to use a trusted connection to SQL and that user
would be the user that is configured to run the IIS application, correct?
Thank you for your help,
Dave
Thanks for the reply. I got it working.
I did not question about application isolation. I was more concerned with
the account that was used to connect to SQL SErver from the aspnet_wp
process. It kept connecting as ASPNET, and I wanted to control it more. I
wanted it to impersonate the user of the IIS application, which is
configurable per app.
Thank You,
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message
news:%2***************@tk2msftngp13.phx.gbl... Application Isolation: Are you talking about Application Protection Settings? Thanks
"Rick Strahl [MVP]" <ri********@hotmail.com> wrote in message news:Og**************@tk2msftngp13.phx.gbl... Hi Dave,
First, I understand that all ASP.NET applications running on a single server will utilize a single aspnet_wp.exe process. And that this process,
by default, runs under the context of the ASPNET username.
No this isn't entirely correct. In Windows 2000 the Application
Isolation determines how many instances of the process are started. If you use the default of medium there is only a single instance. But if you use High then each virtual defined as such runs its own process and spans a new
instance of the ASPNet client process.
In Windows 2003 you can set up an Application pool which can be assigned to a virtual directory and each application pool runs in its own process.
If you have a multi-homed Web server using integrated authentication is probably a bad idea because you can only have a single user that runs
all these applications as configured in Machine.config's
ProcessModel|Username setting. In Windows 2003 you have more control as you can assign a username and password for each application pool.
To impersonate the calling user account you can use <identity impersonate="true"/> in web.config. This would be an anonymous user
(IUSR_ most likely) or the user that is authenticated if the page is protected
by file/directory security. This may work well for an extranet internal
app, but is probably a bad choice for public apps...
Hope this helps,
+++ Rick ---
--
Rick Strahl West Wind Technologies http://www.west-wind.com/ http://www.west-wind.com/wwHelp ---------------------------------- Making waves on the Web
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message news:e9**************@TK2MSFTNGP12.phx.gbl... I am trying to configure my ASP.NET application and have come across something unexpected.
First, I understand that all ASP.NET applications running on a single server will utilize a single aspnet_wp.exe process. And that this process,
by default, runs under the context of the ASPNET username.
I would rather use a trusted connection to connect to SQL Server to avoid having to put a username and password in a config file. However, if I use a trusted connection, all of my databases will have to be configured to use ASPNET as the user. Is this true.
In another post, I read that the aspnet_wp.exe process would
impersonate the caller? Is this IIS or the ISAPI filter? Is this possible? If so, then it would be possible to use a trusted connection to SQL and that user
would be the user that is configured to run the IIS application, correct?
Thank you for your help,
Dave
The IIS virtual directory uses IUSR_AAA as the logon for anonymous access.
In the web.config file for the asp.net application, I use <identity
impersonate="true"/>. I DO NOT supply a username and password as part of
this. This causes, I think, the aspnet_wp.exe process to impersonate the
calling app which is IIS.
Then I use a trusted connection to connect to the database, which uses the
IIS logon info.
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message
news:uI**************@tk2msftngp13.phx.gbl... How did you get it working. Please share
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message news:%2****************@TK2MSFTNGP09.phx.gbl... Thanks for the reply. I got it working.
I did not question about application isolation. I was more concerned
with the account that was used to connect to SQL SErver from the aspnet_wp process. It kept connecting as ASPNET, and I wanted to control it more. I wanted it to impersonate the user of the IIS application, which is configurable per app.
Thank You,
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message news:%2***************@tk2msftngp13.phx.gbl... Application Isolation: Are you talking about Application Protection Settings? Thanks
"Rick Strahl [MVP]" <ri********@hotmail.com> wrote in message news:Og**************@tk2msftngp13.phx.gbl... > Hi Dave, > > > First, I understand that all ASP.NET applications running on a single > server > > will utilize a single aspnet_wp.exe process. And that this
process, by > > default, runs under the context of the ASPNET username. > > No this isn't entirely correct. In Windows 2000 the Application Isolation > determines how many instances of the process are started. If you use the > default of medium there is only a single instance. But if you use
High then > each virtual defined as such runs its own process and spans a new instance > of the ASPNet client process. > > In Windows 2003 you can set up an Application pool which can be assigned to > a virtual directory and each application pool runs in its own
process. > > If you have a multi-homed Web server using integrated authentication is > probably a bad idea because you can only have a single user that
runs all > these applications as configured in Machine.config's ProcessModel|Username > setting. In Windows 2003 you have more control as you can assign a username > and password for each application pool. > > To impersonate the calling user account you can use <identity > impersonate="true"/> in web.config. This would be an anonymous user (IUSR_ > most likely) or the user that is authenticated if the page is protected by > file/directory security. This may work well for an extranet internal app, > but is probably a bad choice for public apps... > > Hope this helps, > > +++ Rick --- > > > > > > > > -- > > Rick Strahl > West Wind Technologies > http://www.west-wind.com/ > http://www.west-wind.com/wwHelp > ---------------------------------- > Making waves on the Web > > > "Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message > news:e9**************@TK2MSFTNGP12.phx.gbl... > > I am trying to configure my ASP.NET application and have come
across > > something unexpected. > > > > First, I understand that all ASP.NET applications running on a single > server > > will utilize a single aspnet_wp.exe process. And that this
process, by > > default, runs under the context of the ASPNET username. > > > > I would rather use a trusted connection to connect to SQL Server
to avoid > > having to put a username and password in a config file. However,
if I use > a > > trusted connection, all of my databases will have to be configured to use > > ASPNET as the user. Is this true. > > > > In another post, I read that the aspnet_wp.exe process would impersonate > the > > caller? Is this IIS or the ISAPI filter? Is this possible? If
so, then > it > > would be possible to use a trusted connection to SQL and that user
would > be > > the user that is configured to run the IIS application, correct? > > > > Thank you for your help, > > > > Dave > > > > > >
The IIS virtual directory uses IUSR_AAA as the logon for anonymous access.
