ASP.NET executes all code under a Windows account. When you are using IIS 7.x, this identity is the identity of the worker processes created for an application pool configured in IIS. Each application pool can have its own identity. As each page request is processed, the configured identity determines what ASP.NET can and cannot do. Impersonation gives you flexibility, because you can temporarily change the identity that ASP.NET uses for certain tasks, instead of using a fixed account for all users, web pages, and applications.

Impersonation is the process of temporarily assuming the identity of another Windows account. It does not let you bypass Windows security: you must have the credentials of the user you want to impersonate, whether you embed them in your code or the user provides them when the application runs.

By using impersonation, you can use the permissions that are defined for the currently authenticated user. This means the actions ASP.NET performs are limited to those permitted for the person who is using the application. By impersonating the user in your web application, you ensure that the application cannot inadvertently give the user access to any files except the ones in that user's directory. If your application tries to access a restricted file, the Windows operating system will intervene, and an exception will be raised in your code.

ASP.NET provides two types of impersonation:

– Configured (web.config) – allows you to specify that page requests should be run under the identity of the user who is making the request.

– Programmatic – gives you the ability to switch to another identity within the code and switch back to the original identity when a specific task is finished.
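
The sketch below shows the programmatic form: switch to the requesting user's identity for one file read, handle the access-denied exception, and always revert to the application pool identity. It is an added example, not code from the original page; it assumes .NET Framework ASP.NET with Windows authentication enabled in IIS, and `ReportReader`, `ReadAsRequestUser` and the `path` argument are hypothetical names.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added example. The configured form applies the same switch to every request
// through web.config instead of code:
//   <system.web><identity impersonate="true" /></system.web>
public static class ReportReader   // hypothetical helper
{
    // Returns the file contents, or null if Windows denies the caller access.
    public static string ReadAsRequestUser(HttpContext context, string path)
    {
        // Only a Windows-authenticated request carries an impersonable token.
        var caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException(
                "Request has no authenticated Windows identity.");

        // From here the thread runs as the caller, not the app pool account.
        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            // The NTFS ACL check is made against the caller's token.
            return File.ReadAllText(path);
        }
        catch (UnauthorizedAccessException)
        {
            // Windows refused the read for this user; report it as forbidden.
            context.Response.StatusCode = 403;
            return null;
        }
        finally
        {
            // Always revert, even on failure, so later code on this thread
            // does not keep running under the impersonated identity.
            impersonation.Undo();
        }
    }
}
```

Keeping the impersonated region to the single operation that needs it, with `Undo()` in `finally`, keeps the window in which the thread holds another user's token as short as possible.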