IIS Application Identities

This topic describes the basic concepts that a developer needs to understand when creating IIS applications that cross identity boundaries. For a complete understanding of this topic, developers must be familiar with the NT security and COM+ security models.

IIS manages the authentication and authorization of clients that access IIS applications. IIS administrators can configure security settings that authorize access to specific identities only. Once a client is authenticated, that identity is associated with each of its requests as it browses through an application, and it is the identity that the application's code runs under unless the code deliberately changes it.

Process Identity Compared to Thread Identity

Every Microsoft Windows process has a process identity. The process object carries a primary access token that identifies the account the process runs as and that the system checks against the security descriptors of secured resources (files, registry keys, named kernel objects) to decide what access the process has.

The identity under which an IIS application's requests execute is controlled by the server administrator. For example, if a Web site is configured to allow anonymous access, requests to the applications contained in the Web site run under the account that is set in the AnonymousUserName metabase property. If anonymous access is not allowed, they run under the identity of the authenticated client. This topic and the table below call that identity the process identity. Note that in Win32 terms it is carried by the impersonation token that IIS places on the request thread; the hosting process itself (Inetinfo.exe, the out-of-process COM+ host, or W3wp.exe) runs as a different, usually more privileged, account, which is the account a thread ends up with after RevertToSelf (see the table below).

When IIS creates a thread to run an ISAPI extension or an ASP page, the thread has an impersonation token associated with it that carries the same identity as the process identity described above, unless the application calls the Win32 RevertToSelf function. RevertToSelf removes the impersonation token from the thread, so code that runs afterwards uses the token of the hosting process (the table below lists which account that is for each isolation setting). If you need to act as the client again later in the request, obtain a handle to the impersonation token before calling RevertToSelf and put it back with SetThreadToken. In an ISAPI extension you can retrieve the client's impersonation token at any point in the request with the HSE_REQ_GET_IMPERSONATION_TOKEN server support function; the handle it returns is owned by IIS and is valid for the duration of the request, so the extension should not close it.
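The following ASP.NET HTTP handler, written in C#, is an added example and is not part of this topic or of IIS. It reports the identities described above for one request and uses WindowsIdentity.Impersonate(IntPtr.Zero), the managed equivalent of RevertToSelf, to show the hosting process's account beside the client's. It assumes ASP.NET 2.0 or later running under IIS with <identity impersonate="true"/> in web.config; the probe file App_Data/probe.txt is a hypothetical placeholder used only to show an access check under each identity.

```csharp
// Added example (not from the IIS documentation): report the identities visible to one
// ASP.NET request and demonstrate the managed equivalent of RevertToSelf.
// Assumes <identity impersonate="true"/> so the request thread impersonates the client.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class IdentityReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;
        resp.ContentType = "text/plain";

        // The token IIS associated with the client: IUSR_computername for anonymous
        // requests, otherwise the authenticated user. This is what the topic's table
        // calls the "process identity" of the application.
        WindowsIdentity client = context.Request.LogonUserIdentity;
        resp.Write("Client token:        " + client.Name + "\r\n");

        // The identity this thread actually executes under. With impersonation enabled
        // it equals the client token; without it, it is the worker process account.
        resp.Write("Thread identity:     " + WindowsIdentity.GetCurrent().Name + "\r\n");

        // GetCurrent(true) returns null when the thread carries no impersonation token.
        bool impersonating = WindowsIdentity.GetCurrent(true) != null;
        resp.Write("Impersonating:       " + impersonating + "\r\n");

        // Managed RevertToSelf: Impersonate(IntPtr.Zero) drops the impersonation token, so
        // the thread runs as the hosting process (NETWORK SERVICE by default in worker
        // process isolation mode; IWAM_computername or Local System in IIS 5.0 isolation mode).
        string processAccount;
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            processAccount = WindowsIdentity.GetCurrent().Name;
            // Work that must run as the process account, never as the client, goes here.
        } // Dispose() calls Undo(), restoring the client token on this thread.
        resp.Write("Process identity:    " + processAccount + "\r\n");

        // The check that matters for authorization: the same ACL test under each identity.
        string probe = context.Server.MapPath("~/App_Data/probe.txt"); // hypothetical path
        resp.Write("Readable as client:  " + CanRead(probe) + "\r\n");
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            resp.Write("Readable as process: " + CanRead(probe) + "\r\n");
        }
    }

    // Open for read under the current thread identity; false on an access denial.
    private static bool CanRead(string path)
    {
        try
        {
            using (File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                return true;
            }
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (IOException) { return false; }
    }
}
```

Register the handler in web.config under <httpHandlers> (for example, verb="*" path="whoami.axd" type="IdentityReportHandler") and request it once anonymously and once as an authenticated user. If <identity impersonate="true"/> is missing, "Thread identity" equals "Process identity" and "Impersonating" is False while "Client token" still shows the anonymous or authenticated user, which is exactly the situation the topic describes after RevertToSelf.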

If a COM component is called from an IIS application, the COM+ security and threading model takes control of which identity is used. The table below summarizes this information.

Application Types and Their Identities

The following table lists the application types that are available in IIS and, for each type, the process identity and the thread identity under which it runs.

ISAPI filters

Process identity:

  • In IIS 5.0 isolation mode on IIS 6.0, and on IIS 4.0, IIS 5.0, and IIS 5.1, the process identity is the Local System account, because filters run in the Inetinfo.exe process.

  • In worker process isolation mode on IIS 6.0, the process identity is the application pool's identity (NT AUTHORITY\NETWORK SERVICE by default), which must be a member of the IIS_WPG group, because filters run in the W3wp.exe process (the worker process for the application pool).

Thread identity: the same as the process identity. Filters never run under the client's identity, so a filter that touches secured resources does so with the full rights of the hosting process.

ISAPI extensions

Process identity:

  • If anonymous access is allowed, the account that is set in the AnonymousUserName metabase property. AnonymousUserName is configured to the IUSR_computer_name account by default.

  • If anonymous access is not allowed, the identity of the authenticated client.

Thread identity:

  • If the Win32 RevertToSelf function has not been called, the same as the process identity.

  • If RevertToSelf has been called, the thread stops impersonating the client and runs under the account of the process that hosts the extension, which depends on the application's isolation setting. For an in-process application (Low isolation), that account is Local System. For an out-of-process application (Medium or High isolation), it is the account that is set in the WAMUserName metabase property (IWAM_computer_name by default). For an IIS 6.0 application running in worker process isolation mode, it is the application pool's identity, NT AUTHORITY\NETWORK SERVICE by default.

ASP.NET

ASP.NET behaves the same way as ISAPI extensions because aspnet_isapi.dll is an ISAPI extension.

ASP

ASP behaves the same way as ISAPI extensions because asp.dll is an ISAPI extension.

CGI

Process identity:

  • If anonymous access is allowed, the account that is set in the AnonymousUserName metabase property. AnonymousUserName is configured to the IUSR_computer_name account by default.

  • If anonymous access is not allowed, the identity of the authenticated client.

Thread identity: the same as the process identity. Because IIS starts the CGI executable as a separate process using the request's token, the process identity is literal here: every thread in the CGI process runs as that account, and there is no hosting-process identity to revert to.

COM components called from ISAPIs or ASP pages

Process identity, before the COM component is called:

  • If anonymous access is allowed, the account that is set in the AnonymousUserName metabase property. AnonymousUserName is configured to the IUSR_computer_name account by default.

  • If anonymous access is not allowed, the identity of the authenticated client.

Thread identity: when the COM component is called, the COM+ security and threading model takes control.

  • If COM+ executes the call on the same thread that IIS was using, the identity does not change; the component runs under the thread's impersonation token.

  • If COM+ dispatches the call to a different thread (for example, across an apartment boundary or to an out-of-process COM+ application, where RPC is involved), the identity of that thread is determined by the COM+ application's configuration rather than by IIS.

Static HTML pages

Process identity:

  • If anonymous access is allowed, the account that is set in the AnonymousUserName metabase property. AnonymousUserName is configured to the IUSR_computer_name account by default.

  • If anonymous access is not allowed, the identity of the authenticated client.

Thread identity: does not apply. No application code runs; IIS itself reads the file while impersonating the request identity, so the file's ACL is checked against that account.
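As an added example that is not part of this topic, the following C# console program reads, for one IIS 6.0 Web directory, the metabase properties that select the identities in the table: AnonymousUserName and WAMUserName (named above) plus AuthFlags, AppIsolated, AppPoolId, AppPoolIdentityType and IIs5IsolationModeEnabled, which are standard IIS 6.0 metabase properties that this page does not mention. It uses the IIS ADSI provider (IIS://) through System.DirectoryServices and must run on the server with administrative rights; the default path IIS://localhost/W3SVC/1/Root is the root of the default Web site.

```csharp
// Added example, not part of the IIS documentation: report which account a Web directory's
// requests run as (the table's "process identity") and which account RevertToSelf yields,
// for both IIS 5.0 isolation mode and worker process isolation mode.
// Requires a reference to System.DirectoryServices.dll and local administrative rights.
using System;
using System.DirectoryServices;

public static class IisIdentityReport
{
    public static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "IIS://localhost/W3SVC/1/Root";

        // IIs5IsolationModeEnabled on the W3SVC node tells which of the two modes is active.
        bool iis5Mode;
        using (DirectoryEntry svc = new DirectoryEntry("IIS://localhost/W3SVC"))
        {
            iis5Mode = Convert.ToBoolean(GetValue(svc, "IIs5IsolationModeEnabled", false));
        }
        Console.WriteLine("Isolation mode:            {0}",
            iis5Mode ? "IIS 5.0 isolation mode" : "worker process isolation mode");

        using (DirectoryEntry dir = new DirectoryEntry(path))
        {
            // AuthFlags bit 0x1 (AuthAnonymous) says whether anonymous access is allowed.
            int authFlags = Convert.ToInt32(GetValue(dir, "AuthFlags", 0));
            bool anonymous = (authFlags & 0x1) != 0;
            Console.WriteLine("Anonymous access allowed:  {0}", anonymous);
            Console.WriteLine("Request identity:          {0}",
                anonymous ? GetString(dir, "AnonymousUserName") : "(authenticated client)");

            if (iis5Mode)
            {
                // AppIsolated: 0 = in-process (Low), 1 = out-of-process (High), 2 = pooled (Medium).
                // In-process code reverts to Local System; out-of-process code reverts to WAMUserName.
                int isolation = Convert.ToInt32(GetValue(dir, "AppIsolated", 0));
                string reverted = isolation == 0
                    ? "Local System (in-process, Inetinfo.exe)"
                    : GetString(dir, "WAMUserName") + " (out-of-process, WAMUserName)";
                Console.WriteLine("Identity after RevertToSelf: {0}", reverted);
            }
            else
            {
                // The application pool's identity is what RevertToSelf yields in this mode.
                string poolId = GetString(dir, "AppPoolId");
                using (DirectoryEntry pool = new DirectoryEntry("IIS://localhost/W3SVC/AppPools/" + poolId))
                {
                    Console.WriteLine("Identity after RevertToSelf: {0} (application pool {1})",
                        PoolIdentity(pool), poolId);
                }
            }
        }
    }

    // AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService, 2 = NetworkService (default),
    // 3 = a specific account stored in the pool's own WAMUserName property.
    static string PoolIdentity(DirectoryEntry pool)
    {
        switch (Convert.ToInt32(GetValue(pool, "AppPoolIdentityType", 2)))
        {
            case 0: return "Local System";
            case 1: return "NT AUTHORITY\\LOCAL SERVICE";
            case 2: return "NT AUTHORITY\\NETWORK SERVICE";
            case 3: return GetString(pool, "WAMUserName");
            default: return "(unknown AppPoolIdentityType)";
        }
    }

    // Metabase properties are inherited; a null value means the property is unset at every level.
    static object GetValue(DirectoryEntry entry, string name, object fallback)
    {
        object value = entry.Properties[name].Value;
        return value == null ? fallback : value;
    }

    static string GetString(DirectoryEntry entry, string name)
    {
        return Convert.ToString(GetValue(entry, name, ""));
    }
}
```

Run it once per application root (for example, IIS://localhost/W3SVC/1/Root/MyApp) to confirm the table for that server. The security review question it answers is the one the table leaves implicit: in IIS 5.0 isolation mode an in-process application that calls RevertToSelf runs as Local System, so any Low-isolation application with that call in its code path deserves the same scrutiny as a service running as SYSTEM.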