ApiController.User.Identity and System.Security.Principal.WindowsIdentity gives different user details

Question

I have a OWIN hosted web api which runs as Network Service with WindowsAuthentication enabled by the following line in Configuration method of OWIN Startup class.

HttpListener listener = (HttpListener)appBuilder.Properties["System.Net.HttpListener"];
listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

Everything works fine except when i try getting user details, by

• caller = System.Security.Principal.WindowsIdentity.GetCurrent();
  Returns: AuthenticationType: "Negotiate", Name: "NT AUTHORITY\NETWORK SERVICE"
• ApiController.User.Identity
  Returns: AuthenticationType: "NTLM", Name: "Domain\Username"

I actually expected the credentials which ApiController.User.Identity gave. I'm confused about why i got Different results in both. Can anyone help me with this?

public class CustomFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var caller = OperationContext.Current; //null
        caller = System.Web.HttpContext.Current; //null
        caller = actionContext.RequestContext.Principal.Identity as WindowsIdentity; //desired
        caller = System.Security.Principal.WindowsIdentity.GetCurrent(); //gives account details under which the project is hosted. 
    }
}

OWIN startup class:

public class Startup
{
    public void Configuration(IAppBuilder appBuilder)
    {
         HttpConfiguration config = new HttpConfiguration();
         HttpListener listener = (HttpListener)appBuilder.Properties["System.Net.HttpListener"];
         listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

         config.MapHttpAttributeRoutes();
         config.MapODataServiceRoute(
                routeName: "ODataRoute",
                routePrefix: "Data",
                model: GetModel()
         );
         config.EnsureInitialized();
         appBuilder.UseWebApi(config);

    }
}

Answer 1

This is clearly explained here - https://msdn.microsoft.com/en-us/library/aa302377.aspx

ASP.NET provides the following principal and identity object implementations:

• WindowsPrincipal and WindowsIdentity objects represent users who have been authenticated with Windows authentication. With these objects, the role list is automatically obtained from the set of Windows groups to which the Windows user belongs.
• GenericPrincipal and GenericIdentity objects represent users who have been authenticated using Forms authentication or other custom authentication mechanisms. With these objects, the role list is obtained in a custom manner, typically from a database.
• FormsIdentity and PassportIdentity objects represent users who have been authenticated with Forms and Passport authentication respectively.

The following tables illustrate, for a range of IIS authentication settings, the resultant identity that is obtained from each of the variables that maintain an IPrincipal and/or IIdentity object. The following abbreviations are used in the table:

• HttpContext = HttpContext.Current.User, which returns an IPrincipal object that contains security information for the current Web request. This is the authenticated Web client.
• WindowsIdentity = WindowsIdentity.GetCurrent(), which returns the identity of the security context of the currently executing Win32 thread.
• Thread = Thread.CurrentPrincipal which returns the principal of the currently executing .NET thread which rides on top of the Win32 thread.

Note   With IIS 6.0 running on Windows Server 2003, the identity Matrix works except that the Machine\ASPNET identity is replaced with NT Authority\Network Service.