In the web.config file for the asp.net application, I use <identity
impersonate="true"/>. I DO NOT supply a username and password as part of
this. This causes, I think, the aspnet_wp.exe process to impersonate the
calling app which is IIS.
Then I use a trusted connection to connect to the database, which uses the
IIS logon info.
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message
news:uI**************@tk2msftngp13.phx.gbl... How did you get it working. Please share
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message news:%2****************@TK2MSFTNGP09.phx.gbl... Thanks for the reply. I got it working.
I did not question about application isolation. I was more concerned
with the account that was used to connect to SQL SErver from the aspnet_wp process. It kept connecting as ASPNET, and I wanted to control it more. I wanted it to impersonate the user of the IIS application, which is configurable per app.
Thank You,
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message news:%2***************@tk2msftngp13.phx.gbl... Application Isolation: Are you talking about Application Protection Settings? Thanks
"Rick Strahl [MVP]" <ri********@hotmail.com> wrote in message news:Og**************@tk2msftngp13.phx.gbl... > Hi Dave, > > > First, I understand that all ASP.NET applications running on a single > server > > will utilize a single aspnet_wp.exe process. And that this
process, by > > default, runs under the context of the ASPNET username. > > No this isn't entirely correct. In Windows 2000 the Application Isolation > determines how many instances of the process are started. If you use the > default of medium there is only a single instance. But if you use
High then > each virtual defined as such runs its own process and spans a new instance > of the ASPNet client process. > > In Windows 2003 you can set up an Application pool which can be assigned to > a virtual directory and each application pool runs in its own
process. > > If you have a multi-homed Web server using integrated authentication is > probably a bad idea because you can only have a single user that
runs all > these applications as configured in Machine.config's ProcessModel|Username > setting. In Windows 2003 you have more control as you can assign a username > and password for each application pool. > > To impersonate the calling user account you can use <identity > impersonate="true"/> in web.config. This would be an anonymous user (IUSR_ > most likely) or the user that is authenticated if the page is protected by > file/directory security. This may work well for an extranet internal app, > but is probably a bad choice for public apps... > > Hope this helps, > > +++ Rick --- > > > > > > > > -- > > Rick Strahl > West Wind Technologies > http://www.west-wind.com/ > http://www.west-wind.com/wwHelp > ---------------------------------- > Making waves on the Web > > > "Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message > news:e9**************@TK2MSFTNGP12.phx.gbl... > > I am trying to configure my ASP.NET application and have come
across > > something unexpected. > > > > First, I understand that all ASP.NET applications running on a single > server > > will utilize a single aspnet_wp.exe process. And that this
process, by > > default, runs under the context of the ASPNET username. > > > > I would rather use a trusted connection to connect to SQL Server
to avoid > > having to put a username and password in a config file. However,
if I use > a > > trusted connection, all of my databases will have to be configured to use > > ASPNET as the user. Is this true. > > > > In another post, I read that the aspnet_wp.exe process would impersonate > the > > caller? Is this IIS or the ISAPI filter? Is this possible? If
so, then > it > > would be possible to use a trusted connection to SQL and that user
would > be > > the user that is configured to run the IIS application, correct? > > > > Thank you for your help, > > > > Dave > > > > > >
With Impersonation you get the calling user's security context. This is the
way ASP worked prior to ASP.Net...
So it's IUSR_ when not logged in or whatever accuont when you are via file
permissions.
+++ Rick ---
--
Rick Strahl
West Wind Technologies http://www.west-wind.com/ http://www.west-wind.com/wwHelp
----------------------------------
Making waves on the Web
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message
news:u3**************@TK2MSFTNGP09.phx.gbl... The IIS virtual directory uses IUSR_AAA as the logon for anonymous access.
In the web.config file for the asp.net application, I use <identity impersonate="true"/>. I DO NOT supply a username and password as part of this. This causes, I think, the aspnet_wp.exe process to impersonate the calling app which is IIS.
Then I use a trusted connection to connect to the database, which uses the IIS logon info.
