问题
When a user browses to a ASP.NET website, is the user impersonating the ASPNET account or the account specified in IIS->Directory Security->Account used for anonymous access (EX: IUSR_XXX)
My website writes files to the disk and I was wondering which of these accounts need write access to the folder? Also, can someone explain how the impersonate element in the web.config ties into all this?
Thanks!
回答1:
If impersonation is enabled in an ASP.NET application then:
- If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
- If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
- In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.
If impersonation is disabled in an ASP.NET application then:
- If anonymous access is enabled in IIS, the request is made using the system-level process account.
- If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
- In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account they are
running under is valid for that resource.
Source: Understanding Impersonation in ASP.NET
回答2:
By default the identity is MachineName\ASPNET, you can change this behavior by turning on identity impersonation in the web.config
来源:https://stackoverflow.com/questions/1981578/which-account-is-used-when-a-user-navigates-to-a-asp-net-website