ASP.NET web application -- how to get Windows user?

Question

My legacy ASP.NET Framework 4.5 (Windows auth) web site running in IIS uses the following code to get the Windows user id (to assess permissions):

String Name = System.Environment.UserName;

Looking at a log of this string, the Windows user ID isn't obtained correctly; rather, the name corresponding to the application pool credentials is obtained.

Is this due to using impersonation in web.config:

<identity impersonate="true" userName="app_user" password="xxxx" />

Or can I change a setting in IIS to correct this?

The web site used to work correctly. Something was changed in IIS and now it doesn't...

In web.config, windows authentication is specified:

<system.web>
<compilation debug="true" defaultLanguage="c#" targetFramework="4.5" />
<authentication mode="Windows" />. . .

UPDATE: by enabling Anonymous Authentication (impersonation) in IIS for the web application itself, I was able to overcome this issue.

You should never again set `userName` and `password` in `identity` tag. To configure an identity for the whole web application you should use application pool identity. To query the log on user information in your legacy ASP.NET web apps, use `Page.User` or `Controller.User` please. Don't know how you get started with this web app, but there are tons of samples over the internet telling the right way to go. — Lex Li, Dec 18 '21 at 19:11
You might read my blog post for more details, https://blog.lextudio.com/miseries-around-asp-net-windows-authentication-setup-14e2e8522ad2 — Lex Li, Dec 18 '21 at 19:34

score 0 · Answer 1 · answered Dec 18 '21 at 19:38

0

uses the following code to get the Windows user id (to assess permissions):

String Name = System.Environment.UserName;

If you already implemented the Windows auth within your ASP.NET app (actually, the following code is enough):

<configuration>
  <system.web>
    ...
    <authentication mode="Windows"></authentication>
  </system.web>
</configuration>

Retrieve the necessary info via the System.Web.HttpContext.Current.User / System.Web.HttpContext.Current.User.Identity.Name property value (wherever you are - ASPX Page Code Behind, ASP.NET MVC Controller, any ASP.NET app module):

Check out some related threads to understand the differences: System.Web.HttpContext.Current.User.Identity.Name Vs System.Environment.UserName in ASP.NET

ASPX Page Code Behind:

protected void Page_Load(object sender, EventArgs e) {
    //Page.User
    ...
}

ASP.NET MVC Controller:

public class HomeController : Controller {
    public ActionResult SomeActionMethod() {
        //User
    }
}

any ASP.NET app module:

public class X {
    public void Y() {
        //System.Web.HttpContext.Current.User
    }
}

answered Dec 18 '21 at 19:38

Mikhail

9,186
4
33
49

Sorry: the code where I am retrieving user name is in ASPX page code behind. – user2132190 Dec 18 '21 at 19:44
Check our my first code snippet. – Mikhail Dec 18 '21 at 19:44
thank you; that code is already in web.config. I will update my question. – user2132190 Dec 18 '21 at 19:58
Does my code work for you? – Mikhail Dec 18 '21 at 21:20
Thank you for the code. The issue turned out to be with IIS Anonymous Auth being disabled. I have stuck with the original code. – user2132190 Dec 20 '21 at 21:27
BTW, `HttpContext.Current` can be `null` if you don't know. And "actually, the following code is enough" is in fact not enough. That snippet in `web.config` works even if anonymous/Basic/Digest authentication is used on IIS so don't expect it to enforce Windows authentication. – Lex Li Dec 20 '21 at 22:24

ASP.NET web application -- how to get Windows user?

1 Answers1