Knowledge Essentials - 3Essentials Hosting

What identity is my ASP.NET application code running under?

Article ID: 269


Question:

What id does my ASP.net code (aspx pages) execute under?

Answer:

Many people get confused about what user ID ASP.NET code (the aspx files on your site) executes under. This is because of some slightly misleading articles on the topic by Microsoft: they are accurate, but they don't discuss the changes which might be implemented in a shared hosting environment. The following discussion should clarify this topic.

  • Not NETWORK SERVICE or ASPNET: On Windows 2003 with IIS, the default for a new website is to configure it to use a default application pool, and the default application pool runs under a user called NETWORK SERVICE (in previous versions of IIS, this ran under a user called ASPNET). Your site on 3Essentials does NOT execute ASP.NET code under NETWORK SERVICE or ASPNET. This is because we do not implement websites in IIS in this default fashion: if everyone ran under NETWORK SERVICE, then any other customer hosted on the same server would have access to your files. Because we're a shared hosting provider, we need to isolate each user's code to run under their own unique ID. Microsoft's many articles about ASP.NET running under NETWORK SERVICE or ASPNET are only talking about a default configuration, which someone might use when hosting only a single company's websites on a server, with no need to isolate the sites' code from each other.
  • IUSR or IWPD:   So, due to the needs of shared hosting - we configure our servers such that each customer's code executes under their own unique ID.  ASP.net executes under a website's unique application pool, and therefore executes under the id assigned to that application pool.  Based on the version of Plesk, this may vary a little:
    • Plesk versions 7.0.3 and below (web4, web6, web8) - each site's application pool will use IUSR_something
    • Plesk versions 7.5.6 and above (web10, web12, web14, web16) - each site's application pool will use IWPD_something.

ASP.net Impersonation:

The above description discusses our default implementation... i.e., that on a Plesk 7.5.6 server, ASP.net executes within the application pool and uses the application pool's identity which would be IWPD_something.  However, ASP.NET also supports impersonation, which may allow you to change the user under which the code executes.  ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (in our case, the IUSR_something identity).

If you enable impersonation, ASP.NET can impersonate either:

  • the authenticated identity received from IIS (which would be the IUSR_something user; note, this is the IUSR not the IWPD user), or
  • an identity specified in the application's Web.config file.

So, this means you have the following three options when configuring impersonation:

  • impersonation is disabled
  • impersonation is enabled
  • impersonation is enabled for a specific identity

Examples of how these are implemented in your web.config are below.

  • Impersonation is disabled. This is the default setting.  You don't actually have to specify it as disabled in your web.config file, because as noted, this is the default - but here's how it would be done.   In this instance, the ASP.NET thread runs using the user id of the application pool as noted previously.
    <identity impersonate="false" />
  • Impersonation enabled. In this instance, ASP.NET impersonates the token passed to it by IIS, which in the 3Essentials environment would be the IUSR_something account for your website.
    <identity impersonate="true" />
  • Impersonation enabled for a specific identity. In this instance, ASP.NET impersonates the token generated using an identity specified in the Web.config file.  Note this is NOT supported by 3Essentials shared hosting plans as there is no facility provided for creating users other than those user accounts we create by default to manage your hosting (the IUSR and IWPD users).
    <identity impersonate="true"
              userName="domain\user"
              password="password" />

To verify what identity/user your ASP.NET pages are executing under, download the whoami.aspx file attached to this article, upload it to your httpdocs, and then access it via a browser (i.e., http://www.yourdomain.com/whoami.aspx). If you're hosted on one of our Plesk 7.5.6 or above servers, you can even see this change back and forth between the IUSR and IWPD users by simply updating the web.config to enable and disable the impersonate value.
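A diagnostic page of the kind described above, as an added example; it is not the whoami.aspx attached to this article. The control IDs are assumptions, and the page reports both the identity of the request thread and, where the trust level allows it, the application pool identity underneath.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Added example, not the article's attachment. Control IDs are illustrative.
    protected void Page_Load(object sender, EventArgs e)
    {
        // Identity of the thread serving this request: the application pool
        // account when impersonation is off, the token IIS passed in when on.
        string threadName = WindowsIdentity.GetCurrent().Name;
        ThreadIdentity.Text = Server.HtmlEncode(threadName);

        // The user IIS authenticated for this request (empty when anonymous).
        LogonUser.Text = Server.HtmlEncode(Request.ServerVariables["LOGON_USER"]);

        // Process (application pool) identity: drop any impersonation token
        // for a moment, read the identity, then restore the token.
        try
        {
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
            try
            {
                string processName = WindowsIdentity.GetCurrent().Name;
                ProcessIdentity.Text = Server.HtmlEncode(processName);
                // If the two names differ, the thread is impersonating.
                Impersonating.Text = (processName != threadName) ? "yes" : "no";
            }
            finally
            {
                ctx.Undo(); // back to the identity the request started with
            }
        }
        catch (SecurityException)
        {
            // Reduced-trust configurations may not permit reverting the token.
            ProcessIdentity.Text = "(not available at this trust level)";
            Impersonating.Text = "(unknown)";
        }
    }
</script>
<html>
<body>
  <p>Thread identity: <asp:Literal ID="ThreadIdentity" runat="server" /></p>
  <p>Application pool identity: <asp:Literal ID="ProcessIdentity" runat="server" /></p>
  <p>Impersonating: <asp:Literal ID="Impersonating" runat="server" /></p>
  <p>LOGON_USER: <asp:Literal ID="LogonUser" runat="server" /></p>
</body>
</html>
```

The page discloses account names to anyone who requests it, so delete it from httpdocs once you have your answer.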

 

 
Downloads Associated With This Article
whoami.zip : Identify ASP.net process identity - Sample Code