In ASP.NET you have to juggle with a number of identities, e.g.
- The account of the worker process
- The account of the client (= Context.User / Thread.CurrentPrincipal)
- The Thread identity (when client/application impersonation is used)
- The outcome of IIS authentication (used by the FileAuthorizationModule)
This can be confusing, e.g. when IIS is set to anonymous, but ASP.NET <authentication> is set to Windows (the default), you may wonder why the IUSR_ account needs read access to the .aspx files. This is because the FileAuthorizationModule uses the the security context that resulted from IIS authentication to check if the user is authorized.
In ASP.NET 2.0 you can now access this identity, too. It is stored in Request.LogonUserIdentity. So if you should need to impersonate the account that is set in IIS for anonymous access, this is now easily possible. I have updated the ShowContext.aspx helper, to show you all four identities. Nice for troubleshooting.
leastprivilege.com 