Using Windows Authentication

All ASP.NET applications are configured to run as a specific Windows user.  This is specified in the .NET Framework machine.config file.  By default, the user account is <local machine>\ASPNET.  This ASPNET user is a local machine account that has limited privileges, allowing web applications to run as a relatively un-trusted user without administrative privileges so they cannot compromise the integrity of the server.

Procedure

Check the user configuration in the machine.config file as follows:

Step 1:  Locate your machine.config file, e.g.:

C:\<WINDOWS-DIRECTORY>\Microsoft.NET\Framework\v1.0.3705\CONFIG

Be sure to use the Machine.config file specific to your active .NET Framework installation.

Step 2:  Search for the string processModel and look for the “userName” and “password” attributes.

<processModel

     enable="true"

     timeout="Infinite"

     idleTimeout="Infinite"

     shutdownTimeout="0:00:05"

     requestLimit="Infinite"

     requestQueueLimit="5000"

     restartQueueLimit="10"

     memoryLimit="60"

     webGarden="false"

     cpuMask="0xffffffff"

     userName="machine"

     password="AutoGenerate"

     logLevel="Errors"

     clientConnectedCheck="0:00:05"

userName="[user]" is the Microsoft Windows user name used when running ASP.NET applications.  If a domain is not specified, the current machine name is assumed to be the domain name.

There are two special users:

• "machine": run the process as a low privilege user account named "ASPNET".  (This is the default.)

• "SYSTEM": run the process as a local system (high privilege administrator) account.

password="[AutoGenerate | password]" is the password of the designated Microsoft Windows user.  Specify "AutoGenerate" for special users (machine and SYSTEM).

When ASP.NET is running under Microsoft IIS 6 in native mode, the Microsoft IIS 6 process model is used and settings in this section are ignored.  Use the Microsoft IIS administrative user interface to configure process identity and cycling for the Microsoft IIS worker process for the desired application.

If Microsoft SQL Server is installed on the same machine as your Microsoft IIS web server, you can create a Microsoft SQL Server login account for the configured Windows user, even if that user is the default <local machine>\ASPNET user.  This allows your applications to connect to Microsoft SQL Server using "Windows authentication".  If, however, Microsoft SQL Server is running on a remote machine, it is not possible to create a Microsoft SQL Server login account for the <local machine>\ASPNET user because the ASPNET user is not recognized as a valid domain user.  It is a local machine account only.  In this case, you will have to reconfigure ASP.NET to run as a valid domain user instead of the default ASPNET user.

See Also

Case 1:  Microsoft SQL Server is installed on the local machine

Case 2:  Microsoft SQL Server is installed on a remote machine

Configuring Database Authentication for Microsoft SQL Server Applications

Deploying Applications to a Production Server