Windows Authentication with Impersonation and Windows Authentication without Impersonation


The configuration elements below show how to enable Windows (IIS) authentication and impersonation in Web.config or Machine.config.


<authentication mode="Windows" />
<identity impersonate="true" />

When you use Windows authentication together with impersonation, the following authorization options are available to you:

Client Requested Resources
The ASP.NET FileAuthorizationModule performs access checks for requested file types that are mapped to the ASP.NET ISAPI.

Resources Accessed by Your Application
You can configure Windows ACLs on resources accessed by your application.

URL Authorization
Configure URL authorization in Web.config. With Windows authentication, user names take the form DomainName\UserName and roles map one-to-one with Windows groups.

<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>

Explicit Role Checks
You can perform role checking using the IPrincipal interface.

// HttpContext.Current.User is the IPrincipal for the authenticated caller
HttpContext.Current.User.IsInRole(@"DomainName\WindowsGroup");

Enterprise Services (COM+) Roles
You can perform role checking programmatically using the ContextUtil class.

ContextUtil.IsCallerInRole("Director")

When to Use
Use Windows authentication and impersonation when:
Your application’s users have Windows accounts that can be authenticated by the server.

You need to flow the original caller's security context to the middle tier and/or data tier of your Web application to support fine-grained (per-user) authorization.

The disadvantages of impersonation include:
Reduced application scalability due to the inability to effectively pool database connections.

Delegation requires Kerberos authentication and a suitably configured environment.

Windows Authentication without Impersonation
The configuration elements below show how to enable Windows (IIS) authentication with no impersonation declaratively in Web.config.

When you use Windows authentication without impersonation, the following authorization options are available to you:

Client Requested Resources
The ASP.NET FileAuthorizationModule performs access checks for requested file types that are mapped to the ASP.NET ISAPI.

URL Authorization
Configure URL Authorization in Web.config. With Windows authentication, user names take the form DomainName\UserName and roles map one-to-one with Windows groups.

<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>
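
An added example, not part of the original article: a complete Web.config fragment for Windows authentication without impersonation, combined with URL authorization. ASP.NET checks authorization rules from top to bottom and stops at the first match, and the inherited default configuration allows all users, so the fragment ends with an explicit deny. The DomainName values are the same placeholders the article uses, and the explicit impersonate="false" setting is an assumption of this example.

```xml
<configuration>
  <system.web>
    <!-- IIS authenticates the caller; ASP.NET receives the Windows identity -->
    <authentication mode="Windows" />
    <!-- No impersonation: code runs as the fixed process identity,
         which is what allows database connections to be pooled -->
    <identity impersonate="false" />
    <authorization>
      <!-- Rules are evaluated top to bottom; the first match wins -->
      <deny users="?" />                         <!-- unauthenticated callers -->
      <deny users="DomainName\UserName" />       <!-- one named account -->
      <allow roles="DomainName\WindowsGroup" />  <!-- members of this Windows group -->
      <!-- Without this final rule the inherited allow-all default
           admits every other authenticated user -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```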

Explicit Role Checks
You can perform role checking using the IPrincipal interface.

// HttpContext.Current.User is the IPrincipal for the authenticated caller
HttpContext.Current.User.IsInRole(@"DomainName\WindowsGroup");

When to Use
Use Windows authentication without impersonation when:
Your application’s users have Windows accounts that can be authenticated by the server.



You want to use a fixed identity to access downstream resources in order to support connection pooling.


About Bijay Kumar

I am Bijay from Odisha, India. Currently working in my own venture TSInfo Technologies in Bangalore, India. I am a Microsoft Office Servers and Services (SharePoint) MVP (5 times). I work in SharePoint 2016/2013/2010, SharePoint Online Office 365 etc. Check out My MVP Profile. I also run the popular SharePoint web site SharePointSky.com
