Configure ASP.NET Impersonation Authentication (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Use ASP.NET impersonation when you want to run your ASP.NET application under a security context different from the default security context for ASP.NET application.

If you enable impersonation for an ASP.NET application, that application can run in one of two different contexts: either as the user authenticated by IIS 7 or as an arbitrary account that you set up. For example, if you were using Anonymous authentication and chose to run the ASP.NET application as the authenticated user, the application would run under an account set up for anonymous users (typically, IUSR). Likewise, if you chose to run the application under an arbitrary account, it would run under whatever security context was set up for that account.

By default, ASP.NET impersonation is disabled. If you enable impersonation, your ASP.NET application runs under the security context of the user authenticated by IIS 7.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Authentication Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None


  • ManagedEngine

To configure ASP.NET impersonation authentication

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Authentication.

  3. On the Authentication page, select ASP.NET Impersonation.

  4. In the Actions pane, click Enable to use ASP.NET Impersonation authentication with the default settings.

  5. Optionally, in the Actions pane, click Edit to set the security principal.

  6. In the Edit ASP.NET Impersonation Settings dialog box, select either Specific user or Authenticated user. Whichever you decide, IIS uses this identity for the security context of the ASP.NET application. By default, IIS 7 is set to impersonate the authenticated user.

  7. Click OK to finish or proceed to the next optional steps to change the identity to impersonate.

  8. Optionally, click Set to change the Specific user identity.

  9. In the Set Credentials dialog box, enter the name of an existing user account in User name, the password associated with that user account in Password, and then the exact same value in Confirm password for a new account IIS should use for anonymous access.

  10. Click OK to close the Set Credentials dialog box.

  11. Click OK to close the Edit ASP.NET Impersonation Settings dialog box.

Command Line

To enable or disable ASP.NET Impersonation, use the following syntax:

appcmd set config /commit:WEBROOT/section:identity /impersonate:true | false

By default, IIS sets the impersonate attribute to false, which disables ASP.NET Impersonation authentication. If you set the attribute to true, you enable ASP.NET Impersonation authentication. For example, to enable ASP.NET Impersonation authentication, type the following at the command prompt, and then press ENTER:

appcmd set config /commit:WEBROOT/section:identity /impersonate:true

Optionally, you can set the account for IIS to impersonate, using the following syntax:

**appcmd set config /commit:WEBROOT/section:identity /userName:**string **/password:**string

The variable userName string is the account IIS uses to impersonate and the variable password string is the password. For example, to use an account named Moe for IIS to impersonate, type the following at the command prompt, and then press ENTER:

appcmd set config /commit:WEBROOT/section:identity /userName:Moe/password:pass@word1


When you use Appcmd.exe to configure the identity element at the global level in IIS 7, you must specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).


The procedure in this topic affects the following configuration elements:

<identity> under <system.web>

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • IdentitySection class

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also


Configuring Authentication in IIS 7