What does the authenticatedUserOverrideUser do?

Three types of user identities are typically involved during the HTTP request processing inside the IIS worker process (IIS 7.0, IIS 7.5)

1. Worker Process User (will abbreviate as: WP_USER)
2. Authenticated User for Http request (will abbreviate as: AUTH_USER)
3. Virtual Directory User (optionally configured) (will abbreviate as: VDIR_USER)

 VDIR_USER is optionally configured, and primarily to enable access UNC paths. The WP_USER and AUTH_USER are used for each HTTP request processing.

Virtual Directory User (VDIR_USER) not configured

Worker process user (WP_USER) is used

• to access distributed web.config files .
• to listen on file system change notifications

Authenticated user (AUTH_USER) for the request is used

• for authorization purposes by IIS authorization modules that use the user name or user token of the user authenticated for http request
• to read/write content (such as content files placed on the file system)
• to access information about content files (eg. Size or lastModified)

Virtual Directory User (VDIR_USER) configured

Worker process user (WP_USER) is used

• to access the distributed web.config files .
• to listen on the file system change notifications

Authenticated user for the request (AUTH_USER) is used

• for authorization purposes by IIS authorization modules that use the user name or user token of the user authenticated for http request
• to read/write content (such as content files placed on the file system)
• to access information about content files (eg. Retrieve the file Size or last modified date)

Introducing the authenticatedUserOverride setting

IIS 7.5 that ships with WIn2008 R2 has a new feature, that allows IIS administrator to configure IIS the way that worker process identity (WP_USER) is used for accessing resources. The authenticated user is only used for authorization purposes.

The system.WebServer/serverRuntime section  has been extended to include new setting “authenticatedUserOverride” that can be set to 2 values

• “UseAuthenticatedUser” will keep the behavior in the default mode (just like IIS 7.0 would use authenticated user). This is the default value of the authenticatedUserOverride
• “UseWorkerProcessUser” allows IIS to be configured the way that authenticated user (AUTH_USER) as specified by client will only be used for the authorization checks. For the rest of the authenticated access the identity of the worker process would be used.

This setting is briefly described in the IIS configuration reference http://www.iis.net/ConfigReference/system.webServer/serverRuntime.

The following 2 tables should help to understand how the setting affects IIS worker process behavior.

authenticatedUserOverride : UseAuthenticatedUser (default behavior)

authenticatedUserOverride : UseWorkerProcessUser

Note: This article doesn’t elaborate on additional rules on how identities are used within request handlers - Asp.Net, FastCGI, CGI, classic ASP.   I hope to get to it some other day.