IUSR_machinename vs ASPNET

Hello all,

I am trying to ascertain the difference, in terms of access and
privileges, between the Internet Guest User Account (IUSR_machinename,
where machinename is the name of your computer) vs. the ASPNET user
(ASP.NET machine account).

If you write a web application, you can configure it via its
web.config file. One of the things you can do is set the impersonate
attribute in the <identity> tag. If you set it (impersonate) to true,
and you additionally qualify the username and password attributes, the
visiting user can impersonate that specific account.

However, if you don't qualify username/password, but still set
impersonate = true, I understand that it defaults to impersonating
IUSR_machinename.

Finally, if you set impersonate=false, the user's scope defaults to
that of ASPNET.

The default settings on my machine are that IUSR_machinename is part
of the Guests group, and ASPNET is part of the Users group. But,
according to the description, these two groups have the same
privileges.

So then, what is the difference between setting the visiting user as
IUSR_machinename vs setting him/her as ASPNET ??

I have done a lot of reading on this, but the answer eludes me.

Any help appreciated.

regards,
Andrew J Fortune,
Melbourne,
Australia
Jul 21 '05 #1
Andrew,

Did you know that there is a newsgroup

microsoft.public.dotnet.framework.aspnet

You will probably get a quicker answer there,

Cor

Jul 21 '05 #2
On 19 Sep 2004 19:07:01 -0700, ma*****@ains.net.au (Andrew J Fortune) wrote:

> Hello all,
>
> I am trying to ascertain the difference, in terms of access and
> privileges, between the Internet Guest User Account (IUSR_machinename,
> where machinename is the name of your computer) vs. the ASPNET user
> (ASP.NET machine account).
>
> If you write a web application, you can configure it via its
> web.config file. One of the things you can do is set the impersonate
> attribute in the <identity> tag. If you set it (impersonate) to true,
> and you additionally qualify the username and password attributes, the
> visiting user can impersonate that specific account.
>
> However, if you don't qualify username/password, but still set
> impersonate = true, I understand that it defaults to impersonating
> IUSR_machinename.
>
> Finally, if you set impersonate=false, the user's scope defaults to
> that of ASPNET.
>
> The default settings on my machine are that IUSR_machinename is part
> of the Guests group, and ASPNET is part of the Users group. But,
> according to the description, these two groups have the same
> privileges.
>
> So then, what is the difference between setting the visiting user as
> IUSR_machinename vs setting him/her as ASPNET ??
>
> I have done a lot of reading on this, but the answer eludes me.


They're both restricted accounts but there are a few differences. ASPNET (or Network Service in
Server 2003) is simply the "catch-all" account when impersonation is not implemented for any of the
IIS security mechanisms. I believe that the ASPNET account has some privileges beyond group level.

Process and request identity in ASP.NET
http://support.microsoft.com/default...b;en-us;317012

In any event, ASPNET was added when impersonation was turned off by default for the move from ASP to
ASP.NET. The IUSR accounts are specific to Anonymous (no) authentication.

To answer your question though, using impersonation when implementing Anonymous authentication
probably doesn't make much sense under most circumstances. Typically you only enable impersonation
under Basic, Integrated NT, etc. when you want to identify the true authenticated user account.
Paul ~~~ pc******@ameritech.net
Microsoft MVP (Visual Basic)
Jul 21 '05 #3
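
The identity rules discussed in this thread, as an added example that is not part of the original posts: a small Python resolver that reads the `<identity>` element of a web.config and reports which Windows account request code runs as. The function name, its parameters and the sample configs (including the `WEB01\svc_app` account) are constructed for illustration; it assumes the IIS anonymous account is the default `IUSR_machinename`.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the thread).
CFG_NO_IDENTITY = "<configuration><system.web/></configuration>"
CFG_IMPERSONATE = ('<configuration><system.web>'
                   '<identity impersonate="true"/>'
                   '</system.web></configuration>')
CFG_FIXED = ('<configuration><system.web>'
             '<identity impersonate="True" userName="WEB01\\svc_app" '
             'password="placeholder"/>'
             '</system.web></configuration>')


def effective_identity(web_config_xml, iis_user=None,
                       machine="machinename", process_account="ASPNET"):
    """Return (account, reason) for the identity ASP.NET request code runs as.

    iis_user: account IIS authenticated (Basic, Integrated); None = Anonymous.
    process_account: worker process identity (ASPNET, or Network Service
    on Server 2003). All parameter names here are illustrative assumptions.
    """
    root = ET.fromstring(web_config_xml)
    ident = root.find("system.web/identity")
    attrs = ident.attrib if ident is not None else {}
    # A missing <identity> element means impersonation is off (the default).
    impersonate = attrs.get("impersonate", "false").strip().lower() == "true"
    if not impersonate:
        return process_account, "impersonation off: process identity"
    fixed_user = attrs.get("userName", "").strip()
    if fixed_user:
        return fixed_user, "impersonating the fixed account in web.config"
    if iis_user is None:
        return "IUSR_" + machine, "impersonating the IIS anonymous account"
    return iis_user, "impersonating the authenticated caller"


if __name__ == "__main__":
    cases = [(CFG_NO_IDENTITY, None), (CFG_IMPERSONATE, None),
             (CFG_IMPERSONATE, "WEB01\\alice"), (CFG_FIXED, None)]
    for cfg, user in cases:
        print(user, "->", effective_identity(cfg, user))
```

When file or database access fails only for some configurations, the account returned here is the one whose NTFS permissions and group memberships need checking.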
