Running ASP.NET Core Application on IIS with User Context Impersonation

I have an ASP.NET Core application that I want to run on IIS. However, the application needs to operate in the context of the user, as it modifies and reads some data in Windows Active Directory. This might require specific rights that may not be inherently available. Instead of checking if the API user has these rights, it's simpler to have the user log in and be impersonated. This ensures that the user can only do what they have permissions for, as otherwise, the command in Active Directory would fail.

My web.config looks like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\RestTest.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
    </system.webServer>
    <system.web>
      <authentication mode="Windows" />
      <identity impersonate="true"/>
    </system.web>
  </location>
</configuration>

For the site's authentication in IIS, it is set like this: Authentication (Basic is enabled because, by default, it automatically uses the Windows user who is currently logged in. However, I need to use the admin account, so I don't want my current user to be used automatically; instead, the username and password should be entered each time. This worked on another ASMX server running on IIS. However, even if I enable Windows Authentication, it is also not working.)

And my Application Pool is set like this: Application Pool

However, when I output the current user with the following command: WindowsIdentity.GetCurrent().Name.ToString() I get: IIS APPPOOL\DefaultAppPool

Does anyone know why the thread is not running in the user context of the logged-in Windows user?

In my attempts to resolve this issue, I followed the standard practice for setting up impersonation in an ASP.NET Core application running on IIS. Initially, I configured the web.config to enable Windows authentication and impersonation, expecting that setting <identity impersonate="true"/> would allow the application to run under the context of the authenticated user, not under the application pool identity.

Furthermore, I modified the web.config to use Basic authentication and also made changes to the Application Pool settings. The idea was to ensure that each user would manually enter their credentials, thereby allowing the application to run under each individual's user context. This is crucial for the correct interaction with Active Directory, especially for accessing and modifying data based on the user's permissions.

However, despite these configurations and modifications to both the web.config and the Application Pool, the application still seems to be running under the IIS APPPOOL\DefaultAppPool context, as evidenced by the output of WindowsIdentity.GetCurrent().Name.ToString(). This outcome is contrary to my expectations, as I need the application to impersonate the logged-in user to interact correctly with Active Directory based on the user's privileges.

I am seeking insights or suggestions on what might be missing or misconfigured in my setup that is preventing the application from running under the user context after authentication.

There are 0 answers
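As an added example (not code from the question's author), this is how impersonation is actually expressed in ASP.NET Core: the `<identity impersonate="true"/>` element under `<system.web>` is an ASP.NET Framework setting that the ASP.NET Core Module does not apply, so `WindowsIdentity.GetCurrent()` keeps reporting the application pool identity; the framework instead exposes the IIS-authenticated caller as `HttpContext.User` and impersonation is done explicitly, per request, with `WindowsIdentity.RunImpersonated`. It assumes .NET 6+ minimal hosting with the in-process IIS hosting from the web.config above, and the `/whoami` endpoint name is illustrative.

```csharp
using System.Security.Principal;
using Microsoft.AspNetCore.Server.IIS;

var builder = WebApplication.CreateBuilder(args);

// IIS (in-process, as in the question's web.config) performs the Windows or Basic
// authentication; this registers the scheme that surfaces its result as HttpContext.User.
builder.Services.AddAuthentication(IISServerDefaults.AuthenticationScheme);
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Illustrative endpoint: reports which identity each piece of code runs under.
app.MapGet("/whoami", (HttpContext ctx) =>
{
    // Process identity: stays IIS APPPOOL\DefaultAppPool whatever web.config says.
    var processUser = WindowsIdentity.GetCurrent().Name;

    // The caller IIS authenticated; reject anything that is not a real Windows logon.
    if (ctx.User.Identity is not WindowsIdentity caller || !caller.IsAuthenticated)
        return Results.Unauthorized();

    // Impersonation is explicit and scoped: only the delegate runs as the caller,
    // so the Active Directory read/write from the question belongs inside it and
    // fails with the caller's rights rather than the app pool's.
    var impersonatedUser = WindowsIdentity.RunImpersonated(
        caller.AccessToken,
        () => WindowsIdentity.GetCurrent().Name);

    return Results.Ok(new { processUser, caller = caller.Name, impersonatedUser });
}).RequireAuthorization();

app.Run();
```

Two caveats for the AD use case: Basic authentication transmits the password base64-encoded rather than encrypted, so the site should only accept it over HTTPS; and reaching the domain controller from inside the impersonated delegate is a second network hop, which works with Basic (IIS holds the password and can build a full logon) but with Windows authentication generally requires Kerberos delegation to be configured for the application pool account.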