As mentioned in the <a href="/quickstart/aspplus/doc/securityoverview.aspx">Security Overview</a>, impersonation refers to a process whereby a server application executes with the identity of the entity it's performing work on behalf of. What this means for a Web application is that if a server is impersonating, it's doing work using the identity of the client making the request.
<p>
By default, ASP+ does not do per-request impersonation. This is a different from ASP, which does impersonate on every request. If desired, an application can be configured to impersonate on every request with the following configuration directive:
<p>
<div class="code"><xmp>
<security>
<identity>
<impersonation enable="true" />
</identity>
</security>
</xmp></div>
<p>
Since ASP+ does dynamic compilation, enabling impersonation requires that all accounts have read/write access to the application's "codegen" directory (where dynamically compiled objects are stored by the ASP+ runtime) as well as the global assembly cache (%windir%\assembly). Some applications will require impersonation to be enabled for ASP compatibility or to use Windows authentication services.
