Impersonation in .Net With IIS Settings

We can implement impersonation in an ASP.NET application when the requirement is to run a whole request under a specific account, or to run only a piece of business logic under a specific account other than the service account (mainly to access network resources at runtime).
Impersonation can be implemented through configuration at the application level (Web.config, IIS) or at the code level (.cs, .vb, etc. files), using the WindowsIdentity.Impersonate method to switch to a specific account at runtime and then return to the account that was processing the request before the switch.
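
The code-level approach described above, as an added example that is not part of the original article: it obtains a token with the Win32 LogonUser function, impersonates only around one delegate, and always reverts to the process identity. The names `ScopedImpersonation` and `RunAs` and the UNC path in the usage comment are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class ScopedImpersonation   // hypothetical helper name
{
    // Win32 constants for LogonUser (winbase.h).
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' under the given account, then always reverts to the
    // application pool identity, even if 'work' throws.
    public static T RunAs<T>(string domain, string user, string password, Func<T> work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        WindowsImpersonationContext context = null;
        try
        {
            context = WindowsIdentity.Impersonate(token);  // switch the thread identity
            return work();                                 // only this call is impersonated
        }
        finally
        {
            if (context != null) context.Undo();           // back to the process identity
            CloseHandle(token);                            // do not leak the logon token
        }
    }
}

// Usage inside a page or handler (constructed values; the share path is an
// assumption, and credentials should come from protected configuration):
// string report = ScopedImpersonation.RunAs(domain, user, password,
//     () => File.ReadAllText(@"\\fileserver\reports\daily.txt"));
```

Keeping the Undo call in a finally block matters because a thread that is returned to the pool while still impersonating would run later work under the wrong account.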

In general, an ASP.NET application runs under the “Network Service” account, which is configured in the Identity section of the application pool that the virtual directory or web site is assigned to.

Fig : 1

In the picture above, the application pool is set to run under “Network Service”. It can be configured to use a different account; the precondition is that the account must be a member of the machine's “IIS_WPG” user group. “Network Service” is added to that group by default.

Fig : 2

ASP.NET does not use impersonation by default, and code runs under the ASP.NET application's process identity. We can use delegation so that the impersonation token can be used to access network resources; the ability to use delegation depends on the selected authentication mechanism and appropriate account configuration.

Because we are enabling access to resources through an account, it is mandatory to check the privileges granted to that account for accessing resources across the network; otherwise it may give access to unauthorized users. Also make sure that the access control list (ACL) on each resource grants access to the account used as the process identity.

It is important to understand the access privileges needed by the account that runs the ASP.NET application. The link below lists in detail the file and folder permissions that the ASP.NET account needs in order to function properly.

Some permissions are required only by the account that the ASP.NET process is running as, while others are also required by any impersonated account.

ASP.NET Required Access Control Lists (ACLs)

64-bit OS
If you're running on a 64-bit OS, the account must also have permission to the folder "%SystemRoot%\Microsoft.NET\Framework64\" in addition to the "%SystemRoot%\Microsoft.NET\Framework\" folder.

For further, in-depth reading, see http://msdn.microsoft.com/en-us/library/xh507fc5(v=vs.100).aspx along with its various links.
1 Comment

Author Comment

Sure Mark, please proceed.
