Impersonation with ASP.NET 2.0

This article explain the impersonation in ASP.NET 2.0.


Impersonation is the process of executing code in the context of another user identity. By default, all ASP.NET code is executed using a fixed machine-specific account. To execute code using another identity we can use the built-in impersonation capabilities of ASP.NET. We can use a predefined user account or user's identity, if the user has already been authenticated using a windows account.

We can use the impersonation in this two scenarios:

  1. To give each web application different permissions.
  2. To use existing Windows user permission.

These two scenario are fundamentally different. In the first one, impersonation defines a single, specific account. In this case, no matter what user access the application, and no matter what type of user-level security you use, the code will run under the account you've set. In the second one, the user must be authenticated by IIS. The web-page code will then execute under the identity of the appropriate user.

Implement Impersonation:

Impersonate the Microsoft IIS Authenticated Account or User:

To impersonate the IIS authenticating user on every request for every page in an ASP.NET application, we must include an <identity> tag in the Web.config file of this application and set the impersonate attribute to true.

<identity impersonate="true" /> 

Impersonate a Specific User:

To impersonate a specific user for all the requests on all pages of an ASP.NET application, you can specify the userName and password attributes in the <identity> tag of the Web.config file for that application.

<identity impersonate="true" userName="AccountNAME" password="Password" />