Every process running on a Windows NT/2000 server (or Windows.NET Server, when it ships) has a username associated with it. The username, in conjunction with ACLs (described earlier in Section 19.2), determines what resources the process will have access to.

By default, ASP.NET processes run with a username of SYSTEM. This gives these processes full access to all resources. If there is a security breach, then a malicious user may also be able to run processes with full access to all resources.

To guard against this and provide another layer of security, ASP.NET supports impersonation. Using impersonation, the ASP.NET process assumes, and executes with, the identity of the client making the request. For example, if user Dan requests a web page, and this web page requests access to a resource on the server, then when ASP.NET requests that resource, it will be as though Dan made the request, not SYSTEM. The permissions assigned to Dan in the ACLs will govern the request.

Impersonation is not enabled by default, since it consumes additional server resources. Impersonation is enabled with an <identity> section in a configuration file. The default <identity> section in machine.config looks like the following:

<identity impersonate="false" />

To enable impersonation for an application, add a similar line to the web.configfile in the application virtual root directory, changing the impersonate attribute value to true.

If impersonation is enabled and the request is from an ...