Fog Creek Software
Discussion Board

Welcome! and rules

Joel on Software

IUSR vs. ASPNET user accounts

I have read in this forum that the ASP .NET pages run under the ASPNET user accounts.

However, on my machine, there is not ASPNET user account.

Also, when I give access rights to IUSR, then the ASP .NET pages can access those files.

So, it's clear to me that ASP .NET pages run under the IUSR user account.

Is there a way to configure IIS and .NET so that IIS runs under the IUSR user, and ASP .NET pages run under a separate, ASPNET account?

How do I do that?

Thank you!

Jed Boree
Monday, September 15, 2003

Unless you're running Windows Server 2003, ASP.NET pages, by default, run under the ASPNET account.  In Windows Server 2003, I believe they run under LOCAL SERVICE, but don't quote me on that.  Also, if your system is running as a domain controller, pages won't run under ASPNET (and shouldn't work at all) because the ASPNET user won't exist (search Microsoft support if you need help on this one).

Assuming you aren't using 2003 or running as a domain controller, if you look in Task Manager, you should see aspnet_wp.exe under processes.  This should be running under user ASPNET.  If it isn't, it might be overridden by a web.config setting.  Make sure you don't have a processModel section in a web.config that's pointing to a different user name for some reason (either you shouldn't have a processModel section at all or the user name should be "machine").  Also, check that the user name is "machine" in machine.config (located under the Windows\Microsoft.NET directory tree). 

Monday, September 15, 2003

ASP.NET also supports impersonation

"Enabling Impersonation
With impersonation, you run in the security context of the request entity, either as an authenticated user or as an anonymous user. In ASP.NET, impersonation is optional and is not enabled by default. To enable impersonation at the level of the computer or the application, add the following configuration directive in the <system.web> section of the Machine.config or the Web.config file: <identity impersonate="true"/>"

Just me (Sir to you)
Tuesday, September 16, 2003

What OS are you using? I don't think you're looking in the right place. If you're using the User Accounts icon in Control Panel it's hiding the full story from you. Go to the Computer Management console by either right-clicking My Computer and choosing Manage, or going to Start > Run, typing "compmgmt.msc" and clicking OK.

In Computer Management > System Tools > Local Users and Groups > Users, I am sure you will find an account called ASPNET.

Duncan Smart
Tuesday, September 16, 2003

"Is there a way to configure IIS and .NET so that IIS runs under the IUSR user, and ASP .NET pages run under a separate, ASPNET account?" -- Jed, that's how it works. Why it doesn't seem to be doing that on your machine is a mystery.

Anyway the account ASP.NET uses (by default "ASPNET") is configured in:
<WindowsDir>\Microsoft.NET\Framework\<version>\CONFIG\machine.config. Specifically the  /configuration/system.web/processModel element and the "userName" attribute. If it's set to "machine" then it's using the ASPNET account.

Duncan Smart
Tuesday, September 16, 2003

*  Recent Topics

*  Fog Creek Home