Selecting the Impersonation Behavior for ASP.NET Applications

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Unlike ASP applications, ASP.NET applications require you to configure the impersonation behavior. If you enable impersonation, ASP.NET receives the security token to impersonate from IIS. You control the impersonation setting by specifying a value in the Web.config file of the application. You have the following three options when specifying this setting.

Impersonation is disabled

This is the default setting. In this instance, the ASP.NET thread runs using the process token of the application worker process regardless of which combination of IIS and ASP.NET authentication is used. By default, the process token of the application worker process is NetworkService.

Disable impersonation by modifying the Web.config file of the application to include the following setting:

<identity impersonate="false" />

Impersonation is enabled

In this instance, ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous user account (IUSR_machinename). For backward compatibility with ASP, you must enable impersonation.

Enable impersonation by modifying the Web.config file of the application to include the following setting:

<identity impersonate="true" />

Impersonation is enabled and a specific impersonation identity is specified

In this instance, ASP.NET impersonates the token that is generated using the configured identity. In this case, ASP.NET does not use the token of the authenticated client, if applicable, except when performing access checks.

Enable impersonation and specify an impersonation identity by modifying the Web.config file of the application to include the following setting:

<identity impersonate="true" userName="domain\user" password="password" />
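
The following added example (not part of the original page or of ASP.NET) is a small audit helper that reads a Web.config, reports which of the three impersonation modes above is in effect, and flags credentials stored inline. It assumes the identity attribute for the account is userName, that the configuration root carries no XML namespace, and that a "registry:" prefix marks a value kept outside the file; the sample files, account name and password are constructed.

```python
import xml.etree.ElementTree as ET

# Thread identity for each mode, as described on this page.
MODES = {
    "disabled": "process token of the worker process (NetworkService by default)",
    "enabled": "token passed by IIS (authenticated user or IUSR_machinename)",
    "fixed": "token generated from the configured identity",
}

def classify_identity(web_config_xml):
    """Return (mode, findings) for the <identity> element of a Web.config string."""
    ident = ET.fromstring(web_config_xml).find("system.web/identity")
    findings = []
    if ident is None:
        return "disabled", findings  # element absent: the default applies
    impersonate = ident.get("impersonate", "false").strip().lower() == "true"
    user = ident.get("userName", "")
    password = ident.get("password", "")
    # Assumption: a value beginning with "registry:" points at a registry-stored
    # secret rather than holding it inline.
    if password and not password.lower().startswith("registry:"):
        findings.append("cleartext password stored in Web.config")
    if not impersonate:
        if user or password:
            findings.append("credentials present but impersonation is disabled")
        return "disabled", findings
    return ("fixed" if user else "enabled"), findings

# Constructed sample files; the account name and password are placeholders.
WRAP = "<configuration><system.web>%s</system.web></configuration>"
SAMPLES = {
    "default": WRAP % "",
    "off": WRAP % '<identity impersonate="false" />',
    "on": WRAP % '<identity impersonate="true" />',
    "fixed": WRAP % '<identity impersonate="true" userName="EXAMPLE\\svc_web" password="placeholder" />',
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        mode, findings = classify_identity(xml_text)
        print(f"{name}: {mode} -> {MODES[mode]}; findings={findings}")
```

The helper inspects only the top-level system.web section, so settings inside location elements or in parent configuration files need to be checked separately.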