Get Windows or IIS User without access to Page

Question

I have a .Net assembly (sadly we're stuck in .Net 3.5) which may be used either:

1. In a .Net application (console app, Windows Forms app) run locally on the system, or

2. In an IIS web application using Windows authentication

...and need to get the "current user".

Normally for #1 I'd use System.Security.Principal.WindowsIdentity.GetCurrent(), but that won't work for #2 because it'll be the user account the IIS app is running under (the app pool, for instance); and for #2 I'd use Page.User.Identity in the handler for the request, but in this case, I don't have access to that page.

I suppose I could have a method that let an IIS application pass the Page to the assembly, and the User property isn't virtual, so in theory a malicious app couldn't try to feed me the wrong user identity, but it seems pretty dodgy. Is there a better way?

The goal is to identify the user via Windows authentication (either via login [#1] or IIS using Windows auth [#2]). If I'm going about it completely wrong, I'm all ears for how to do that properly. :-)

Answer 1

• HttpContext.Current.User would obviously work in IIS environment only.
• Thread.CurrentPrincipal would contain the actual authentication data in IIS but would remain empty for desktop application. The advantage here is that it will spare you from the need to add a reference to System.Web assembly (in desktop application).
• System.Security.Principal.WindowsIdentity.GetCurrent() would work for desktop application but in IIS it will return the Application-Pool user, not the authenticated user for the HTTP request.