Using IIS Authentication with ASP.NET Impersonation

Internet Information Services (IIS) provides several authentication schemes that can be employed when securing a Web application. Common scenarios include using Integrated Windows authentication (NTLM) within a corporate intranet to determine application users' identity based on their Windows login, or specifying a single anonymous identity for a particular application. The Windows identity supplied by IIS can then be used to determine whether the Web application has access to a protected Windows resource, such as a file protected using an Access Control List (ACL), or a network resource such as a file or database server. You can configure ASP.NET to use the Windows identity supplied by IIS using impersonation.

By default, ASP.NET is configured to use Windows authentication mode, which applies the Windows identity supplied by IIS to the User property of the current HttpContext object. This enables you to determine the identity supplied by IIS through the User property (the user Name is blank when anonymous identification is used), but does not use the supplied identity as the WindowsIdentity for the current page. The WindowsIdentity for an application is used when determining if the application has access to a particular file or network resource.

To configure ASP.NET to impersonate the Windows identity supplied by IIS as the WindowsIdentity for the ASP.NET application, edit the Web.config file for the application and set the impersonate attribute of the identity configuration element to true, as shown in the following example.

    <identity impersonate="true" />

Impersonation is independent of the authentication mode configured using the authentication configuration element. The authentication element is used to determine the User property of the current HttpContext. Impersonation is used to determine the WindowsIdentity of the ASP.NET application.

The following describes how you would enable impersonation using an intranet scenario as an example. In this scenario, you are setting up an internal corporate Web site for posting employee information. However, some of the information is for managers only. The manager information can be posted to a subdirectory of the employee information site, so that access to the information can be limited. IIS determines the user's identity using Windows Integrated (NTLM) security. The scenario assumes that:

  • The Web server has the Microsoft Windows NT Server, Windows 2000 Server, or Windows Server 2003 operating system installed.

  • IIS 6.0 is installed the Web server.

  • The Web server hard disk is formatted using NTFS.

  • All employees that need access to restricted resources are using Windows.

As the administrator of the application in the scenario, you would need to do the following:

  1. Create the files and directories shown in the following illustration:


  2. Create a Windows group named Managers that contains all users who should have access to the ManagerInfo.aspx file.

  3. Use Internet Information Services (IIS) Manager to disable anonymous authentication for the application and enable integrated windows authentication.

  4. In the application's Web.config file, set the impersonate attribute in the identity element to true.

  5. Set the NTFS access control list (ACL) for the ManagerInformation directory to allow access to only those identities that are in the Windows Manager group and any required system accounts. You would need to be sure to include the identity of the ASP.NET process. The identity of the ASP.NET process for Windows 2000 Server or Windows NT is the local ASPNET account. The identity of the ASP.NET process for Windows Server 2003 and later is the identity of the IIS application pool, which by default is the NETWORK SERVICE account.


    The ASP.NET role-management feature provides an alternative method of restricting access to areas of your Web application. For more information, see Managing Authorization Using Roles.

See Also


Basic Security Practices for Web Applications

Other Resources

ASP.NET Web Application Security