<legacyImpersonationPolicy> Element

Specifies that the Windows identity does not flow across asynchronous points, regardless of the flow settings for the execution context on the current thread.




Attributes and Elements

The following sections describe attributes, child elements, and parent elements.


Attribute Description
enabled Required attribute.

Specifies that the WindowsIdentity does not flow across asynchronous points, regardless of the ExecutionContext flow settings on the current thread.

enabled Attribute

Value Description
false WindowsIdentity flows across asynchronous points depending upon the ExecutionContext flow settings for the current thread. This is the default.
true WindowsIdentity does not flow across asynchronous points, regardless of the ExecutionContext flow settings on the current thread.

Child Elements


Parent Elements

Element Description
configuration The root element in every configuration file used by the common language runtime and .NET Framework applications.
runtime Contains information about assembly binding and garbage collection.


In the .NET Framework versions 1.0 and 1.1, the WindowsIdentity does not flow across any user-defined asynchronous points. Starting with .NET Framework version 2.0, there is an ExecutionContext object that contains information about the currently executing thread, and it flows across asynchronous points within an application domain. The WindowsIdentity is included in this execution context and therefore also flows across the asynchronous points, which means that if an impersonation context exists, it will flow as well.

Starting with .NET Framework 2.0, you can use the <legacyImpersonationPolicy> element to specify that WindowsIdentity does not flow across asynchronous points.


The common language runtime (CLR) is aware of impersonation operations performed using only managed code, not of impersonation performed outside of managed code, such as through platform invoke to unmanaged code or through direct calls to Win32 functions. Only managed WindowsIdentity objects can flow across asynchronous points, unless the alwaysFlowImpersonationPolicy element has been set to true (<alwaysFlowImpersonationPolicy enabled="true"/>). Setting the alwaysFlowImpersonationPolicy element to true specifies that the Windows identity always flows across asynchronous points, regardless of how impersonation was performed. For more information on flowing unmanaged impersonation across asynchronous points, see <alwaysFlowImpersonationPolicy> Element.

You can alter this default behavior in two other ways:

  1. In managed code on a per-thread basis.

    You can suppress the flow on a per-thread basis by modifying the ExecutionContext and SecurityContext settings by using the ExecutionContext.SuppressFlow, SecurityContext.SuppressFlowWindowsIdentity or SecurityContext.SuppressFlow method.

  2. In the call to the unmanaged hosting interface to load the common language runtime (CLR).

    If an unmanaged hosting interface (instead of a simple managed executable) is used to load the CLR, you can specify a special flag in the call to the CorBindToRuntimeEx Function function. To enable the compatibility mode for the entire process, set the flags parameter for CorBindToRuntimeEx Function to STARTUP_LEGACY_IMPERSONATION.

For more information, see the <alwaysFlowImpersonationPolicy> Element.

Configuration File

In a .NET Framework application, this element can be used only in the application configuration file.

For an ASP.NET application, the impersonation flow can be configured in the aspnet.config file found in the <Windows Folder>\Microsoft.NET\Framework\vx.x.xxxx directory.

ASP.NET by default disables the impersonation flow in the aspnet.config file by using the following configuration settings:

      <legacyImpersonationPolicy enabled="true"/>  
      <alwaysFlowImpersonationPolicy enabled="false"/>  

In ASP.NET, if you want to allow the flow of impersonation instead, you must explicitly use the following configuration settings:

      <legacyImpersonationPolicy enabled="false"/>  
      <alwaysFlowImpersonationPolicy enabled="true"/>  


The following example shows how to specify the legacy behavior that does not flow the Windows identity across asynchronous points.

      <legacyImpersonationPolicy enabled="true"/>  

See also