Security in .NET Impersonation

Impersonation in .Net allows you to run an application in a particular user account which is determined by you. Usually the account in which the application runs is ASPNET or NETWORK SERVICE depending on the version of IIS you are running in your machine.

With IIS 5.0 the ASPNET account is used and it is not possible to override this account in the web.config file. In the IIS 6.0 you can configure this in the web.config file so that you can run the application on a different user account.

In the web.config file you can include the line,
<identity impersonate = “true” /> to enable impersonation. You can also impersonate for a particular user with the syntax, <identity impersonate = “true” username = “user_name” password = “user_pwd” />

So with the configuration in the web.config file you can run the application under a different user account. Although you might have different authentication models the underlying account in which the application runs is not changed. The security context is not changed although authentication is a tool. With classic ASP, this is not possible.