October 19, 2010

Troubleshooting Authorization Issues In ASP.NET

Check Windows ACLs

If your application is having problems accessing a file or registry key (or any
securable Windows object protected with ACLs), check the ACLs to ensure that the
Web application identity has at least read access.

Check Identity

Also make sure you know which identity is being used for resource access by the
ASP.NET Web application. This is likely to be:
The ASP.NET process identity (as configured in machine.config). This defaults to the local ASPNET account, specified with the username “machine” and password “AutoGenerate”.

(Building Secure ASP.NET Applications, page 336)

The authenticated caller’s identity (if impersonation is enabled within web.config), as shown below:

<identity impersonate="true" />

If you have not disabled anonymous access in IIS, this will be IUSR_MACHINE.

A specified impersonation identity, as shown below (although this is not recommended):

<identity impersonate="true" userName="Bob" password="password" />

More Information

For more information about the identity used to run ASP.NET and the identity used
to access local and network resources, see Chapter 8, “ASP.NET Security”.

Check the <authorization> Element

Confirm that the <allow> and <deny> elements are configured correctly.
If you have <deny users="?" /> and you are using Forms authentication and/or IIS anonymous authentication, you must explicitly place an IPrincipal object into HttpContext.User, or you will receive an access denied (401) response.

Make sure the authenticated user is in the roles specified in the <allow> and <deny> elements.
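As an added example (not code from the guide), the Global.asax.cs handler below shows how a Forms-authenticated application places an IPrincipal carrying roles into HttpContext.User, so that <deny users="?" /> and role-based <allow>/<deny> rules in <authorization> evaluate against a real principal. The web.config fragment in the leading comment, the role names and the IssueTicket helper are constructed for illustration.

```csharp
// Global.asax.cs for a hypothetical Forms-authenticated application (constructed example).
// Assumed web.config fragment that this code makes effective:
//   <authentication mode="Forms" />
//   <authorization>
//     <deny users="?" />          <!-- anonymous callers get 401 -->
//     <allow roles="Manager" />   <!-- evaluated against HttpContext.User.IsInRole -->
//     <deny users="*" />
//   </authorization>
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs on every request after FormsAuthenticationModule has validated the ticket
    // cookie (if present) and set Context.User to a principal that carries no roles.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // No valid ticket: leave the user unauthenticated so that <deny users="?" />
        // yields the 401 the guide describes, instead of silently allowing access.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;

        FormsIdentity formsId = Context.User.Identity as FormsIdentity;
        if (formsId == null)
            return;

        // Roles were stored in the ticket's UserData at login (see IssueTicket).
        string[] roles = formsId.Ticket.UserData.Split(',');

        // Replace the principal so UrlAuthorizationModule can evaluate
        // <allow roles="..." /> and <deny roles="..." /> against these roles.
        Context.User = new GenericPrincipal(formsId, roles);
    }

    // Called by the login page once credentials have been verified. The role list
    // (for example "Manager,Employee") is assumed to come from the application's own store.
    public static void IssueTicket(HttpResponse response, string userName, string roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, roles);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encrypted));
    }
}
```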


Enable Tracing

ASP.NET provides quick and simple tracing to show the execution of events within
a page and the values of common variables. This can be a very effective diagnostic
aid. Use the page-level Trace directive to turn on tracing, as shown below:

<%@ Page language="c#" Codebehind="WebForm1.aspx.cs" AutoEventWireup="false" Inherits="Test.WebForm1" Trace="true" %>

More Information

For more information on the new tracing feature in ASP.NET see the Knowledge
Base article Q306731, “INFO: New Tracing Feature in ASP.NET”.

Configuration Settings

Most application settings should be placed in web.config. The following list shows the
main security-related settings that can be placed in web.config.


The following setting, which controls the identity used to run the ASP.NET worker
process (aspnet_wp.exe), must be located in machine.config.

Configuration settings for an application are always retrieved from the application’s
web.config file first, and these override any equivalent settings within
machine.config. If you want a particular setting to be applied to your application,
explicitly configure the setting in the application’s web.config file.

The main (and often only) web.config file for a particular application lives in its
virtual directory root. Subdirectories can also contain web.config files. Settings in
these files override the settings from web.config files in parent directories.

Determining Identity

Many security and access denied problems relate to the identity used for resource
access. The following code samples presented in this section can be used to help
determine identity in Web pages, COM objects, and Web services.
For more information about .NET identity variables, see “ASP.NET Identity Matrix”
in the Reference section of this guide.

Determining Identity in a Web Page

The following script gathers security-context information and indicates the
identity being used to run a Web page.

To use this code, copy and paste it to create a file with a .aspx file extension. Copy
the file to an IIS virtual directory and view the page from a browser.

<%@ Page language="c#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Threading" %>
<%@ Import Namespace="System.Security.Principal" %>
<html>
<body>
<form id="WhoAmI" method="post" runat="server">
<TABLE id=contextTable border=1>
<TR><TD align=middle colSpan=3>HttpContext.Current.User.Identity</TD></TR>
<TR><TD>Name</TD><TD>IsAuthenticated</TD><TD>AuthenticationType</TD></TR>
<TR>
<TD><asp:Label ID="contextName" Runat=server /></TD>
<TD><asp:Label ID="contextIsAuth" Runat=server /></TD>
<TD><asp:Label ID="contextAuthType" Runat=server /></TD>
</TR>
</TABLE>
<TABLE id=windowsIdentityTable border=1>
<TR><TD align=middle colSpan=3>WindowsIdentity.GetCurrent()</TD></TR>
<TR><TD>Name</TD><TD>IsAuthenticated</TD><TD>AuthenticationType</TD></TR>
<TR>
<TD><asp:Label ID="windowsName" Runat=server /></TD>
<TD><asp:Label ID="windowsIsAuth" Runat=server /></TD>
<TD><asp:Label ID="windowsAuthType" Runat=server /></TD>
</TR>
</TABLE>
<TABLE id=threadIdentityTable border=1>
<TR><TD align=middle colSpan=3>Thread.CurrentPrincipal.Identity</TD></TR>
<TR><TD>Name</TD><TD>IsAuthenticated</TD><TD>AuthenticationType</TD></TR>
<TR>
<TD><asp:Label ID="threadName" Runat=server /></TD>
<TD><asp:Label ID="threadIsAuthenticated" Runat=server /></TD>
<TD><asp:Label ID="threadAuthenticationType" Runat=server /></TD>
</TR>
</TABLE>
</form>
<script runat=server>
void Page_Load(Object sender, EventArgs e)
{
    // Identity attached to the current HTTP request (set by the authentication
    // module, or by Application_AuthenticateRequest in Global.asax).
    IIdentity id = HttpContext.Current.User.Identity;
    if (null != id)
    {
        contextName.Text = id.Name;
        contextIsAuth.Text = id.IsAuthenticated.ToString();
        contextAuthType.Text = id.AuthenticationType;
    }
    // Identity of the current managed thread; normally the same as HttpContext.User.
    id = Thread.CurrentPrincipal.Identity;
    if (null != id)
    {
        threadName.Text = id.Name;
        threadIsAuthenticated.Text = id.IsAuthenticated.ToString();
        threadAuthenticationType.Text = id.AuthenticationType;
    }
    // Windows security token the code actually runs under (process identity or the
    // impersonated caller); ACL checks on files and registry keys use this one.
    id = WindowsIdentity.GetCurrent();
    windowsName.Text = id.Name;
    windowsIsAuth.Text = id.IsAuthenticated.ToString();
    windowsAuthType.Text = id.AuthenticationType;
}
</script>
</body>
</html>

