<alwaysFlowImpersonationPolicy> Element

Specifies that the Windows identity always flows across asynchronous points, regardless of how impersonation was performed.

<configuration>
  <runtime>
    <alwaysFlowImpersonationPolicy>

Syntax

<alwaysFlowImpersonationPolicy
  enabled="true|false"/>  

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute Description
enabled Required attribute.

Indicates whether the Windows identity flows across asynchronous points.

enabled Attribute

Value Description
false The Windows identity does not flow across asynchronous points, unless the impersonation is performed through managed methods such as Impersonate. This is the default.
true The Windows identity always flows across asynchronous points, regardless of how impersonation was performed.

Child Elements

None.

Parent Elements

Element Description
configuration The root element in every configuration file used by the common language runtime and .NET Framework applications.
runtime Contains information about assembly binding and garbage collection.

Remarks

In the .NET Framework versions 1.0 and 1.1, the Windows identity does not flow across asynchronous points. In .NET Framework version 2.0, there is an ExecutionContext object that contains information about the currently executing thread, and flows it across asynchronous points within an application domain. The WindowsIdentity also flows as part of the information that flows across the asynchronous points, provided the impersonation was achieved using managed methods such as Impersonate and not through other means such as platform invoke to native methods. This element is used to specify that the Windows identity does flow across asynchronous points, regardless of how the impersonation was achieved.

You can alter this default behavior in two other ways:

  1. In managed code on a per-thread basis.

    You can suppress the flow on a per-thread basis by modifying the ExecutionContext and SecurityContext settings by using the ExecutionContext.SuppressFlow, SecurityContext.SuppressFlowWindowsIdentity, or SecurityContext.SuppressFlow method.

  2. In the call to the unmanaged hosting interface to load the common language runtime (CLR).

    If an unmanaged hosting interface (instead of a simple managed executable) is used to load the CLR, you can specify a special flag in the call to the CorBindToRuntimeEx Function function. To enable the compatibility mode for the entire process, set the flags parameter for CorBindToRuntimeEx Function to STARTUP_ALWAYSFLOW_IMPERSONATION.

Configuration File

In a .NET Framework application, this element can be used only in the application configuration file.

For an ASP.NET application, the impersonation flow can be configured in the aspnet.config file found in the <Windows Folder>\Microsoft.NET\Framework\vx.x.xxxx directory.

ASP.NET by default disables the impersonation flow in the aspnet.config file by using the following configuration settings:

<configuration>  
   <runtime>  
      <legacyImpersonationPolicy enabled="true"/>  
      <alwaysFlowImpersonationPolicy enabled="false"/>  
   </runtime>  
</configuration>  

In ASP.NET, if you want to allow the flow of impersonation instead, you must explicitly use the following configuration settings:

<configuration>  
   <runtime>  
      <legacyImpersonationPolicy enabled="false"/>  
      <alwaysFlowImpersonationPolicy enabled="true"/>  
   </runtime>  
</configuration>  

Example

The following example shows how to specify that the Windows identity flows across asynchronous points, even when the impersonation is achieved through means other than managed methods.

<configuration>  
  <runtime>  
    <alwaysFlowImpersonationPolicy enabled="true"/>  
  </runtime>  
</configuration>  

See also