5 April 2012

ASP.NET Impersonation


ASP.NET Impersonation


When using impersonation, ASP.NET applications can execute with the Windows identity (user account) of the user making the request. Impersonation is commonly used in applications that rely on Microsoft Internet Information Services (IIS) to authenticate the user.

ASP.NET impersonation is disabled by default. If impersonation is enabled for an ASP.NET application, that application runs in the context of the identity whose access token IIS passes to ASP.NET. That token can be either an authenticated user token, such as a token for a logged-in Windows user, or the token that IIS provides for anonymous users (typically, the IUSR_MACHINENAME identity).


You control impersonation using the identity configuration element. As with other configuration directives, this directive applies hierarchically. A minimal configuration file to enable impersonation for an application might look like the following example:

< configuration >
  < system.web >
    < identity impersonate="true"/ >
  < /system.web >
< /configuration >
You can also add support for specific names to run an application as a configurable identity, as shown in the following example:

< identity impersonate="true" 
  userName="contoso\Jane" 
  password="********" / >

No comments:

Post a Comment

Comments Welcome