I have two Windows accounts, my regular user-level one, and an Administrator one. As far as I know, there is no connection between the two in AD, other than my name. I normally log into my dev machine using the user account.
If I run my website locally using VS/IIS Express, I get the following values (as expected):
System.Web.HttpContext.Current.User.Identity.Name = "DOMAIN\\jespaillat"
WindowsIdentity.GetCurrent().Name = "DOMAIN\\jespaillat"
On the deployed site, however, when using both Chrome and IE11, I get the following:
System.Web.HttpContext.Current.User.Identity.Name = "DOMAIN\\admin-jespaillat"
WindowsIdentity.GetCurrent().Name = "IIS APPPOOL\\DefaultAppPool"
Both browsers automatically send my Windows credentials to the server, and do not prompt for login. I get the same behavior when running incognito. I can see in Fiddler that the browser is sending a Kerberos ticket with the request, though the account name is not visible within the base64 string.
So where is it getting the name of the admin account, which I am NOT logged in as? And how are the two accounts even connected?
(Interestingly, Firefox DOES prompt for credentials every time, so I am able to enter the correct value.)
Windows Server 2016, IIS 10, .NET 4.7.2. Desktop is Windows 7.
<system.web>
    <authentication mode="Windows" />
    <authorization>
        <deny users="?" />
    </authorization>
</system.web>
Only Windows Authentication is enabled in IIS
Credential Manager was the culprit.
Turns out that CM had an entry for every remote drive that I've ever used Explorer to connect to (and yes, I had checked the box to "remember my credentials"). Including the drive on the web server.
All of the browsers (except Firefox) were conflating the username/password used to access a file share on a machine with the username/password used to access the website on the same machine. Once I deleted the CM entry for the web server, it worked.
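A quick way to check for this on the client before deleting anything is to list the Credential Manager entries that reference the web server's host name and compare the stored user with the logged-on identity. This is an added PowerShell example, not code from the original post; the host name parameter and the constructed sample output in the comments are assumptions, and it relies on the English-locale output format of `cmdkey /list`.

```powershell
# Added example: audit stored Windows credentials for a given host so that a
# stored identity that differs from the logged-on user (the situation described
# in the answer above) is visible before anything is removed.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebServerHost   # hypothetical input: the host name you browse to
)

$loggedOn = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Logged on as: $loggedOn"

# cmdkey /list prints blocks like the following (constructed sample, English locale):
#   Target: Domain:target=webserver01
#   Type: Domain Password
#   User: DOMAIN\admin-jespaillat
$entries = @()
$current = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        if ($current) { $entries += $current }
        $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
    } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
        $current.Type = $Matches[1].Trim()
    } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
        $current.User = $Matches[1].Trim()
    }
}
if ($current) { $entries += $current }

# Keep only entries whose target mentions the web server.
$hits = $entries | Where-Object { $_.Target -like "*$WebServerHost*" }
if (-not $hits) {
    Write-Host "No stored credential references '$WebServerHost'."
    return
}
foreach ($e in $hits) {
    # Flag entries whose stored user is not the account you are logged on as.
    $flag = if ($e.User -and $e.User -ne $loggedOn) { '  <-- differs from logged-on user' } else { '' }
    Write-Host ("{0}`n  Type: {1}`n  User: {2}{3}" -f $e.Target, $e.Type, $e.User, $flag)
    # cmdkey /delete expects the target name without the "Domain:target=" style prefix.
    $name = $e.Target -replace '^\w+:target=', ''
    Write-Host "  To remove: cmdkey /delete:$name"
}
```

Run it as the user whose browser is sending the unexpected identity; a flagged entry for the web server host is the one the answer above describes removing.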