According to MSDN, "When using impersonation, ASP.NET
applications can optionally execute with the identity of the client on whose
behalf they are operating. The usual reason for doing this is to avoid dealing
with authentication and authorization issues in the ASP.NET application code.
Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate
the user and either pass an authenticated token to the ASP.NET application or,
if unable to authenticate the user, pass an unauthenticated token. In either
case, the ASP.NET application impersonates whichever token is received if
impersonation is enabled. The ASP.NET application, now impersonating the
client, then relies on the settings in the NTFS directories and files to allow
it to gain access, or not. Be sure to format the server file space as NTFS, so
that access permissions can be set".
Impersonation is disabled by default. When enabled, it allows the ASP.NET
process to act as the authenticated user, or as an arbitrary specified user.
It is configured in the web.config file as shown below:
Listing VIII
<identity impersonate="true"/> or <identity impersonate="false"/>
It is also possible to use a particular identity for all
authenticated requests by specifying the following in the
application's web.config file:
<identity impersonate="true" userName="username" password="password"/>
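The following Python script is an added example, not code from the original page or from MSDN. It classifies each <identity> element of a web.config into the three modes described above and lists what a reviewer would check for each. The sample file, the account names and the helper names classify and audit are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; account names and paths are made up.
SAMPLE = r"""<configuration>
  <system.web>
    <identity impersonate="true" userName="EXAMPLE\svc_web" password="not-a-real-password"/>
  </system.web>
  <location path="reports">
    <system.web><identity impersonate="true"/></system.web>
  </location>
  <location path="legacy">
    <system.web><identity impersonate="true" username="EXAMPLE\old"/></system.web>
  </location>
</configuration>"""

KNOWN = {"impersonate", "userName", "password"}  # attribute names are case-sensitive

def classify(identity):
    """Map an <identity> element (or None) to one of the three modes described above."""
    if identity is None or identity.get("impersonate") != "true":
        return "disabled"        # default: code runs as the ASP.NET process identity
    if identity.get("userName"):
        return "fixed-identity"  # all requests run as the configured account
    return "client"              # code runs as whichever token IIS passes in

def audit(xml_text):
    """Return [(scope, mode, findings)] for the root and each <location> override."""
    root = ET.fromstring(xml_text)
    scopes = [("/", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    report = []
    for scope, node in scopes:
        identity = node.find("system.web/identity")
        if identity is None and scope != "/":
            continue             # no override here; the parent setting applies
        attrs = identity.attrib if identity is not None else {}
        unknown = [f"unrecognized attribute '{n}'" for n in attrs if n not in KNOWN]
        if unknown:              # ASP.NET rejects a section with unrecognized attributes
            report.append((scope, "invalid", unknown))
            continue
        mode, findings = classify(identity), []
        if "password" in attrs:
            findings.append("account password stored in web.config")
        if mode == "client":
            findings.append("access decided by NTFS ACLs for the IIS-supplied token")
        report.append((scope, mode, findings))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
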