Identity Impersonation question.

[Peter Johansen]

Hi,

I have a server that I use for shared hosting. For security reasons, I set
<identity impersonate="true" /> in my machine.config file, and set
allowOverRide="false" to prevent individual webs from impersonating anything
other than the IIS anonymous account.

The problem now is that I would actually like to impersonate a non-anonymous
user for one specific web application. This web application will allow users
to change their passwords so it can not be run under an anonymous identity.
I know I can change the the IIS anonymous user to an admin user, but I don't
really want to do that either.

Basically, all I need to do then is to find a way to prevent impersonation
for all web applications EXCEPT for this one web application.

Is this possible through machine.config or some other way?

Thanks - Peter

 

[Paul Glavich [MVP - ASP.NET]]

I am not sure I fully understand your requirements but I think you can
either NOT set the impersonation via machine.config and do it only for
individual webs (I know you mentioned you dont want to allow singular webs
to override this) or you could disable anonymous auth in IIS and use Window
Integrated only. If the users are not a member of a domain, then setup
user(s) on the local machine and use that for authentication/authorisation.