NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

ASP+ Impersonation

Impersonation refers to a concept whereby ASP+ applications execute with the identity of the client on whose behalf they’re operating. The usual reason for doing this is so that authentication and authorization issues do not have to be dealt with in the ASP+ application code. IIS is relied on to authenticate the user; it then passes an authenticated token to the ASP+ application or, if it is unable to authenticate the user, passes an unauthenticated (anonymous) token. In either case, by default, the ASP+ application impersonates whichever token it receives. The ASP+ application then relies on the NTFS permissions set on directories and files to grant or deny it (now impersonating the client) access.

It is highly recommended that the server file space be formatted as NTFS, so that access permissions can be set.

For ASP compatibility, ASP+ does per-request impersonation by default. If impersonation is enabled for a given application, ASP+ always impersonates the access token that IIS provides to ISAPI extensions. That token is either an authenticated user token or the token for the anonymous user (such as IUSR_MACHINENAME). The impersonation occurs regardless of the type of authentication used in the application and regardless of whether the user is authenticated (if the user is not authenticated, the token is the anonymous user token).

Applications that do not want per-request impersonation can simply be configured never to impersonate; they then run with their original process token. Impersonation is complicated somewhat by the demands of dynamic compilation: at a minimum, authenticated users must be able to read (and possibly write) the codegen directory.

Configuring for Impersonation

To disable impersonation for a given application domain, add the following configuration directive to the desired application configuration:

<impersonation enabled="false"/>

Adding configuration can be done by putting a configuration file in the application directory or by specifying a <webconfig> section with a location attribute specifying the application. For more information on the ASP+ configuration system, see the ASP+ Configuration Concepts section.

As is the case with other configuration directives, this directive applies hierarchically. It is respected by nested applications in the hierarchy, unless explicitly overridden. As stated previously, the default value for this setting is as follows:

<impersonation enabled="true"/>

A minimal configuration file to enable impersonation for an application might look similar to the following example:

<!-- config.web file -->
<security>
    <identity>
        <impersonation enabled="true"/>
    </identity>
</security>