Don’t Claim to Be Someone You are Not


In SharePoint 2010 you have the option of setting your Web Application to use Claims based security or Classic security, which is the same as Windows security, i.e. the way we did it in SharePoint 2007. While playing around with an anonymous site hosted within a Web App configured for claims, I came across something interesting that I wanted to make sure you are all aware of. Although your Web Application is configured for claims, your OS still uses Windows authentication; this means your AppPool and your IIS anonymous user are not using claims.

To make the point, check out the bit of code below and note, in the comment right before each local variable, the value it will hold once this code is executed within an anonymous site inside a claims-based web application.

    using System;
    using System.Web.UI;
    using Microsoft.SharePoint;

    public partial class DaWebPart : UserControl
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Claims identity seen by the request thread: NULL for an anonymous user
            /*NULL*/
            string claimAnon = System.Threading.Thread.CurrentPrincipal.Identity.Name;

            // Windows identity of the OS thread: the IIS anonymous account
            /*NT AUTHORITY\IUSER*/
            string winAnon = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

            // Claims identity inside the elevated block: still NULL, elevation did not touch it
            /*NULL*/
            string runWithClaim;

            // Windows identity inside the elevated block: now the application pool account
            /*CONTOSO\AppPoolAccount*/
            string runWithWin;

            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                runWithClaim = System.Threading.Thread.CurrentPrincipal.Identity.Name;
                runWithWin = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
            });
        }
    }

This scenario does not change much when not running anonymous, other than that you will see real user names when you access your claims identity via System.Threading.Thread.CurrentPrincipal.Identity.

So when we make a call to RunWithElevatedPrivileges() it is doing the right thing for us; however, if you only look at the Thread's CurrentPrincipal.Identity you will be looking at the claims identity, while what you just told SharePoint to swap out is your WindowsIdentity. That is an important distinction if you take a dependency on this functionality when moving your code from 2007 to 2010 with claims.
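To make that distinction explicit in code, here is an added example (not from the original post) that snapshots both identities before and inside an elevated block and reports which one actually moved; the type and method names (IdentitySnapshot, ElevationReport, RunElevatedAndReport) are my own and not a SharePoint API.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using Microsoft.SharePoint;

// Captures the two identities the post contrasts: the claims principal on the
// managed thread and the Windows token the OS thread is actually running under.
public sealed class IdentitySnapshot
{
    public string ClaimsName { get; private set; }
    public string WindowsName { get; private set; }

    public static IdentitySnapshot Take()
    {
        IIdentity claims = Thread.CurrentPrincipal == null ? null : Thread.CurrentPrincipal.Identity;
        return new IdentitySnapshot
        {
            // Anonymous claims users surface as an empty name; normalise to null as the post shows
            ClaimsName = (claims == null || string.IsNullOrEmpty(claims.Name)) ? null : claims.Name,
            WindowsName = WindowsIdentity.GetCurrent().Name
        };
    }
}

public sealed class ElevationReport
{
    public IdentitySnapshot Before { get; set; }
    public IdentitySnapshot Inside { get; set; }
    // True when elevation swapped the Windows token (expected); claims never change
    public bool WindowsIdentityChanged { get { return Before.WindowsName != Inside.WindowsName; } }
    public bool ClaimsIdentityChanged { get { return Before.ClaimsName != Inside.ClaimsName; } }
}

public static class ElevationCheck
{
    // Runs `work` under RunWithElevatedPrivileges and returns what each identity looked like.
    // Use Inside.WindowsName when deciding which OS account will touch a file share or SQL;
    // use Before.ClaimsName for authorization decisions about the actual caller.
    public static ElevationReport RunElevatedAndReport(Action work)
    {
        var report = new ElevationReport { Before = IdentitySnapshot.Take() };
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            report.Inside = IdentitySnapshot.Take();
            work();
        });
        if (report.ClaimsIdentityChanged)
            throw new InvalidOperationException("Claims principal changed during elevation; this is not expected.");
        return report;
    }
}
```

Inside an anonymous claims site, the report shows Before.WindowsName as the IIS anonymous account and Inside.WindowsName as the app pool account, while ClaimsName is null in both snapshots.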
