This step-by-step article describes how to configure ASP.NET
applications to use the same credentials that ASP 3.0 applications use. By
default, ASP.NET applications run in a different security context than ASP 3.0 applications:
- ASP.NET applications run as the ASPNET user.
- ASP.NET 1.1 (with IIS 6) applications run as the
- ASP 3.0 applications run as the IIS anonymous user, or
they run in the context of the user if the application requires authentication.
You can move an application to ASP 3.0 by changing the default
security configuration. This permits an ASP.NET application to run in the same
security context as an ASP 3.0 application.
Change the Security Context for Anonymous Users
By default, anonymous requests that are handled by ASP.NET run
in the context of the local ASPNET user account (or in the NetworkService user
account in ASP.NET 1.1 applications that run on IIS 6.0). This
account behaves similarly to the IUSR_ComputerName account that IIS 5.0 uses
for anonymous requests. You can grant anonymous ASP.NET requests access to the
same resources that anonymous ASP 3.0 requests have access to. To do this, add
the ASPNET user account (or the NetworkService user account in ASP.NET 1.1
applications that run on IIS 6.0) to all access control lists (ACLs) where the
IUSR_ComputerName account appears. This may include the NTFS file system
permissions and databases.
Alternatively, you can force ASP.NET to use
the IUSR_ComputerName account. To do this, disable automatic control of the IIS
in the IUSR_ComputerName account. Put both the userName
attribute and the password attribute in plain text in the Web.config file.
Note: Check to make sure that this meets the security requirements of
To force ASP.NET to use the IUSR_ComputerName
account, follow these steps:
- Run Internet Services Manager from the
Administrative Tools folder on the server.
- Right-click the virtual server or the virtual folder and
then click Properties.
- In the Properties dialog box, click the
Directory Security tab.
- In Anonymous Access And Authentication
Control, click Edit.
- In the Authentication Methods dialog box,
click Edit next to the Account Used For Anonymous
- In the Anonymous User Account dialog box,
click to clear the Allow IIS To Control Password check
- In the Password field, type the
new password for the account, click
OK, and then close Internet Services
- In Computer Manager, reset the password
for the IUSR_ComputerName account to the new
password that you assigned in the previous step.
- Use a text editor such as Notepad to open the Web.config
Web.config file is located in the root directory of the
- Add the <processModel> configuration element under the <system.web> element of the Web.config file for the application.
Note: Before adding <processModel> to the Web.config file, make sure that the allowDefinition property in the <processModel> section of the Machine.config file is Elsewhere. By default, the value of this property is MachineOnly.
- Configure the <userName> sub tag
and the <password> sub tag of the <processModel> element.
Use the userName and the password that are assigned to the IUSR_ComputerName account.
- Save the Web.config file.
The ASP.NET application
Enable Impersonation for Authenticated Users
To enable impersonation for authenticated users, three
configuration elements in the <system.web>
element of the Web.config file for the application must be
changed. You must make these changes to mimic the behavior of an ASP 3.0
application that requires authentication and then requests resources by using
the authenticated account of the user.
- You must set the authentication mode to
Windows. When you do this, the browser prompts the user
for a Windows userName and password when the user first makes a request to the ASP.NET application.
You can set the authentication mode by adding the <authentication> element to the <system.web> element with the attribute mode="Windows".
- The authorization element configures ASP.NET to refuse all
unauthenticated users. You must define this by using the <authorization> element and then define the <deny users="?" /> sub tag.
- The identity element configures ASP.NET to impersonate the
authenticated user. By leaving the userName attribute and the password attribute blank, ASP.NET uses the credentials of the
authenticated user when ASP.NET accesses resources.
To define all elements to
force authentication and to enable ASP.NET to impersonate the authenticated
users, follow this example:
<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
<identity impersonate="true" userName="" password=""/>
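An added example, not part of the original article: a small Python audit that reads a Web.config and reports the two risks the procedures above create, a plain-text password in <processModel> or <identity>, and caller impersonation that lacks Windows authentication or an effective <deny users="?"> rule. The sample file, account name and password are constructed; treating "AutoGenerate" and "registry:" values as non-literal follows ASP.NET conventions that this article does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (made-up account name and password).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <processModel userName="IUSR_WEB01" password="ExamplePassw0rd" />
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <identity impersonate="true" userName="" password="" />
  </system.web>
</configuration>"""

def is_plaintext_secret(value):
    # Assumption from ASP.NET conventions: "AutoGenerate" is the Machine.config
    # default and a "registry:" value points at an encrypted registry entry.
    return bool(value) and value != "AutoGenerate" and not value.startswith("registry:")

def anonymous_denied(system_web):
    # ASP.NET applies the first <allow>/<deny> rule that matches the user,
    # so <deny users="?"> only helps if no earlier rule lets "?" or "*" in.
    for rule in system_web.findall("authorization/*"):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            return rule.tag == "deny"
    return False

def audit_web_config(xml_text):
    """Return findings for the <system.web> settings this article changes."""
    system_web = ET.fromstring(xml_text).find("system.web")
    if system_web is None:
        return ["no <system.web> element found"]
    findings = []
    for tag in ("processModel", "identity"):
        element = system_web.find(tag)
        if element is not None and is_plaintext_secret(element.get("password", "")):
            findings.append(f"<{tag}> holds a plain-text password for {element.get('userName', '')!r}")
    identity = system_web.find("identity")
    if identity is not None and identity.get("impersonate") == "true" and not identity.get("userName"):
        authentication = system_web.find("authentication")
        if authentication is None or authentication.get("mode") != "Windows":
            findings.append('impersonation without <authentication mode="Windows">')
        if not anonymous_denied(system_web):
            findings.append('impersonation without an effective <deny users="?">')
    return findings

if __name__ == "__main__":
    print("\n".join(audit_web_config(SAMPLE_WEB_CONFIG)))
```

On the constructed sample the audit reports only the <processModel> password, because the impersonation block there has all three elements in place.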
Article ID: 815171 - Last Review: February 27, 2014 - Revision: 2.6
- Microsoft ASP.NET 1.0
- Microsoft Internet Information Services 5.0
- Microsoft ASP.NET 1.1
- Microsoft Internet Information Services 6.0