Authentication And Identity Flow When ASP Page Consumes ASP.NET Web Service

"Classic" ASP has an application isolation model that is different from ASP.NET's. Here is one real-world scenario where that difference matters.


There is a legacy web application written in classic ASP and hosted on a Win2K3 box (IIS 6.0). It is, of course, in the process of being migrated to ASP.NET. As part of that migration, several ASP.NET web services were factored out of the classic ASP application. These web services are hosted on another Win2K3 box and require Windows authentication. The classic ASP application must consume them while satisfying that requirement. The ASP page consumes the web service through .NET COM interop, invoking a .NET component.

The question is: under which account does the ASP page authenticate to the ASP.NET web service on the other machine?

It is a common mistake to assume that it is the application pool's account. Classic ASP does not run under the application pool identity. With anonymous access enabled, it runs under the account configured for the anonymous user in IIS.


That said, to let the ASP page authenticate to the ASP.NET web service with Windows authentication, configure a domain account as the anonymous user in the anonymous access settings of the virtual directory where the ASP application resides. This is the account that will hit the ASP.NET web service.
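The following two files, added here as an example and not code from the original post, make the identity flow observable from both ends: the web service echoes the Windows account it was called with, and the COM-visible .NET component that the ASP page creates reports the identity of the ASP request thread and then calls the service with it. The class names, the ProgId, the wsdl.exe-generated proxy (ServiceSideProxy.IdentityCheck) and the service URL are assumptions.

```csharp
// Added example, not code from the original post. Class names, the ProgId, the
// wsdl.exe-generated proxy and the service URL are assumptions for illustration.
// ---- File 1: IdentityCheck.asmx.cs (ASP.NET web service, Windows auth required) ----
using System.Web;
using System.Web.Services;
namespace ServiceSide
{
    public class IdentityCheck : WebService
    {
        [WebMethod]
        public string WhoAmI()
        {
            // The Windows account IIS authenticated the caller as, whatever you expected it to be.
            return HttpContext.Current.User.Identity.Name;
        }
    }
}
// ---- File 2: IdentityProbe.cs (COM-visible .NET component created from classic ASP) ----
// ASP usage: Set p = Server.CreateObject("AspInterop.IdentityProbe")
//            Response.Write p.LocalIdentity() & " -> " & p.RemoteIdentity(url)
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;
namespace AspInterop
{
    [ComVisible(true)]
    [ClassInterface(ClassInterfaceType.AutoDual)]
    [ProgId("AspInterop.IdentityProbe")]
    public class IdentityProbe
    {
        // Account the ASP request thread is impersonating right now. With anonymous access
        // this is the virtual directory's anonymous-user account, not the app pool identity.
        public string LocalIdentity()
        {
            WindowsIdentity id = WindowsIdentity.GetCurrent();
            return id.Name + " (" + id.ImpersonationLevel + ")";
        }
        // Calls the service with the thread's own token; no password is stored anywhere.
        // ServiceSideProxy.IdentityCheck is the wsdl.exe-generated proxy (assumed name).
        public string RemoteIdentity(string serviceUrl)
        {
            ServiceSideProxy.IdentityCheck svc = new ServiceSideProxy.IdentityCheck();
            svc.Url = serviceUrl;
            svc.Credentials = CredentialCache.DefaultCredentials;
            return svc.WhoAmI();
        }
    }
}
```

If LocalIdentity() reports the anonymous account but RemoteIdentity() fails with a 401 WebException, the anonymous user is a local account the service box cannot authenticate; when both calls return the same domain account name, the configuration described above is in effect.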

Comments

  • Anonymous
    September 05, 2007
    Rather than setting the site to a custom anonymous user, which breaks Windows Integrated Authentication, we use a COM object to revert the ASP process back to the AppPool identity.
    http://support.microsoft.com/kb/248187
    We have a COM object with a "RunAsAppPool" method that reverts the processing thread to its original owner, in this case it's the App Pool ID:

        Dim objASPIdentity
        Set objASPIdentity = Server.CreateObject("ASPIdentity.Identity")
        'Reverting to AppPool...
        objASPIdentity.RunAsAppPool()
        'Do stuff like DB access with Trusted Connections,
        'running WebService calls etc.

    You can always access the logged on user via Request.ServerVariables("LOGON_USER"), but the page will now continue as the app pool.
    One note of warning - you can't go back. Once you revert the thread, you'd need the user/password to re-logon...
    Chris
  • Anonymous
    September 05, 2007
    Can you share the implementation of the RunAsAppPool method? If you use the LogonUser API, then you have the problem of securely managing the credentials that you pass to it in order to impersonate.
    In any case, I am a developer, but I strive to do security stuff utilizing infrastructure first and saving coding as a fallback.
  • Anonymous
    October 01, 2007
    Alikl,
    Is it possible (and advisable) to use the Network Service account to enable anonymous access so the ASP pages can then access SQL using the IIS machine account?
    Thank you for your help,
    sk6
  • Anonymous
    October 02, 2007
    sk6,
    I am not sure I understand the question right, but here are some related resources:
    How To: Use the Network Service Account to Access Resources in ASP.NET
    http://msdn2.microsoft.com/en-us/library/ms998320.aspx
    Whiteboard Solution
    http://www.securityguidanceshare.com/wiki/Category:Whiteboard_Solution
    Does it answer your question?