ASP.Net Impersonation

[Mark Miller]

I am trying to understand Impersonation in the ASP.Net context. Here's what
I DO understand:
-Using Windows Authentication with impersonation="true" means that the
aspnet_wp will try and access the resource with the authenticated user's
credentials (token). If access is denied I get an IIS access denied message.
-I can set NTFS permissions on a file/folder and control access w/o using
code simply by assigning rights by user or group.
-setting impersonation="false" still authorizes the user using NTFS
permissions, but instead it is the aspnet_wp account that accesses the file
and checks the permissions. Then if access is denied ASP.Net throws an
exception.
Here's what I DON'T understand:
-What's the difference then between Windows Authentication with
impersonation turned on, and windows impersonation turned off? Other than
where the authorization takes place (ie. aspnet_wp or NTFS).
-When would I want to use one over the other?

Thanks in advance,
Mark Miller

 

[Paul Glavich [MVP ASP.NET]]

You also need to remember that IIS authentication is performed BEFORE
ASP.Net gets a chance to do anything with it. IIS determines which identity
or user context is passed to ASP.Net for which it can then do impersonation
if required.

It basically comes down to what user context you want your code to run in,
either the ASPNET/NEtwork Service user, the IUSR_..... user, or the
authenticated user from a domain