dotnet · Rick-Anderson · Feb 4, 2025 · Feb 4, 2025 · Feb 4, 2025 · Feb 5, 2025
diff --git a/aspnetcore/fundamentals/servers/kestrel/endpoints.md b/aspnetcore/fundamentals/servers/kestrel/endpoints.md
@@ -581,6 +581,22 @@ The following example configures an endpoint for HTTP/1.1, HTTP/2, and HTTP/3 co
 
 :::code language="csharp" source="~/fundamentals/servers/kestrel/samples/6.x/KestrelSample/Snippets/Program.cs" id="snippet_ConfigureKestrelProtocols":::
 
+:::moniker-end
+
+:::moniker range=">= aspnetcore-9.0"
+
+## Customize Kestrel named pipe endpoints
+
+Kestrel's named pipe support includes advanced customization options. The [CreateNamedPipeServerStream](/dotnet/api/microsoft.aspnetcore.server.kestrel.transport.namedpipes.namedpipetransportoptions.createnamedpipeserverstream) property on the named pipe options allows pipes to be customized per-endpoint.
+
+This is useful, for example, in a Kestrel app that requires two pipe endpoints with different [access security](/windows/win32/ipc/named-pipe-security-and-access-rights). The `CreateNamedPipeServerStream` option can be used to create pipes with custom security settings, depending on the pipe name.
+
+:::code language="csharp" source="~/fundamentals/servers/kestrel/endpoints/samples/KestrelNamedEP/Program.cs" highlight="7-23" id="snippet_1":::
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-8.0"
+
 ## See also
 
 * <xref:fundamentals/servers/kestrel>

diff --git a/aspnetcore/fundamentals/servers/kestrel/endpoints/samples/KestrelNamedEP/Program.cs b/aspnetcore/fundamentals/servers/kestrel/endpoints/samples/KestrelNamedEP/Program.cs
@@ -1,4 +1,7 @@
+// <snippet_1>
 using System.IO.Pipes;
+using System.Security.AccessControl;
+using System.Security.Principal;
 
 var builder = WebApplication.CreateBuilder();
 
@@ -12,10 +15,39 @@
 {
     options.CreateNamedPipeServerStream = (context) =>
     {
-        var pipeSecurity = CreatePipeSecurity(context.NamedPipeEndpoint.PipeName);
+        var pipeOptions = PipeOptions.None; // Essential!
+
+        var pipeSecurity = CreatePipeSecurity(context.NamedPipeEndPoint.PipeName);
 
         return NamedPipeServerStreamAcl.Create(context.NamedPipeEndPoint.PipeName, PipeDirection.InOut,
             NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Byte,
             context.PipeOptions, inBufferSize: 0, outBufferSize: 0, pipeSecurity);
     };
 });
+
+var app = builder.Build();
+
+app.MapGet("/", () => "Hello World!");
+
+app.Run();
+
+static PipeSecurity CreatePipeSecurity(string pipeName)
+{
+    var pipeSecurity = new PipeSecurity();
+    // configure PipeSecurity object.
+    // </snippet_1>
+
+    // This code to test preceding snippet compiles, it's not a working sample.
+
+    return null;
+    // Get the current process identity.
+    var currentIdentity = WindowsIdentity.GetCurrent();
+    var processUser = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid,
+        currentIdentity.User.AccountDomainSid);
+
+    // Allow only the current process read and write access to the pipe.
+    pipeSecurity.AddAccessRule(new PipeAccessRule(processUser,
+        PipeAccessRights.ReadWrite, AccessControlType.Allow));
+
+    return pipeSecurity;
+}