We can implement impersonation in an ASP.NET application in one of two ways, depending on the requirement: run the whole request under a specific account, or run only a piece of business logic (typically code that has to reach network resources at runtime) under an account other than the service account the application pool runs as.
Impersonation can be enabled by configuration at the application level (Web.config or IIS) or implemented in code (.cs, .vb and similar files) with the WindowsIdentity.Impersonate method, which switches the current thread to the chosen account at runtime and, once the work is done, reverts to the account that was processing the request.
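The code-level variant described above, as an added example that is not code from the original post: a helper that logs on a specific account with the Win32 LogonUser API, impersonates it for one unit of work and always reverts, even when the work throws. The domain, user and share names are placeholders, and the logon type is an assumption chosen for the network-resource case the post mentions. The configuration-level equivalent is the `<identity impersonate="true" userName="..." password="..." />` element in Web.config; if you use it, encrypt that section (aspnet_regiis -pe) rather than leaving the password in plain text.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: run a single piece of work under a specific Windows account,
// then hand the thread back to the account that was processing the request.
public static class ScopedImpersonation
{
    // advapi32 LogonUser constants. LOGON32_LOGON_NEW_CREDENTIALS (an assumption for
    // this example) keeps the local identity unchanged and applies the supplied
    // credentials only to outbound network access, which is the scenario the page
    // describes. Use LOGON32_LOGON_INTERACTIVE (2) / LOGON32_PROVIDER_DEFAULT (0)
    // if the account must also be the local identity for file or registry checks.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' as domain\userName and always reverts, even if 'work' throws.
    public static T RunAs<T>(string domain, string userName, string password, Func<T> work)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
        {
            // Surface the Win32 reason (account locked, logon type not granted, ...).
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        }

        WindowsImpersonationContext context = null;
        try
        {
            context = WindowsIdentity.Impersonate(token);
            return work();
        }
        finally
        {
            // Undo before closing the token: a leaked impersonation context would leave
            // the worker thread, which ASP.NET reuses for later requests, running as
            // the wrong account.
            if (context != null) context.Undo();
            CloseHandle(token);
        }
    }
}

// Usage inside a page or handler (placeholder names; keep the password out of
// source and out of plain-text Web.config in a real deployment):
//
//   string[] files = ScopedImpersonation.RunAs("CONTOSO", "svc-reports", password,
//       () => System.IO.Directory.GetFiles(@"\\fileserver\reports"));
//
// Everything before and after the RunAs call still executes as the application
// pool identity (for example "Network Service").
```

One caveat with the NEW_CREDENTIALS logon type: LogonUser does not validate the password at logon time, so a wrong password only shows up as an access-denied error on the first network call inside `work`, not as a LogonUser failure.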
In general, an ASP.NET application runs under the "Network Service" account, which is configured in the Identity section of the application pool to which the virtual directory or web site is assigned.
Fig : 1
In the above picture the pool is configured to run under "Network Service". The same setting can point at a different account; the precondition is that the account must be a member of the machine's "IIS_WPG" user group, to which "Network Service" is added by default.
Fig : 2
ASP.NET does not use impersonation by default: code runs under the ASP.NET application's process identity. When impersonation is enabled, the thread carries the caller's impersonation token, which is normally only good for local resources. To reach a network resource as the caller you need delegation, and whether delegation is available depends on the selected authentication mechanism (for example Integrated Windows authentication using Kerberos) and on the accounts involved being configured as trusted for delegation.
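Per-request impersonation of the authenticated caller, with the delegation check the paragraph above calls for, as an added example (not code from the original post). It assumes Windows authentication is enabled in IIS and `<authentication mode="Windows" />` in Web.config; the handler usage and share path are placeholders.

```csharp
using System;
using System.Security.Principal;

// Added example: impersonate the authenticated Windows caller for one operation and
// check up front whether the token can reach a remote resource at all.
public static class CallerImpersonation
{
    // Explains what the caller's token is good for, based on its impersonation level.
    public static string DescribeToken(WindowsIdentity caller)
    {
        switch (caller.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                return "delegation: the server may present the caller to a second hop";
            case TokenImpersonationLevel.None:
                // WindowsIdentity reports None for a primary token, e.g. the one IIS
                // creates with LogonUser for Basic authentication; it holds real
                // credentials and can reach network resources.
                return "primary token: usable for local and network resources";
            case TokenImpersonationLevel.Impersonation:
                return "impersonation: local resources only; network access goes out anonymous";
            case TokenImpersonationLevel.Identification:
                return "identification: usable for authorization checks, not for accessing resources";
            default:
                return "anonymous: token cannot be impersonated";
        }
    }

    // True when the token can authenticate to another machine as the caller.
    public static bool CanReachNetwork(WindowsIdentity caller)
    {
        return caller.ImpersonationLevel == TokenImpersonationLevel.Delegation
            || caller.ImpersonationLevel == TokenImpersonationLevel.None;
    }

    // Runs 'work' as the caller; refuses to start if the work needs a network hop
    // and the token cannot make one, instead of failing later with a confusing
    // access-denied from the remote server.
    public static T RunAsCaller<T>(WindowsIdentity caller, bool needsNetwork, Func<T> work)
    {
        if (caller == null || caller.IsAnonymous)
            throw new UnauthorizedAccessException("No authenticated Windows identity on the request.");

        if (needsNetwork && !CanReachNetwork(caller))
            throw new InvalidOperationException(
                "Caller token level is " + caller.ImpersonationLevel +
                "; Kerberos delegation is required to access network resources as the caller.");

        // Disposing the context reverts the thread to the process identity.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Access checks performed here are evaluated against the caller,
            // not against the application pool account.
            return work();
        }
    }
}

// In a handler (placeholder share path):
//
//   var caller = HttpContext.Current.User.Identity as WindowsIdentity;
//   byte[] report = CallerImpersonation.RunAsCaller(caller, true,
//       () => System.IO.File.ReadAllBytes(@"\\fileserver\reports\" + name));
```

Logging `DescribeToken(caller)` once during troubleshooting is usually the fastest way to tell a missing-delegation problem (level Impersonation) from a plain permissions problem on the file share.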
Because we are granting access to the resource through an account, it is mandatory to review the privileges that account holds on resources across the network: an over-privileged account lets the application hand access to unauthorized users. Make sure the access control list (ACL) on each resource grants only what the process identity, or the impersonated account, actually needs.
It is also important to understand the access privileges needed by the account that runs the ASP.NET application. The link below gives the detailed list of file and folder permissions the ASP.NET account needs to function properly.
Some permissions are required only by the account the ASP.NET process runs as, while others are also required by any impersonated account.
ASP.NET Required Access Control Lists (ACLs)
If you are running on a 64-bit OS, the account must also have permission to the "%SystemRoot%\Microsoft.NET\Framework64\" folder in addition to the "%SystemRoot%\Microsoft.NET\Framework\" folder.
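A check for the folder permissions discussed in the last few paragraphs, as an added example that is not code from the original post. It audits the two folders named above for the process account and any groups it belongs to (such as IIS_WPG from the IIS 6 setup the post describes); the rights it demands (read and list) are an assumption for the example, and the linked ACL article remains the authoritative list.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: verify that the ASP.NET process account (or a group it belongs to)
// is granted rights on the Framework folder, and on Framework64 too on a 64-bit OS.
public static class AspNetAclCheck
{
    // Folders named on this page. Framework64 exists only on a 64-bit OS, so its
    // presence is used as the 64-bit test (avoids depending on .NET 4 APIs).
    public static IEnumerable<string> RequiredFolders()
    {
        yield return Environment.ExpandEnvironmentVariables(@"%SystemRoot%\Microsoft.NET\Framework\");
        string fx64 = Environment.ExpandEnvironmentVariables(@"%SystemRoot%\Microsoft.NET\Framework64\");
        if (Directory.Exists(fx64))
            yield return fx64;
    }

    // Computes Allow minus Deny on a folder for the given identities (the account
    // plus its groups). Memberships not passed in are not seen, so this is a
    // conservative review of the ACL, not a replacement for a full AccessCheck.
    public static FileSystemRights EffectiveRights(string folder, IEnumerable<string> identities)
    {
        var wanted = new HashSet<SecurityIdentifier>();
        foreach (string name in identities)
            wanted.Add((SecurityIdentifier)new NTAccount(name).Translate(typeof(SecurityIdentifier)));

        FileSystemRights allowed = 0, denied = 0;
        DirectorySecurity acl = Directory.GetAccessControl(folder);
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!wanted.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            if (rule.AccessControlType == AccessControlType.Allow) allowed |= rule.FileSystemRights;
            else denied |= rule.FileSystemRights;
        }
        return allowed & ~denied;   // an explicit Deny wins over an Allow
    }

    // Returns one line per folder that is missing or does not grant the needed rights.
    public static IList<string> Audit(string account, params string[] groups)
    {
        // Required rights are an assumption for the example; see the linked ACL article.
        const FileSystemRights needed = FileSystemRights.ReadAndExecute | FileSystemRights.ListDirectory;
        var identities = new List<string> { account };
        identities.AddRange(groups);

        var problems = new List<string>();
        foreach (string folder in RequiredFolders())
        {
            if (!Directory.Exists(folder)) { problems.Add(folder + ": missing"); continue; }
            FileSystemRights have = EffectiveRights(folder, identities);
            if ((have & needed) != needed)
                problems.Add(folder + ": " + account + " lacks " + (needed & ~have));
        }
        return problems;
    }
}

// Usage, e.g. from a small console tool run as an administrator on the web server:
//   foreach (string p in AspNetAclCheck.Audit(@"NT AUTHORITY\NETWORK SERVICE", "IIS_WPG"))
//       Console.WriteLine(p);
// An empty result means every required folder grants read and list access.
```

If the pool was switched to a custom account, run the audit with that account name and its groups instead; pass the impersonated account as well when impersonation is enabled, since some of the listed permissions apply to it too.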