Hi,

I've always read that the user you set in the IIS website/virtual directory is the user that runs the app (anonymous user identity).

But in the application pool, I can also set a user (process model, identity).

What is the difference between the two, and which one will need access if I do a file read?

EDIT:

The bounty is for this question, posted as a comment: "but if I use 'anonymous authentication', is the user I choose in the 'anonymous user identity' ever used?"

+4  A: 

Check out this post. Quote:

The two accounts are different things. Think of the website identity representing the user of the site. If you create a new website this account is the anonymous IIS account. If you disable "Anonymous Authentication", your users will have to authenticate against the website (in an intranet/Windows domain site this could be implicit using the network credentials.)

The application pool identity is the Windows account needed for running your assemblies. Normally it is the "Network Service" account which is a least privileged account with limited user rights and permissions. It does have network credentials. This means that you can use it to authenticate against network resources in a domain. You can also use it to access a SQL Server database with integrated security.

For example, if your ASP.NET application has to write to a folder, you have to grant the permission to the application pool account, not to the website account. For more information on application pool identities, read here.

Darin Dimitrov
Great! One more question though: when is the website user used? The quote states the app pool identity used for file access and sql server, but when is the website user used for authentication?
Michel
@Michel, think of it as the mechanism you decide to use to authenticate the users. If you leave anonymous authentication, anyone could access your site; if you enable basic authentication, a user will need to provide credentials to access the site.
Darin Dimitrov
But if I use 'anonymous authentication', is the user I choose in the 'anonymous user identity' ever used?
Michel
+2  A: 

Think of the website identity as a rule that defines who can access the site. If you specify an anonymous account to use, that account must have access to the site. If anonymous access is disabled, then the user's credentials must have access to the folder.

The app pool identity defines what the application can do. The app pool's worker process will run using the app pool identity; that account must be granted access to any resources (SQL Server, file shares, etc) that the app will need to access.

To answer your question: yes, the anonymous account is used. Think of the scenario where you're hosting a hundred web sites, and you don't want one customer's files to be able to access another's. You would assign separate anonymous access to each customer. Each site's anonymous account allows IIS to access only the files relevant to that particular site (provided you've configured that account's access correctly).

CodeToaster
A: 

@Michel

If you have an Anon Access Account set up on your site (virtual dir)

AND you have

<system.web>
   <identity impersonate="true" />
</system.web>

in your web.config, this will use that identity.

If you have a part of code where you can set the credentials

CredentialCache.DefaultCredentials

this will point to the Anon Account. If you want to test what user you are using, try

Thread.CurrentPrincipal.Identity.Name.ToString()

have a look at this post for more information
http://blogs.iis.net/sakyad/archive/2008/11/19/process-and-thread-identity-in-asp-net-a-practical-approach.aspx

dbones
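
An added example, not code from any of the answers above: a diagnostic ASP.NET handler that reports each identity discussed in this thread and then attempts the file read from the question, so the account that actually needs the NTFS permission can be observed. It assumes ASP.NET on the .NET Framework hosted in IIS with full trust; the class name `WhoAmIHandler` and the probe path are hypothetical.

```csharp
// WhoAmIHandler.cs - added diagnostic example; class name and probe path are hypothetical.
// It discloses account names, so map it in a test site only and remove it afterwards.
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    // Constructed sample path: point it at a file the application is expected to read.
    private const string ProbePath = @"C:\inetpub\wwwroot\App_Data\probe.txt";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Who the visitor is to the application (empty name for an anonymous request).
        string user = context.User == null ? "(none)" : context.User.Identity.Name;
        r.Write("Request user (context.User):   '" + user + "'\n");
        r.Write("Thread.CurrentPrincipal:       '" + Thread.CurrentPrincipal.Identity.Name + "'\n");

        // Windows token IIS attached to this request; for an anonymous request
        // this is the account configured as the anonymous user identity.
        r.Write("Request logon identity:        " + context.Request.LogonUserIdentity.Name + "\n");

        // Windows account the thread is executing as right now. NTFS checks for
        // File.* calls are made against this account.
        r.Write("Thread Windows identity:       " + WindowsIdentity.GetCurrent().Name + "\n");

        // Drop any impersonation for a moment to see the worker process account,
        // which is the application pool identity.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            r.Write("Worker process (app pool):     " + WindowsIdentity.GetCurrent().Name + "\n");
        }

        // The file read from the question, performed as the thread identity.
        try
        {
            File.ReadAllText(ProbePath);
            r.Write("Read " + ProbePath + ": allowed\n");
        }
        catch (UnauthorizedAccessException) { r.Write("Read " + ProbePath + ": access denied\n"); }
        catch (IOException ex) { r.Write("Read " + ProbePath + ": " + ex.GetType().Name + "\n"); }
    }
}
```

Without `<identity impersonate="true" />` the thread Windows identity equals the worker process identity, so the application pool account needs the file permission; with impersonation enabled the thread identity becomes the request logon identity instead.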