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message news:uI**************@tk2msftngp13.phx.gbl... How did you get it working. Please share
"Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message news:%2****************@TK2MSFTNGP09.phx.gbl... Thanks for the reply. I got it working.
I did not question about application isolation. I was more concerned with the account that was used to connect to SQL SErver from the aspnet_wp process. It kept connecting as ASPNET, and I wanted to control it
more. I wanted it to impersonate the user of the IIS application, which is configurable per app.
Thank You,
Dave
"MS News (MS ILM)" <sq**********@hotmail.com> wrote in message news:%2***************@tk2msftngp13.phx.gbl... > Application Isolation: Are you talking about Application Protection > Settings? > Thanks > > "Rick Strahl [MVP]" <ri********@hotmail.com> wrote in message > news:Og**************@tk2msftngp13.phx.gbl... > > Hi Dave, > > > > > First, I understand that all ASP.NET applications running on a single > > server > > > will utilize a single aspnet_wp.exe process. And that this process, by > > > default, runs under the context of the ASPNET username. > > > > No this isn't entirely correct. In Windows 2000 the Application Isolation > > determines how many instances of the process are started. If you
use the > > default of medium there is only a single instance. But if you use High > then > > each virtual defined as such runs its own process and spans a new instance > > of the ASPNet client process. > > > > In Windows 2003 you can set up an Application pool which can be assigned > to > > a virtual directory and each application pool runs in its own process. > > > > If you have a multi-homed Web server using integrated
authentication is > > probably a bad idea because you can only have a single user that runs all > > these applications as configured in Machine.config's ProcessModel|Username > > setting. In Windows 2003 you have more control as you can assign a > username > > and password for each application pool. > > > > To impersonate the calling user account you can use <identity > > impersonate="true"/> in web.config. This would be an anonymous
user (IUSR_ > > most likely) or the user that is authenticated if the page is protected by > > file/directory security. This may work well for an extranet
internal app, > > but is probably a bad choice for public apps... > > > > Hope this helps, > > > > +++ Rick --- > > > > > > > > > > > > > > > > -- > > > > Rick Strahl > > West Wind Technologies > > http://www.west-wind.com/ > > http://www.west-wind.com/wwHelp > > ---------------------------------- > > Making waves on the Web > > > > > > "Dave Mehrtens" <dm*******@rightreasontech.com> wrote in message > > news:e9**************@TK2MSFTNGP12.phx.gbl... > > > I am trying to configure my ASP.NET application and have come
across > > > something unexpected. > > > > > > First, I understand that all ASP.NET applications running on a single > > server > > > will utilize a single aspnet_wp.exe process. And that this process, by > > > default, runs under the context of the ASPNET username. > > > > > > I would rather use a trusted connection to connect to SQL Server to > avoid > > > having to put a username and password in a config file.
However, if I > use > > a > > > trusted connection, all of my databases will have to be
configured to > use > > > ASPNET as the user. Is this true. > > > > > > In another post, I read that the aspnet_wp.exe process would impersonate > > the > > > caller? Is this IIS or the ISAPI filter? Is this possible? If so, > then > > it > > > would be possible to use a trusted connection to SQL and that
user would > > be > > > the user that is configured to run the IIS application, correct? > > > > > > Thank you for your help, > > > > > > Dave > > > > > > > > > > > >
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Mark |
last post by:
Hi...
We're looking at moving an ASP app from IIS 5 to IIS 6. In general things
seem to be working okay, but there are some oddities around the edges. One
of those unanticipated changes has to...
|
by: Bucky Pollard |
last post by:
I have a web service that needs to create a batch file and call it (since
there are no APIs for the functionality I am looking for). I am using the
Process and ProcessStartInfo objects. When I try...
|
by: Dave Mehrtens |
last post by:
I am trying to configure my ASP.NET application and have come across
something unexpected.
First, I understand that all ASP.NET applications running on a single server
will utilize a single...
|
by: Abhishek Srivastava |
last post by:
Hello All,
In IIS 6.0 We have a concept of worker processes and application pools.
As I understand it, we can have multiple worker process per appliction
pool. Each worker process is dedicated...
|
by: Danny Miller |
last post by:
Hi there,
I've got a web app that uses impersonation and makes calls to a SQL Server
backend. I'd like to be able to automate the setting of database security for
the web app upon deployment....
|
by: J-T |
last post by:
I guess I'm a litte bit confused about app pool and worker process.
In IIS 6.0 We have a concept of worker processes and application pools. As I
understand it, we can have multiple worker process...
|
by: Gregory Gadow |
last post by:
Still working on this project.
What I have working: I have a service that uses FileSystemWatcher on an
"in box" folder. When a text file appears in the in-box, it copies the
file to a work...
|
by: Patrick |
last post by:
I have an ASP.NET web service whose Web.Config is set to use impersonation
<authentication mode="Windows" />
<identity impersonate="true" />
Within a Web Method, I want to use...
|
by: nicerun |
last post by:
I'm using the Application_Start event at Global.asax.cs to invoke
thread that do some job.
I know that Application_Start event occurs when the very first request
to Web Application received.
-...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
| |