Identifying the Impersonation Behavior for ASP Applications

Applies To: Windows Server 2003, Windows Server 2003 with SP1

For Active Server Pages (ASP) applications, the type of authentication that is used by the user automatically determines impersonation behavior. Because the impersonation behavior is automatic, no configuration is required.

The impersonation behavior in an ASP application is as follows:

  • If an anonymous user makes a request, the thread token is based on the user account that is configured as the anonymous user identity (by default, this is the IUSR_machinename user account). You should ensure that the appropriate access control lists (ACLs) are configured on any content that the anonymous user should not be able to access.

  • If an authenticated user makes a request, the thread token is based on the authenticated account of the user.
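The ACL check recommended above for the anonymous identity can be scripted. The following is an added example, not part of the original documentation: it reads an ACL listing in `icacls` text format and reports restricted paths that the anonymous thread token could read. The host name `WEB01`, the paths, the `ANON_GROUPS` membership list and the function names are assumptions made for the illustration.

```python
import re

# Constructed listing in icacls text format; host WEB01 and all paths are made up.
SAMPLE = r"""
C:\Inetpub\wwwroot\default.asp WEB01\IUSR_WEB01:(RX)
C:\Inetpub\wwwroot\admin\users.asp BUILTIN\Administrators:(F)
                                   WEB01\IUSR_WEB01:(RX)
C:\Inetpub\wwwroot\admin\audit.asp BUILTIN\Guests:(DENY)(RX)
                                   Everyone:(RX)
C:\Inetpub\wwwroot\admin\backup.asp BUILTIN\Users:(I)(RX)
C:\Inetpub\wwwroot\admin\logs WEB01\IUSR_WEB01:(OI)(CI)(IO)(RX)
"""

# Assumption: groups carried in the anonymous account's token; adjust per server.
ANON_GROUPS = ("Everyone", r"BUILTIN\Guests", r"BUILTIN\Users",
               r"NT AUTHORITY\Authenticated Users")
READ_RIGHTS = {"F", "M", "RX", "R"}  # simple rights that include read

def parse_icacls(text):
    """Return {path: [(account, [flag, ...]), ...]} in ACL order."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0].isspace():                    # continuation: another ACE
            ace = line.strip()
        else:                                    # sample paths contain no spaces
            current, ace = line.split(None, 1)
            acls[current] = []
        account, _, rest = ace.partition(":(")
        acls[current].append((account, re.findall(r"\(([^)]*)\)", "(" + rest)))
    return acls

def anonymous_can_read(aces, principals):
    """First applicable ACE that covers read decides, as in an ordered ACL walk.
    Inherit-only (IO) ACEs are skipped; specific-right lists are not interpreted."""
    for account, flags in aces:
        applies = account.lower() in principals and "IO" not in flags
        if applies and READ_RIGHTS & set(flags):
            return "DENY" not in flags
    return False

def exposed_to_anonymous(text, anon_account, restricted_prefix):
    """Paths under restricted_prefix that the anonymous thread token could read."""
    principals = {anon_account.lower()} | {g.lower() for g in ANON_GROUPS}
    return sorted(path for path, aces in parse_icacls(text).items()
                  if path.lower().startswith(restricted_prefix.lower())
                  and anonymous_can_read(aces, principals))
```

Calling `exposed_to_anonymous(SAMPLE, r"WEB01\IUSR_WEB01", "C:\\Inetpub\\wwwroot\\admin\\")` flags `users.asp` (direct grant) and `backup.asp` (grant inherited through a group), which is why group entries need reviewing as well as the anonymous account itself.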