Home/ Questions/Q 9048461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T12:09:44+00:00

I am using HttpContext.Current.User.Identity.Name to get the user name of the logged in user.

  • 0

I am using HttpContext.Current.User.Identity.Name to get the user name of the logged in user. I would like to know how this is working (using NTLM v2 / Kerberos) and how secure is it? Can the user try to mimic he is someone else?

Basically, from a security point of view, is there something I should be worried about, or how should I improve it?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you are authenticating using Windows authentication (which, given your mention of NTLM/Kerberos it appears you are) then what happens is (roughly) as follows

    • IE sends a request with no authentication header to your web server.
    • IIS refuses the request with a 401 response code and tells the browser the authentication scheme it wants (in this case Negotiate, which tries Kerberos first, and then falls back to NTLM)
    • The kerb handshake takes place over multiple connections, and the ticket is validated against AD
    • IIS passes the ticket down to ASP.NET which, in the process of building the Request object populates the principal on the thread assigned to the request with the identity details from the ticket.
    • When you access HttpContext.User you see the principal for the current thread.

    It’s secure. It’s basically the same authentication type used when you connect to a Windows server via file shares or anything else that is using kerberos. It’s actually IIS and Windows itself doing the vast majority of the work, ASP.NET is just giving you a nice way to query the results.

    • 0