Impersonation in ASP.NET

June 27, 2007
By Computer security

According to MSDN, “When using impersonation, ASP.NET applications can optionally execute with the identity of the client on whose behalf they are operating. The usual reason for doing this is to avoid dealing with authentication and authorization issues in the ASP.NET application code. Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate the user and either pass an authenticated token to the ASP.NET application or, if unable to authenticate the user, pass an unauthenticated token. In either case, the ASP.NET application impersonates whichever token is received if impersonation is enabled. The ASP.NET application, now impersonating the client, then relies on the settings in the NTFS directories and files to allow it to gain access, or not. Be sure to format the server file space as NTFS, so that access permissions can be set”.

Note that impersonation is disabled by default. It is turned on or off with the identity element in the web.config file, as shown in the snippet below.

<identity impersonate="true"/>
or
<identity impersonate="false"/>

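To impersonate a particular identity, specify the following in your application’s web.config file. The attribute names are case-sensitive, and the password is stored in clear text, so limit who can read the file.

<identity impersonate="true" userName="joydip" password="jude"/>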
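A fuller web.config for the client-impersonation case in the MSDN passage above, given here as an added example that is not from the original post or from MSDN. It assumes Integrated Windows authentication is enabled for the site in IIS, and it rejects anonymous requests so that page code never runs under the unauthenticated token.

```xml
<?xml version="1.0"?>
<!-- Added example (constructed), not taken from the original post or from MSDN. -->
<configuration>
  <system.web>
    <!-- Take the caller's identity from IIS. Assumes Integrated Windows
         authentication is enabled for the site in IIS. -->
    <authentication mode="Windows" />

    <!-- "?" means anonymous users. Denying them returns 401 before any page
         code runs, so no request executes under the IIS anonymous account. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Run each request under the authenticated caller's Windows identity.
         NTFS ACLs on the content then decide what that caller can access. -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```

For the fixed-identity form with userName and password, ASP.NET 2.0 and later can encrypt the section in place with `aspnet_regiis -pe "system.web/identity" -app "/MyApp"`, where `/MyApp` is a placeholder for the application's virtual path.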
