WindowsXP/inetsrv/iis/img/help/iisnts/htm/asp/eadg3wqc.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<TITLE>Passing Security Context</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!--
	TempString = navigator.appVersion
	if (navigator.appName == "Microsoft Internet Explorer"){	
// Check to see if browser is Microsoft
		if (TempString.indexOf ("4.") >= 0){
// Check to see if it is IE 4
			document.writeln('<link rel="stylesheet" type="text/css" href="/iishelp/common/coua.css">');
		}
		else {
			document.writeln('<link rel="stylesheet" type="text/css" href="/iishelp/common/cocss.css">');
		}
	}
	else if (navigator.appName == "Netscape") {						
// Check to see if browser is Netscape
		document.writeln('<link rel="stylesheet" type="text/css" href="/iishelp/common/coua.css">');
	}
	else
		document.writeln('<link rel="stylesheet" type="text/css" href="/iishelp/common/cocss.css">');
//-->
</script>
<SCRIPT LANGUAGE="VBScript">
<!--
Sub Window_OnLoad()
   Dim frmContents
   On Error Resume Next
   If Not Parent Is Nothing Then
      Set frmContents = Parent.Contents
      If Not frmContents Is Nothing Then
            frmContents.Window.TOCSynch_Click
      End If
   End If
End Sub
//--></SCRIPT><META NAME="DESCRIPTION" CONTENT="Internet Information Services reference information">
<META HTTP-EQUIV="PICS-Label" CONTENT='(PICS-1.1 "<http://www.rsac.org/ratingsv01.html>" l comment "RSACi North America Server" by "inet@microsoft.com <mailto:inet@microsoft.com>" r (n 0 s 0 v 0 l 0))'>
<META NAME="MS.LOCALE" CONTENT="EN-US">
<META NAME="MS-IT-LOC" Content="Internet Information Services"> 
</HEAD>

<BODY BGCOLOR="#FFFFFF" TEXT="#000000">

<H1><A NAME="_k2_passing_security_context"></A><SUP></SUP>Passing Security Context</H1>

<P>Windows establishes a security context for each logged on user. When IIS receives a request from a client, it authenticates the request and then impersonates the client. While IIS is impersonating the client, IIS operates within the confines of the authenticated client's security context. This security context may change during the various stages of request processing, depending on the nature of the client request. The following diagram illustrates the various security contexts that may play a part in request processing.</P>

<P><IMG SRC="/iishelp/iis/htm/asp/art/seccont.gif" ALT="Security Context" BORDER=0></P>

<P>The security context of the IIS process (inetinfo) is known as LocalSystem. However, when IIS is processing a client request, it will impersonate the context of the client that generated the request. If the client is authenticated with the Anonymous authentication scheme, the security context will be IUSR_<I>machinename</I> for in process applications and IWAM_<I>machinename</I> for applications running in an isolated process. If the client is authenticated with any other authentication scheme, the security context will map to the individual account of the client.</P>

<P>If you create an instance of a COM component with ASP, the COM component will inherit the security context of the .asp file that created it. When IIS destroys the component instance, it will also use the security context of the .asp file in most instances. There is at least one case, however, where this will not occur. If the COM component has been given session scope (that is, <B>Session</B>("mysesscomp") = <B>Server.CreateObject</B>("MyComps.Comp1")), and the session times out before the component is destroyed, IIS will try to destroy the component by using its own security context (LocalSystem) rather than the context of the client that accessed the .asp file. If the component has accessed secured resources that it has not released, this scenario can have side effects throughout the system.</P>
<hr class="iis" size="1">
<p align="center"><em><a href="../../../common/colegal.htm">&copy; 1997-2001 Microsoft Corporation. All rights reserved.</a></em></p>
</BODY>
</HTML>