Request.ServerVariables["LOGON_USER"] vs. Request.LogonUserIdentity

Question

I trying to get the current WindowsIdentity from a caller of an ASP.Net Application without impersonation.

After reading some articles my setup is:

In my IIS I have enabled the Windows Authentication in the Authentication Settings
At my web.conf I set the authentication mode to "Windows"

For testing purposes, I wrote the following log statements

m_techLogger.Warn(string.Format("Request[LOGON_USER] {0}", Request["LOGON_USER"]));
m_techLogger.Warn(string.Format("Request.LogonUserIdentity {0}", Request.LogonUserIdentity.Name));
m_techLogger.Warn(string.Format("HttpContext.Current.User.Identity {0}", HttpContext.Current.User.Identity.Name));
m_techLogger.Warn(string.Format("WindowsIdentity.GetCurrent() {0}", WindowsIdentity.GetCurrent().Name));

This statements returned the following

2015-04-23 10:47:19,628 [7] WARN  - Request[LOGON_USER] DOMAIN\User
2015-04-23 10:47:19,681 [7] WARN  - Request.LogonUserIdentity NT AUTHORITY\SYSTEM
2015-04-23 10:47:19,681 [7] WARN  - HttpContext.Current.User.Identity NT AUTHORITY\SYSTEM
2015-04-23 10:47:19,681 [7] WARN  - WindowsIdentity.GetCurrent() NT AUTHORITY\SYSTEM

I understand that WindowsIdentity.GetCurrent().Name returns the System User. I do not understand why the output from Request.LogonUserIdentity and Request[LOGON_USER] are different. I need the WindowsIdentity Object from the User with the name that returned by Request[LOGON_USER].

Can anybody point me in the right direction?

possible duplicate https://stackoverflow.com/questions/5230441/how-to-get-at-the-current-users-windows-identity — Amila Thennakoon, Apr 02 '18 at 02:37
Your code says `Request["LOGON_USER"]`. Shouldn't it be `Request.ServerVariables[“LOGON_USER”]`? — Zohar Peled, Apr 02 '18 at 06:15
Looks like you haven't enabled impersonation. See [MSDN](https://msdn.microsoft.com/en-us/library/xh507fc5.aspx) for details. — Oleksandr Galperin, Apr 02 '18 at 09:42

score 3 · Answer 1 · answered Apr 04 '18 at 13:16

Request["LOGON_USER"] is only the authentication header that the client has sent to the server. Which means it is the login name of the client sending a request to your server. This login name will not be verified against the Active Directory unless you activate the impersonation. More info here: https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx

Now without using impersonation you are therefore stuck. You can check the user in the Request["LOGON_USER"] against your AD on your server. But I do not recommend you doing that. Because a hostile client could just send any username in that field and get logged on your server if that user exists.

The correct way of doing this is to enable impersonation and you use an AD group to allow the users to do what your service is now doing and you activate that by just adding this to your IIS config

<configuration>
  <system.web>
    <identity impersonate="true"/>
  </system.web>
</configuration>

But if you really can’t use impersonation you can hack yourself out of this by impersonate a service account using the Win32 API. If you want to do that yourself here is the examples from Microsoft https://msdn.microsoft.com/en-us/library/chf6fbt4.aspx and https://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx

Or you can find a good wrapper here: How do you do Impersonation in .NET?

And using it is as easy as this:

using (new Impersonation(domain, username, password))
{
    // probably connecting to some bad 3rd party stuff that needs a very specific access.
}

Now without knowing more about your actual reason for doing this I hope this will help you further along the road and only do this if it’s absolutely necessary

score 2 · Answer 2 · answered Apr 04 '18 at 13:03

When I try the same I get

    Request.LogonUserIdentity.Name  "DOMAIN\\accountname"   (no capital letter)
    Request["LOGON_USER"]   "DOMAIN\\Accountname"   (capital letters)

To get the current user in our asp.net application, I user this line of code

User.Identity.Name

Does this help in any way?

score 2 · Answer 3 · answered Apr 04 '18 at 17:06

System.Web.HttpContext.Current.User.Identity.Name

Gets or sets security information for the current HTTP request. (The Name of the Logged in user on your Website)

Request.ServerVariables

Gets a collection of Web server variables.

The Request property provides programmatic access to the properties and methods of the HttpRequest class. Because ASP.NET pages contain a default reference to the System.Web namespace (which contains the HttpContext class), you can reference the members of HttpRequest on an .aspx page without using the fully qualified class reference to HttpContext.

Conclussion Both work to the same, but, whith Request.ServerVariables you can iterate for whole the collections dynamically.

For example:

int loop1, loop2;
NameValueCollection coll;

// Load ServerVariable collection into NameValueCollection object.
coll=Request.ServerVariables; 
// Get names of all keys into a string array. 
String[] arr1 = coll.AllKeys; 
for (loop1 = 0; loop1 < arr1.Length; loop1++) 
{
   Response.Write("Key: " + arr1[loop1] + "<br>");
   String[] arr2=coll.GetValues(arr1[loop1]);
   for (loop2 = 0; loop2 < arr2.Length; loop2++) {
      Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
   }
}

score 1 · Answer 4 · answered Apr 05 '18 at 10:01

1

Have your tried to user

User.Identity.Name

assuming you are after Windows users, as you have mentioned. What output it gives?

Also, does your config file has these settings:

<authentication mode="Windows"/>
<identity impersonate="true"/>

answered Apr 05 '18 at 10:01

r2018

505
4
14

score 0 · Answer 5 · answered Oct 24 '19 at 06:52

0

I had the same issue. Later found out that the windows Authentication was not enabled in IIS.

answered Oct 24 '19 at 06:52

shanavascet

589
1
4
18

Request.ServerVariables["LOGON_USER"] vs. Request.LogonUserIdentity

5 Answers5