I'm going a little nuts trying to understand the doc on impersonation and delegation, and the question has come up of what account my webservice is running under.

I am logged in as myDomainName\johna on my development workstation called JOHNXP. From Vstudio2005 I start my webservice via Debug and the wsdl page comes up in my browser.

From Task Manager, I see the following while sitting at a breakpoint in my .asmx code:

aspnet_wp.exe pid=1316 UserName=ASPNET
devenv.exe pid=3304 UserName=johna

The IIS Directory Security tab for the Virtual Directory that hosts my ws.asmx code has "Enable Anonymous access" UNCHECKED and has "Integrated Windows Authentication" CHECKED.

So when the MSDN people state "you must configure the user account under which the server process runs", what would they be referring to in the case of my little webservice described above?

I am quoting from: http://msdn.microsoft.com/en-us/library/aa302400.aspx

Ultimately, I want this webservice of mine to impersonate whatever authenticated domain user browses through to an invoke of my webservice. My webservice in turn consumes another ASMX webservice on a different server (but same domain). I need this remote webservice to use the impersonated domain user credentials (not those of my webservice on JOHNXP).

So it's getting a little snarly for me to understand this and I see I am unclear about the account my web service uses. I think it is ASPNET in IIS 5.1 on WinXP but not sure.

+2  A: 

By default any application running on top of ASP.NET (including ASMX web services) will execute under the ASP.NET Machine Account (ASPNET) security context, which has restricted privileges on the host machine.

This behavior can be altered by enabling impersonation, which will cause the ASP.NET application to execute under the security context of the authenticated user, or a specific user account. Impersonation is enabled in the Web.config file:

<system.web>
  <!-- ASP.NET runs as the authenticated user -->
  <identity impersonate="true" />
</system.web>

<system.web>
  <!-- ASP.NET runs as the specified user -->
  <identity impersonate="true"
            username="DOMAIN\user"
            password="password" />
</system.web>

When Integrated Windows Authentication is enabled in IIS and the anonymous Internet user account is disabled, the authenticated user will be the Windows identity of the client making the HTTP request.
With impersonation turned on, that same identity will be used by the ASP.NET worker process when processing the request.

Enrico Campidoglio
I forgot to mention that I have <identity impersonate="true" /> in the web.config for my webservice. So, I conclude that causes the whole service to run with the credentials of the authenticated user. Thank you for your answer.
John Galt
+1  A: 

By the way, in addition to the answer above, it should actually be:

<system.web>
  <!-- ASP.NET runs as the specified user -->
  <identity impersonate="true"
            userName="DOMAIN\user"
            password="password" />
</system.web>

The user name needs a capitalised N -> userName

Hope this helps

FinancialRadDeveloper
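
A small checker for the `<identity>` settings discussed in both answers, added here as an example and not part of either answer: it reports which account a Web.config selects and flags the mis-cased `username` attribute. The function names and mode labels are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Exact attribute names used in the answers above; XML names are case-sensitive.
KNOWN_ATTRS = ("impersonate", "userName", "password")

# The three <identity> variants posted on this page, copied as sample input.
AS_CALLER = r'<system.web><identity impersonate="true" /></system.web>'
MISCASED = r'''<system.web>
  <identity impersonate="true" username="DOMAIN\user" password="password" />
</system.web>'''
CORRECTED = MISCASED.replace("username", "userName")

def local(tag):
    """Drop a namespace prefix such as '{uri}identity' (present when the root declares xmlns)."""
    return tag.rsplit("}", 1)[-1]

def audit_identity(config_xml):
    """Return (mode, findings) for the first <identity> element in a Web.config string."""
    root = ET.fromstring(config_xml)
    identity = next((e for e in root.iter() if local(e.tag) == "identity"), None)
    if identity is None:
        return "process-account", []   # no impersonation: worker process account (ASPNET here)
    findings, attrs = [], {}
    for name, value in identity.attrib.items():
        canonical = next((k for k in KNOWN_ATTRS if k.lower() == name.lower()), None)
        if canonical is None:
            findings.append("unknown attribute '%s'" % name)
        elif canonical != name:
            findings.append("attribute '%s' must be spelled '%s'" % (name, canonical))
        else:
            attrs[name] = value
    if findings:
        return "invalid", findings     # fix the spelling before trusting the rest
    if attrs.get("impersonate") != "true":
        return "process-account", findings
    if "userName" not in attrs:
        return "authenticated-user", findings
    if "password" in attrs:
        findings.append("password for '%s' is stored in clear text" % attrs["userName"])
    return "fixed-account", findings

if __name__ == "__main__":
    for sample in (AS_CALLER, MISCASED, CORRECTED):
        print(audit_identity(sample))
```
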