What does the authenticatedUserOverrideUser do?

Posted: Nov 01, 2010  1 comments  

Average Rating

Share this Post

Three types of user identities are typically involved during the HTTP request processing inside the IIS worker process (IIS 7.0, IIS 7.5)

  1. Worker Process User (will abbreviate as: WP_USER)
  2. Authenticated User for Http request (will abbreviate as: AUTH_USER)
  3. Virtual Directory User (optionally configured) (will abbreviate as: VDIR_USER)

 VDIR_USER is optionally configured, and primarily to enable access UNC paths. The WP_USER and AUTH_USER are used for each HTTP request processing.

 

Virtual Directory User (VDIR_USER) not configured

Worker process user (WP_USER) is used

  • to access distributed web.config files .
  • to listen on file system change notifications

Authenticated user (AUTH_USER) for the request is used

  • for authorization purposes by IIS authorization modules that use the user name or user token of the user authenticated for http request
  • to read/write content (such as content files placed on the file system)
  • to access information about content files (eg. Size or lastModified)

 

Virtual Directory User (VDIR_USER) configured

Worker process user (WP_USER) is used

  • to access the distributed web.config files .
  • to listen on the file system change notifications

Authenticated user for the request (AUTH_USER) is used

  • for authorization purposes by IIS authorization modules that use the user name or user token of the user authenticated for http request
  • to read/write content (such as content files placed on the file system)
  • to access information about content files (eg. Retrieve the file Size or last modified date)

 

Introducing the authenticatedUserOverride setting

IIS 7.5 that ships with WIn2008 R2 has a new feature, that allows IIS administrator to configure IIS the way that worker process identity (WP_USER) is used for accessing resources. The authenticated user is only used for authorization purposes.

The system.WebServer/serverRuntime section  has been extended to include new setting “authenticatedUserOverride” that can be set to 2 values

  • “UseAuthenticatedUser” will keep the behavior in the default mode (just like IIS 7.0 would use authenticated user). This is the default value of the authenticatedUserOverride
  • “UseWorkerProcessUser” allows IIS to be configured the way that authenticated user (AUTH_USER) as specified by client will only be used for the authorization checks. For the rest of the authenticated access the identity of the worker process would be used.

This setting is briefly described in the IIS configuration reference http://www.iis.net/ConfigReference/system.webServer/serverRuntime.

The following 2 tables should help to understand how the setting affects IIS worker process behavior.

 

authenticatedUserOverride : UseAuthenticatedUser (default behavior)

 

Application’s web.config

Config change notifications for web.config

file change notifications for content

file content and file content attributes

authorization checks by authorization module

VDIR_USER NOT set

AUTH_USER has token

WP_USER

WP_USER

WP_USER

AUTH_USER

AUTH_USER

VDIR_USER set

AUTH_USER has token

VDIR_USER

VDIR_USER

VDIR_USER

VDIR_USER

AUTH_USER

VDIR_USER NOT set

AUTH_USER WITHOUT token (eg forms auth)

WP_USER

WP_USER

WP_USER

WP_USER

AUTH_USER

VDIR_USER set

AUTH_USER WITHOUT token

VDIR_USER

VDIR_USER

VDIR_USER

VDIR_USER

AUTH_USER

authenticatedUserOverride : UseWorkerProcessUser

 

Application’s web.config

Config change notifications for web.config

file change notifications for content

file content and file content attributes

authorization checks by authorization module

VDIR_USER NOT set

AUTH_USER WITH token

WP_USER

WP_USER

WP_USER

WP_USER

AUTH_USER

AUTH_USER

VDIR_USER set

AUTH_USER WITH token

VDIR_USER

VDIR_USER

WP_USER

VDIR_USER

WP_USER

VDIR_USER

AUTH_USER

VDIR_USER NOT set

AUTH_USER WITHOUT token (eg forms auth)

WP_USER

WP_USER

WP_USER

WP_USER

AUTH_USER

VDIR_USER set

AUTH_USER WITHOUT token

VDIR_USER

VDIR_USER

WP_USER

VDIR_USER

WP_USER

VDIR_USER

AUTH_USER

 

Note: This article doesn’t elaborate on additional rules on how identities are used within request handlers - Asp.Net, FastCGI, CGI, classic ASP.   I hope to get to it some other day.

Submit a Comment

  • Plain text is accepted.
  • URLs starting with http:// are converted to links.