Home/ Questions/Q 514331
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T07:30:49+00:00

When a user browses to a ASP.NET website, is the user impersonating the ASPNET

  • 0

When a user browses to a ASP.NET website, is the user impersonating the ASPNET account or the account specified in IIS->Directory Security->Account used for anonymous access (EX: IUSR_XXX)

My website writes files to the disk and I was wondering which of these accounts need write access to the folder? Also, can someone explain how the impersonate element in the web.config ties into all this?

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If impersonation is enabled in an ASP.NET application then:

    • If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
    • If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
    • In either case, permissions for the account are checked in the Windows Access Control List (ACL) for the resource(s) that a user requests, and a resource is only available if the account they are running under is valid for that resource.

    If impersonation is disabled in an ASP.NET application then:

    • If anonymous access is enabled in IIS, the request is made using the system-level process account.
    • If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
    • In either case, permissions for the account are checked in the Windows ACL for the resource(s) that a user requests, and a resource is only available if the account they are
      running under is valid for that resource.

    Source: Understanding Impersonation in ASP.NET

    • 0