Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

I’ve been digging into IIS authentication and authorization, trying to understand the differences between the user/identity settings in web.config, the security settings for a virtual directory, and the application pool user identity.

In short, this is what I figured out (please correct me if wrong):


Authentication is controlled in IIS as either Anonymous, Digest, Integrated, or Basic authentication. By default, authentication is to be taken in a quite strict sense, i.e. authentication with no authorization: once the process of determining who’s using the website is finished, IIS begins determining which Windows rights this user will be assigned.


The “Windows rights” are by default determined by the user running the process on the server. This user is defined by the application pool identity. This means that the authenticated user will not receive more rights than the app pool user has.

But – impersonation

This is not always true, though – please note the word “default” in the text above 🙂 In web.config you can add the tag <identity impersonate="true" />. This makes the request code run under the authenticated user instead of the app pool user! Or you could type <identity impersonate="true" userName="user" password="pwd" />. This makes the code for that specific site always run under the specified user.
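The three cases described above, as an added example (not code from the original post): a small Python check that reads a web.config and reports which account request code runs as. The function names, the sample configs and the account names passed in are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files, one per case described in the post.
NO_IDENTITY = "<configuration><system.web /></configuration>"
IMPERSONATE_CALLER = (
    '<configuration><system.web>'
    '<identity impersonate="true" />'
    '</system.web></configuration>'
)
IMPERSONATE_FIXED = (
    '<configuration><system.web>'
    '<identity impersonate="true" userName="user" password="pwd" />'
    '</system.web></configuration>'
)


def _child(parent, name):
    """First child with this local name, ignoring any default XML namespace."""
    return next((c for c in parent if c.tag.rsplit("}", 1)[-1] == name), None)


def effective_identity(web_config_xml, app_pool_user, authenticated_user):
    """Return (account, reason) for the account request code runs as."""
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        # Typographic quotes pasted from a web page land here.
        raise ValueError(f"web.config is not well-formed XML: {exc}") from exc
    system_web = _child(root, "system.web")
    identity = _child(system_web, "identity") if system_web is not None else None
    if identity is None or identity.get("impersonate", "").strip().lower() != "true":
        return app_pool_user, "no impersonation: application pool identity"
    if identity.get("userName"):
        return identity.get("userName"), "fixed account named in web.config"
    return authenticated_user, "impersonating the authenticated user"


if __name__ == "__main__":
    # Account names below are constructed placeholders.
    for cfg in (NO_IDENTITY, IMPERSONATE_CALLER, IMPERSONATE_FIXED):
        print(effective_identity(cfg, r"IIS APPPOOL\Site", r"CORP\alice"))
```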

