Difference Between ApplicationPool Identity, Anonymous Identity, ProcessModel Identity, Impersonation Identity and Thread Identity
I am a little bit confused about the various different identities in ASP.NET and IIS. Can anyone tell me the exact difference between Application Pool Identity, Anonymous Identity, ProcessModel Identity, Impersonation Identity and Thread Identity? Please also tell me when ASP.NET uses which identity.
IIS is a web server that can host active/passive content other than ASP.NET (for example, classic ASP, PHP, static files, etc.). The Application Pool Identity decides the user under which the request will be running from the IIS perspective. So when static files (HTML/images) are served, this user will be used to access the files from disk. Many times, IIS will hand over the actual execution of the request to a different handler (for example, php-cgi or the ASP.NET runtime). That runtime may use a different identity to run the request. In the case of Windows authentication, IIS will pass the Windows user token to the specific handler, and the handler may impersonate the current request to run under that authenticated user's identity. Classic ASP was one such system. In these cases, when the user is not authenticated (i.e. anonymous), the anonymous user's identity will be used.
In the case of ASP.NET, the default configuration will run the request under the Application Pool's identity. However, using configuration, you can instruct the ASP.NET runtime to impersonate the current user's identity. You can also configure it to impersonate the request under a specific identity. Typically this is done where application code needs to have specific access permissions, such as access to file shares, network resources, etc.
Process model identity is something for IIS 5.* only. In IIS 6+, its equivalent is application pool identity.
When the worker process is created, process model/application pool identity is used as the process identity.
When anonymous access is allowed, the anonymous identity is used as the thread identity for all threads that handle incoming requests inside the worker process. Other threads' identities depend on how they are created, and are transparent to developers/end users.
When another authentication method is used, such as Windows authentication, the worker thread identities use authenticated user identities (each incoming request may be from an authenticated user, and then this user's identity is used for the thread that handles the request).
Impersonation is much more complex, as documented in
http://msdn.microsoft.com/en-us/library/aa376391(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/ff647404.aspx
It changes the security context, which is not an easy-to-understand Windows concept, which you may either learn from great books or from experiments.
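To see which of the identities discussed in the answers above is in effect for a given request, a small diagnostic handler can print them side by side. This is an added example, not part of the original answers; it assumes .NET Framework with System.Web, and the class name `WhoAmIHandler` is hypothetical. With the default configuration the last two lines show the same account; with `<identity impersonate="true" />` in web.config the thread line changes to the impersonated account while the process line stays on the application pool identity.

```csharp
// Added diagnostic example (hypothetical class name), .NET Framework / System.Web.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Account names are sensitive: answer only requests made from the server itself.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Token IIS passed to ASP.NET: the anonymous account for anonymous
        // requests, the caller's account under Windows authentication.
        r.Write("IIS logon token : " + context.Request.LogonUserIdentity.Name + "\n");

        // Application-level user as seen by ASP.NET authentication and authorization.
        IIdentity user = context.User != null ? context.User.Identity : null;
        r.Write("HttpContext.User: "
            + (user != null && user.IsAuthenticated ? user.Name : "(not authenticated)") + "\n");

        // Effective identity of the request thread: the impersonation token
        // if one is attached to the thread, otherwise the process token.
        using (WindowsIdentity thread = WindowsIdentity.GetCurrent())
        {
            r.Write("Thread identity : " + thread.Name
                + " (impersonation level: " + thread.ImpersonationLevel + ")\n");
        }

        // Process identity (application pool identity on IIS 6+): revert any
        // impersonation for the duration of the using block, then read the token.
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            r.Write("Worker process  : " + process.Name + "\n");
        }
    }
}
```

Comparing the thread and process lines against the accounts that hold ACLs on the content directory, file shares and databases shows which account actually needs each permission.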