top of page

What is Impersonation ASP.NET?

Writer's picture: The Tech PlatformThe Tech Platform


Impersonation is a process of temporarily assuming the identity of another Windows account. This process does not give you the ability to avoid Windows security. You must have the credentials for the user you desire to impersonate, when you implement them into your code or a user provides them at application’s execution time.


By using impersonation you can use the permissions that are defined for the currently authenticated user. This means the actions ASP.NET performs will be limited and matching to the person who is using the application. By impersonating the user in your web application, you ensure that your application cannot inadvertently give the user access to any files except the ones in that user’s directory. If you try, in your application, to access a restricted file, the Windows operating system will intersect, and an exception will be raised in your code.


ASP.NET provides two types of impersonation:

  1. Configured (web.config) – allows you to specify that page requests should be run under the identity of the user who is making the request.

  2. Programmatic -gives you the ability to switch to another identity within the code and switch back to the original identity when a specific task is finished.


If impersonation is enabled in an ASP.NET application then:

  1. If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.

  2. If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.

  3. In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.


If impersonation is disabled in an ASP.NET application then:

  1. If anonymous access is enabled in IIS, the request is made using the system-level process account.

  2. If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.

  3. In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.


It is easy to implement impersonation in ASP.Net. You can use the Web.config file that is found in the root directory of the application to enable or disable impersonation for a particular application.


The application can also use the authenticated identity that is received from the IIS if you enable impersonation. If you are going to implement impersonation for an ASP.Net application you can do so in three ways.


By default impersonation is disabled and you can find this with the line,

<identity impersonate="false" />

With the above settings the application worker process account for the ASP.Net application is used. You can enable impersonation by,

<identity impersonate="true" />

With this setting an authenticated user account or the anonymous internet user account is used. If you want to enable impersonation for a particular user account then you have to use the following syntax.

<identity impersonate="true" userName="user_name" password="user_password" />




The Tech Platform




Comments


bottom of page