File upload fails when user is authenticated. Using IIS7 Integrated mode.

Posted by Nikkelmann on Stack Overflow See other posts from Stack Overflow or by Nikkelmann
Published on 2011-01-14T10:50:23Z Indexed on 2011/01/14 10:53 UTC
Read the original article Hit count: 196

These are the user identities my website tells me that it uses:

Logged on: NT AUTHORITY\NETWORK SERVICE (Can not write any files at all)
and
Not logged on: WSW32\IUSR_77 (Can write files to any folder)

I have a ASP.NET 4.0 website on a shared hosting IIS7 web server running in Integrated mode with 32-bit applications support enabled and MSSQL 2008. Using classic mode is not an option since I need to secure some static files and I use Routing.

In my web.config file I have set the following:

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>

My hosting company says that Impersonation is enabled by default on machine level, so this is not something I can change.

I asked their support and they referred me to this article: http://www.codinghub.net/2010/08/differences-between-integrated-mode-and.html

Citing this part:

Different windows identity in Forms authentication

When Forms Authentication is used by an application and anonymous access is allowed, the Integrated mode identity differs from the Classic mode identity in the following ways:

* ServerVariables["LOGON_USER"] is filled.
* Request.LogognUserIdentity uses the credentials of the [NT AUTHORITY\NETWORK SERVICE] account instead of the [NT AUTHORITY\INTERNET USER] account. 

This behavior occurs because authentication is performed in a single stage in Integrated mode. Conversely, in Classic mode, authentication occurs first with IIS 7.0 using anonymous access, and then with ASP.NET using Forms authentication. Thus, the result of the authentication is always a single user-- the Forms authentication user. AUTH_USER/LOGON_USER returns this same user because the Forms authentication user credentials are synchronized between IIS 7.0 and ASP.NET.

A side effect is that LOGON_USER, HttpRequest.LogonUserIdentity, and impersonation no longer can access the Anonymous user credentials that IIS 7.0 would have authenticated by using Classic mode.

How do I set up my website so that it can use the proper identity with the proper permissions?

I've looked high and low for any answers regarding this specific problem, but found nil so far...

I hope you can help!

© Stack Overflow or respective owner

Related posts about c#

Related posts about ASP.NET