The ASP.NET runtime is used both for developing the application Web presentation layer and as the foundation for the Web service infrastructure. As a consequence, what is said here about impersonation and identity flow will apply for Web-based presentation layers and for Web service-based application servers.
Because impersonation is a Windows functionality, first you need to choose Windows authentication for the ASP.NET authentication mode setting in the Web.config file, as shown below:
<authentication mode="Windows" />
On the IIS side, you must then disable anonymous access to the site and activate one of the available authenticated access methods: Integrated, Basic, or Digest (see Figure 1). If you use Basic authentication, the username password pair is transmitted in clear text, so the use of https is a must.
Figure 1 IIS authentication options.
At this point, the client identity is at your disposal in the ASP.NET code in the Thread.CurrentPrincipal and Page.User properties, whether you enabled impersonation or not. If you want to turn impersonation on, you must add the following line in the ASP.NET Web.config file:
<Identity impersonate="true" />
Note that you don't need to turn impersonation on when performing .NET role-based security checks. As explained, you must impersonate in case you want to access resources that are not sensible to the .NET active identity but to the Windows active identity (such as the file system or SQL server when connecting in integrated mode). You must turn impersonation on as well when the Web server connects to serviced components (remotely or in process) that have COM+ role-based security activated. If you fail to do so, security COM+ checks will be executed against the Web server application identity.