I’ve been digging into IIS authentication and authorization, trying to understand the differences between the user/identity settings in web.config, the security settings on a virtual directory, and the application pool identity.
In short, this is what I figured out (please correct me if wrong):
Authentication is controlled in IIS as either Anonymous, Digest, Integrated, or Basic authentication. By default, authentication is to be taken in a quite strict sense, i.e. authentication without authorization: once the process of determining who is using the website is finished, IIS begins determining which Windows rights this user will be assigned.
The “Windows rights” are by default determined by the user running the ASP.NET process on the server. This user is defined by the application pool identity. This means that the authenticated user will not receive more rights than what the app pool user has.
But – impersonation
This is not always true, though – please note the word default in the text above 🙂 In web.config you can add the tag <identity impersonate="true" />. This makes the ASP.NET request run under the authenticated user instead of the app pool user! Or you could write <identity impersonate="true" userName="user" password="pwd" />. This makes the ASP.NET requests for that specific site always run under the specified user.
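To make the two variants concrete, here is an added web.config example (not from the post); the site name, account name and password are constructed placeholders, and it assumes anonymous access has been disabled for the virtual directory in IIS so that the authenticated user is never empty.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post. Site and account names are constructed. -->
<configuration>
  <system.web>
    <!-- IIS performs the authentication (Integrated/Windows); ASP.NET reads the result. -->
    <authentication mode="Windows" />

    <!-- Reject unauthenticated requests ("?" = anonymous users), so that impersonation
         never silently falls back to an empty identity. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Variant 1: run each request as the authenticated caller.
         The caller's Windows rights now apply instead of the app pool identity's,
         so file and registry ACLs must be set for the real users, not for the pool account. -->
    <identity impersonate="true" />

    <!-- Variant 2: always run requests as one fixed account (only one <identity>
         element may be active per configuration, so it is shown here commented out).
         Plaintext credentials in web.config are the weak form: anyone who can read the
         file obtains the account. Encrypt the section with the protected configuration
         tool instead, e.g.
           aspnet_regiis -pe "system.web/identity" -app "/ExampleSite"
         where /ExampleSite is a constructed application path. -->
    <!--
    <identity impersonate="true" userName="EXAMPLEDOMAIN\svc_example" password="PLACEHOLDER_PASSWORD" />
    -->
  </system.web>
</configuration>
```

With variant 1 in place, WindowsIdentity.GetCurrent().Name inside a request reports the caller rather than the app pool account, which is a quick way to check that impersonation is actually taking effect.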