ASP.NET Quickstart Tutorials

Securing Your Application

Authentication and Authorization

Windows-based Authentication

Forms-based Authentication

Authorizing Users and Roles

User Account Impersonation

Using the Login Controls

Creating and Logging In a User

Displaying Content for Logged-in Users

Changing a Password

Membership and Role Manager

Creating a New User

User Login and Properties

Updating User Properties

Account Lockouts

Deleting a User

Managing Roles

Adding and Deleting Roles

Adding a User to a Role

Deleting a User from a Role

Authorizing Access to a Page

Programmatic Authorization

Back to ASP.NET Home

User Account Impersonation

As mentioned in the Security Overview, impersonation is the ability of a thread to execute in a security context different from that of the process owning the thread. What this means for a Web application is that if a server is impersonating, it is doing work using the identity of the client making the request.

By default, ASP.NET does not do per-request impersonation. This is different from ASP, which does impersonate on every request. If desired, you can configure an application to impersonate on every request with the following Configuration directive:

<identity impersonate="true" />

Since ASP.NET does dynamic compilation, enabling impersonation requires that all accounts have read/write access to the application's Codegen directory (where dynamically compiled objects are stored by the ASP.NET runtime) as well as the global assembly cache (%Windir%\assembly). Some applications require impersonation to be enabled for ASP compatibility or to use Windows authentication services.