PRB: Request.ServerVariables("LOGON_USER") Returns Empty String in ASP.NET

Article translations Article translations
Article ID: 306359 - View products that this article applies to.
This article was previously published under Q306359
Expand all | Collapse all

SYMPTOMS

If you try to access the Request.ServerVariables("LOGON_USER") variable in ASP.NET, an empty string is returned.

NOTE: If you are using Microsoft Visual C# .NET, the following syntax accesses this variable:
Request.ServerVariables["LOGON_USER"]
				

CAUSE

This problem occurs because the authentication-related variables in the ServerVariables collection are not populated if you use Anonymous Access security to access the .aspx page. This problem can also occur if you give the Anonymous user access in the <authorization> section of the Web.config file.

RESOLUTION

To populate the LOGON_USER variable when you use any authentication mode other than None, you can deny access to the Anonymous user in the <authorization> section of the Web.config file. To deny access to the Anonymous user in the <authorization> section, follow these steps:
  1. Change the authentication mode in the Web.config file to anything other than None. For example, the following entry in the Web.config file sets the authentication mode to Forms-based authentication:
    <authentication mode="Forms" />
    					
  2. To deny access to the Anonymous user in the Web.config file, use the following syntax:
    <authorization>
       <deny users = "?" /> <!-- This denies access to the Anonymous user -->
       <allow users ="*" /> <!-- This allows access to all users -->
    </authorization>
    					
If you are using Windows authentication, you can also use the following steps to resolve this problem:
  1. Change the authentication mode in the Web.config file to Windows as follows:
    <authentication mode="Windows" />
    					
  2. In the Internet Services Manager, right-click the .aspx file or the Web Project folder, and then click Properties.
  3. If you clicked Properties for the Web Project folder, click the Directory Security tab. If you clicked Properties for the .aspx file, click the File Security tab.
  4. Under Anonymous Access and authentication control, click Edit.
  5. In the Authentication methods dialog box, clear the Anonymous Access check box, and then select either the Basic, the Digest or the Integrated (NT Challenge/Response) check box.
  6. Click OK to close both dialog boxes.
For instructions on how to configure Digest authentication, refer to the "References" section at the end of this article.

STATUS

This behavior is by design.

MORE INFORMATION

ASP.NET provides new authentication modes and authorization schemes, which you can configure in the .config files. For this reason, modifying the authentication modes in IIS alone may not always yield the desired results. Therefore, you must also consider the security settings in the .config files.

NOTE: When you enable Anonymous authentication in conjunction with Windows authentication or if you grant access to the Anonymous user in the <authorization> section while you are using any authentication mode other than None, other server variables such as AUTH_USER and REMOTE_USER (as well as the HttpContext.Current.User.Identity.Name property) also return an empty string. You can use the any of the above-mentioned resolutions to populate these variables.

In ASP.NET, you can also use the IsAuthenticated property of the Request object to determine whether the Anonymous Access security is being used. IsAuthenticated returns "false" if Anonymous Access is turned on and returns "true" if you use any other means of authentication such as Forms, Passport, Integrated (NT Challenge/Response), or Basic.

REFERENCES

For more information about security in ASP.NET, refer to the following MSDN Web site:
ASP.NET Web Application Security
http://msdn2.microsoft.com/en-us/library/330a99hc.aspx
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
306590 INFO: ASP.NET Security Overview
222028 Setting Up Digest Authentication for Use with Internet Information Services 5.0
188717 PRB: Request.ServerVariables("LOGON_USER") Returns Empty String

Properties

Article ID: 306359 - Last Review: December 3, 2007 - Revision: 3.8
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft Internet Information Services 6.0
  • Microsoft ASP.NET 1.0
  • Microsoft Internet Information Services 5.0
Keywords: 
kbconfig kbprb kbsecurity kbweb KB306359

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com