Sunday, May 14, 2006

15 Seconds : Web Services Security in The .NET Framework: "ASP.NET Impersonation
An understanding of ASP.NET impersonation is important before going into the details of authorization and authentication. Therefore, first we will discuss ASP.NET impersonation in this section.
Before delving into the details of ASP.NET impersonation, I would like to clarify one important point that many folks are not aware of. Actually, there is one instance of aspnet_wp.exe per processor that serves all the Web applications hosted on a box. This worker process always runs under the security context defined by the tag. The aspnet_wp.exe creates a separate thread, called a worker thread, for servicing each client request. We have to distinguish between the server process and the worker threads in order to understand the impersonation and security details of ASP.NET.
With ASP.NET impersonation, the thread servicing the client request can optionally execute with the identity of the client. Let me explain it in detail.
IIS always maps a user request to some Windows account; in the case of anonymous access, this is the IUSR_machinename account or any other account that has been defined to be used with anonymous access; in the case of Windows authentication, this is the account whose credentials are provided by the Web site user. After successful authentication, IIS forwards this logged-in user's identity to the ASP.NET worker thread. Now the ASP.NET worker thread has the following three options:
It can run under the identity defined by the tag.
It can run under the client identity passed to it by IIS.
It can run under the identity of the user whose credentials have been listed for impersonation.
Now the decision depends on the impersonation settings for the ASP.NET application.
If impersonation is enabled and any specific Windows account ha"
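The practical way to see the distinction the quoted article draws (the account IIS authenticated versus the Windows account the worker thread actually executes as) is to drop a small handler into the application and hit it under each impersonation setting. The handler below is an added example, not code from the 15 Seconds article; the file name `whoami.ashx`, the class name `WhoAmI` and the sample account `DOMAIN\svc` in the comments are assumptions.

```csharp
<%@ WebHandler Language="C#" Class="WhoAmI" %>

// whoami.ashx (assumed name) - place in the root of an ASP.NET Web application.
// Added illustrative check, not code from the article being quoted.
//
// For the current request it reports:
//   (a) the account IIS/ASP.NET authenticated (HttpContext.User), and
//   (b) the Windows account the worker thread is executing as right now
//       (WindowsIdentity.GetCurrent()), which is what NTFS ACLs, integrated
//       SQL logins and other Windows resource checks are evaluated against.
//
// What (b) shows for each <identity> setting in web.config:
//   <identity impersonate="false" />
//       -> the worker process account (aspnet_wp.exe's own account)
//   <identity impersonate="true" />
//       -> the client account IIS handed over: IUSR_machinename (or the
//          configured anonymous account) for anonymous access, the logged-in
//          user for Windows authentication
//   <identity impersonate="true" userName="DOMAIN\svc" password="..." />
//       -> the fixed account named in the tag, whoever the caller is
//
// Caveat: the third form stores a password in web.config, so lock down the
// file's ACL and keep that account's rights to the minimum the site needs.
// Remove or restrict this handler after testing; it discloses account names.

using System;
using System.Security.Principal;
using System.Web;

public class WhoAmI : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        response.ContentType = "text/plain";

        // (a) Who IIS says the caller is, as seen by ASP.NET.
        IPrincipal caller = context.User;
        bool authenticated = caller != null
            && caller.Identity != null
            && caller.Identity.IsAuthenticated;
        string callerName = authenticated ? caller.Identity.Name : "(anonymous)";
        string authType = authenticated ? caller.Identity.AuthenticationType : "(none)";

        // (b) The Windows token the servicing thread is running under.
        WindowsIdentity executing = WindowsIdentity.GetCurrent();

        // True only when the thread really took on the caller's token, i.e.
        // <identity impersonate="true" /> with Windows authentication.
        bool runningAsCaller = authenticated
            && String.Compare(executing.Name, caller.Identity.Name, true) == 0;

        response.Write("Authenticated by IIS : " + authenticated + "\r\n");
        response.Write("Caller identity      : " + callerName + "\r\n");
        response.Write("Authentication type  : " + authType + "\r\n");
        response.Write("Executing as         : " + executing.Name + "\r\n");
        response.Write("Executing as caller  : " + runningAsCaller + "\r\n");
        response.Write("Executing as SYSTEM  : " + executing.IsSystem + "\r\n");
    }

    // The handler holds no per-request state, so one instance can be reused.
    public bool IsReusable
    {
        get { return true; }
    }
}
```

Request the handler first with anonymous access and then with Windows authentication while flipping the `<identity>` tag between the three forms; the "Executing as" line is the one that moves. If "Executing as" never changes while "Caller identity" does, impersonation is off and every caller's work is done with the worker process account, which is exactly the situation the article warns you to recognise before reasoning about authorization.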
