Reposting my unanswered question from technet.microsoft:
The MSDN "ASP.NET Delegation" article says:
- 1) "When you configure to use a particular account as the process identity, ASP.NET attempts to delegate that account. If it is a local account that is identical (including password) to a local account on a remote machine, delegation is possible. If such an account does not exist on the remote machine, to the network it appears as the Windows anonymous account (NT AUTHORITY\ANONYMOUS LOGON). In addition, delegation is also possible if the account is a domain account that has access to the remote machine, in which case it uses the domain network identity of that account."
This is the same frequently repeated story as in the case of manually/interactively accessing a remote computer (server resource) in a workgroup: it is necessary to create a local account with the same username and the same password. But why?
If a workgroup Windows client process cannot access resources on a server machine without a duplicate of such a (local) account already pre-created on the target machine, does it mean that the client (process, machine, or user) can access server resources only by/after having logged on (opening a logon session) to the server machine?
Or, how should one understand that such access is impossible without a corresponding duplicate local account on the server machine?
The same MSDN "ASP.NET Delegation" article says:
- "NetworkService account. It behaves the same as the System account. This account possesses the network credentials associated with the machine account (domainname\machinename) in the domain of which it is a member"
Doesn't any Windows have the account (NT AUTHORITY\NETWORK SERVICE), as well as many other common pre-built accounts?
Why are they installed (before any joining to a domain) but cannot be used for remote network access and client identification?
And what identity is used when a process on a workgroup Windows machine, running under the identity (NT AUTHORITY\NETWORK SERVICE), accesses a remote server?
My related questions:
- domained LocalSystem vs. non-domained LocalSystem account in Windows-es ?
- how to check group membership of an “NT AUTHORITY\” account ?
- Is client LocalSystem (SYSTEM) identified by target/server machine? and in which context?
- Window workgroup LocalSystem vs. domain (AD) LocalSystem [closed]
- how to better set up machine for development both in workgroup and Windows domain? [closed]
- interoperating with Windows domain computer from workgroup Windows [closed]
- the context of local user of AD-joined machine? Is it of domain machine account or of local machine account?
- RunAs under domain account from non-AD Windows [closed]
- how to share the same domain machine account with multi-boot workgroup Windows setup?