IUSR_machinename vs ASPNET

[Andrew J Fortune]

Hello all,

I am trying to ascertain the difference, in terms of access and
privileges, between the Internet Guest User Account (IUSR_machinename,
where machinename is the name of your computer) vs. the ASPNET user
(ASP.NET machine account).

If you write a web application, you can configure it via its
web.config file. One of the things you can do is set the impersonate
attribute in the <identity> tag. If you set it (impersonate) to true,
and you additionally qualify the username and password attributes, the
visiting user can impersonate that specific account.

However, if you don't qualify username/password, but still set
impersonate = true, I understand that it defaults to impersonating
IUSR_machinename.

Finally, if you set impersonate=false, the user's scope defaults to
that of ASPNET.

The default settings on my machine are that IUSR_machinename is part
of the Guests group, and ASPNET is part of the Users group. But,
according to the description, these two groups have the same
privileges.

So then, what is the difference between setting the visiting user as
IUSR_machinename vs setting him/her as ASPNET ??

I have done a lot of reading on this, but the answer eludes me.

Any help appreciated.

regards,
Andrew J Fortune,
Melbourne,
Australia

 

[Cor Ligthert]

Andrew,

Did you know that there is a newsgroup

microsoft.public.dotnet.framework.aspnet

Probably you get a quicker answer there,

Cor

"Andrew J Fortune"

 

[Paul Clement]

On 19 Sep 2004 19:07:01 -0700, (e-mail address removed) (Andrew J Fortune) wrote:

¤ Hello all,
¤
¤ I am trying to ascertain the difference, in terms of access and
¤ privileges, between the Internet Guest User Account (IUSR_machinename,
¤ where machinename is the name of your computer) vs. the ASPNET user
¤ (ASP.NET machine account).
¤
¤ If you write a web application, you can configure it via its
¤ web.config file. One of the things you can do is set the impersonate
¤ attribute in the <identity> tag. If you set it (impersonate) to true,
¤ and you additionally qualify the username and password attributes, the
¤ visiting user can impersonate that specific account.
¤
¤ However, if you don't qualify username/password, but still set
¤ impersonate = true, I understand that it defaults to impersonating
¤ IUSR_machinename.
¤
¤ Finally, if you set impersonate=false, the user's scope defaults to
¤ that of ASPNET.
¤
¤ The default settings on my machine are that IUSR_machinename is part
¤ of the Guests group, and ASPNET is part of the Users group. But,
¤ according to the description, these two groups have the same
¤ privileges.
¤
¤ So then, what is the difference between setting the visiting user as
¤ IUSR_machinename vs setting him/her as ASPNET ??
¤
¤ I have done a lot of reading on this, but the answer eludes me.
¤

They're both restricted accounts but there are a few differences. ASPNET (or Network Service in
Server 2003) is simply the "catch-all" account when impersonation is not implemented for any of the
IIS security mechanisms. I believe that the ASPNET account has some privileges beyond group level.

Process and request identity in ASP.NET
http://support.microsoft.com/default.aspx?scid=kb;en-us;317012

In any event, ASPNET was added when impersonation was turned off by default for the move from ASP to
ASP.NET. The IUSR accounts are specific to Anonymous (no) authentication.

To answer your question though, using impersonation when implementing Anonymous authentication
probably doesn't make much sense under most circumstances. Typically you only enable impersonation
under Basic, Integrated NT, etc. when you want to identify the true authenticated user account.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)