The following section lists the sequence of events that take place in the
authentication and authorization process when a new request arrives.

1. IIS first checks the validity of the incoming request. If the
   authentication mode is anonymous (the default), the request is
   authenticated automatically. If this authentication mode is overridden in
   the web.config file settings, IIS performs the specified authentication
   check before the request is passed on to ASP.NET.

2. ASP.NET then checks whether impersonation is enabled. If impersonation is
   enabled, ASP.NET executes with the identity of the entity on whose behalf
   it is performing the task. If impersonation is not enabled, the
   application runs under the local machine identity used by IIS, with the
   privileges of the ASP.NET user account. ASPNET or NETWORK SERVICE is the
   default ASP.NET unprivileged account on Windows XP and Windows Server
   2003, respectively.

3. The identity that has already been authenticated and verified is used to
   request resources from the operating system.

4. ASP.NET performs an authorization check on the requested resources and,
   if the user is authorized, it returns the request through IIS.
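
The three decisions in this sequence (authentication mode, impersonation, authorization) map onto three web.config elements. The file below is an added example, not configuration from the original text; the role name CONTOSO\WebAppUsers and the "admin" path are constructed placeholders.

```xml
<?xml version="1.0"?>
<!-- Constructed example web.config; role names and paths are placeholders. -->
<configuration>
  <system.web>
    <!-- Authentication: "Windows" makes ASP.NET use the identity that IIS
         established. If IIS still allows anonymous access, that identity
         is the anonymous user, so disable anonymous access in IIS when a
         real caller identity is required. -->
    <authentication mode="Windows" />

    <!-- Impersonation: with impersonate="true", request code runs as the
         authenticated caller. With "false" it runs as the worker process
         account (ASPNET or NETWORK SERVICE), which keeps OS-level access
         limited to what that one unprivileged account may touch. -->
    <identity impersonate="false" />

    <!-- Authorization: rules are evaluated top-down and the first match
         applies. "?" means anonymous users, "*" means everyone. -->
    <authorization>
      <deny users="?" />
      <allow roles="CONTOSO\WebAppUsers" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- A stricter rule set for one sub-path (hypothetical "admin" folder). -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAppAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Ending each authorization block with an explicit deny for "*" matters because the machine-level default allows all users; without it, any caller who matches no earlier rule is let through.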