Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


patterns & practices Developer Center

ASP.NET Identity Matrix

J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation

Published: November 2002

Last Revised: January 2006

Applies to:

  • Microsoft® ASP.NET

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for the starting point and a complete overview of Building Secure ASP.NET Applications.

Summary: This document provides tables that illustrate, for a range of IIS authentication settings, the resultant identity that is obtained from each of the variables that maintain an IPrincipal and/or IIdentity object. (4 printed pages)

Principal objects implement the IPrincipal interface and represent the security context of the user on whose behalf the code is running. The principal object includes the user's identity (as a contained IIdentity object) and any roles to which the user belongs.

ASP.NET provides the following principal and identity object implementations:

  • WindowsPrincipal and WindowsIdentity objects represent users who have been authenticated with Windows authentication. With these objects, the role list is automatically obtained from the set of Windows groups to which the Windows user belongs.
  • GenericPrincipal and GenericIdentity objects represent users who have been authenticated using Forms authentication or other custom authentication mechanisms. With these objects, the role list is obtained in a custom manner, typically from a database.
  • FormsIdentity and PassportIdentity objects represent users who have been authenticated with Forms and Passport authentication respectively.

The following tables illustrate, for a range of IIS authentication settings, the resultant identity that is obtained from each of the variables that maintain an IPrincipal and/or IIdentity object. The following abbreviations are used in the table:

  • HttpContext = HttpContext.Current.User, which returns an IPrincipal object that contains security information for the current Web request. This is the authenticated Web client.
  • WindowsIdentity = WindowsIdentity.GetCurrent(), which returns the identity of the security context of the currently executing Win32 thread.
  • Thread = Thread.CurrentPrincipal, which returns the principal of the currently executing .NET thread, which rides on top of the Win32 thread.

Note   With IIS 6.0 running on Windows Server 2003, the identity matrix still holds, except that the MACHINE\ASPNET identity is replaced with NT Authority\Network Service.
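The following page class is an added example, not part of the original guidance. It reads the three variables the tables compare and shows why an authorization check must be made against the authenticated Web client (HttpContext.Current.User) rather than the Win32 thread identity, which under Forms authentication without impersonation is the worker process account. The role name "Managers" is a placeholder.

```csharp
// Added example (not from the original page): dump the three identity
// sources the matrix describes and authorize against the right one.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.UI;

public class IdentityMatrixPage : Page
{
    // Returns the names in the same order as the table columns:
    // HttpContext, WindowsIdentity, Thread. "-" marks an unauthenticated identity.
    public static string[] GetIdentityNames()
    {
        IPrincipal webUser = HttpContext.Current.User;        // HttpContext column
        WindowsIdentity win32 = WindowsIdentity.GetCurrent(); // WindowsIdentity column
        IPrincipal thread = Thread.CurrentPrincipal;          // Thread column

        return new string[] {
            webUser != null && webUser.Identity.IsAuthenticated ? webUser.Identity.Name : "-",
            win32.Name,
            thread != null && thread.Identity.IsAuthenticated ? thread.Identity.Name : "-"
        };
    }

    // Under <authentication mode="Forms" /> with <identity impersonate="false"/>,
    // WindowsIdentity.GetCurrent() is MACHINE\ASPNET (or NT Authority\Network
    // Service on IIS 6.0), so a role check against it says nothing about the
    // user who logged in. Always check the principal from HttpContext.
    public static bool IsManager()
    {
        IPrincipal webUser = HttpContext.Current.User;
        return webUser != null
            && webUser.Identity.IsAuthenticated
            && webUser.IsInRole("Managers");   // placeholder role name
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        string[] names = GetIdentityNames();
        Response.ContentType = "text/plain";
        Response.Write("HttpContext:     " + names[0] + "\n");
        Response.Write("WindowsIdentity: " + names[1] + "\n");
        Response.Write("Thread:          " + names[2] + "\n");
        Response.Write("Manager:         " + IsManager() + "\n");
    }
}
```

Requesting the page under each combination of IIS authentication setting, authentication mode and impersonate value reproduces the corresponding row of the tables below.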

Table 1. IIS anonymous authentication

Web.config Settings                  Variable Location   Resultant Identity
<identity impersonate="true"/>       HttpContext         -
<authentication mode="Windows" />    WindowsIdentity     MACHINE\IUSR_MACHINE
                                     Thread              -

<identity impersonate="false"/>      HttpContext         -
<authentication mode="Windows" />    WindowsIdentity     MACHINE\ASPNET
                                     Thread              -

<identity impersonate="true"/>       HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     MACHINE\IUSR_MACHINE
                                     Thread              Name provided by user

<identity impersonate="false"/>      HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     MACHINE\ASPNET
                                     Thread              Name provided by user

Table 2. IIS basic authentication

Web.config Settings                  Variable Location   Resultant Identity
<identity impersonate="true"/>       HttpContext         Domain\UserName
<authentication mode="Windows" />    WindowsIdentity     Domain\UserName
                                     Thread              Domain\UserName

<identity impersonate="false"/>      HttpContext         Domain\UserName
<authentication mode="Windows" />    WindowsIdentity     MACHINE\ASPNET
                                     Thread              Domain\UserName

<identity impersonate="true"/>       HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     Domain\UserName
                                     Thread              Name provided by user

<identity impersonate="false"/>      HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     MACHINE\ASPNET
                                     Thread              Name provided by user

Table 3. IIS digest authentication

Web.config Settings                  Variable Location   Resultant Identity
<identity impersonate="true"/>       HttpContext         Domain\UserName
<authentication mode="Windows" />    WindowsIdentity     Domain\UserName
                                     Thread              Domain\UserName

<identity impersonate="false"/>      HttpContext         Domain\UserName
<authentication mode="Windows" />    WindowsIdentity     MACHINE\ASPNET
                                     Thread              Domain\UserName

<identity impersonate="true"/>       HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     Domain\UserName
                                     Thread              Name provided by user

<identity impersonate="false"/>      HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     MACHINE\ASPNET
                                     Thread              Name provided by user

Table 4. IIS integrated Windows authentication

Web.config Settings                  Variable Location   Resultant Identity
<identity impersonate="true"/>       HttpContext         Domain\UserName
<authentication mode="Windows" />    WindowsIdentity     Domain\UserName
                                     Thread              Domain\UserName

<identity impersonate="false"/>      HttpContext         Domain\UserName
<authentication mode="Windows" />    WindowsIdentity     MACHINE\ASPNET
                                     Thread              Domain\UserName

<identity impersonate="true"/>       HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     Domain\UserName
                                     Thread              Name provided by user

<identity impersonate="false"/>      HttpContext         Name provided by user
<authentication mode="Forms" />      WindowsIdentity     MACHINE\ASPNET
                                     Thread              Name provided by user

© Microsoft Corporation. All rights reserved.