Limiting access to an application is generally divided into two topics: authentication, which is how an application identifies who you are, and authorization, which is how an application identifies what you have permission to do. This topic provides an overview of authentication and authorization in ASP.NET Web applications. For more detailed information, see ASP.NET Web Application Security.
Authenticating Users
ASP.NET applications offer several different options for authenticating users. For read-only applications that can be viewed by anyone, use anonymous authentication. For more restricted access to an application, you need to use some form of authentication to identify users. There are two identities that you should consider when authenticating users for your ASP.NET application: the application identity that is used to access Windows resources and the ASP.NET user identity that is used to identify a user to ASP.NET.
Your application can run without an ASP.NET user identity, but you will always have a Windows application identity. To help secure your application, you should restrict the Windows identity for the application to the required resources, such as file and database access.
ASP.NET Application Identity
When an ASP.NET page is executing, the server must have a security context, or identity, for the process that is executing the ASP.NET code. This identity is used when securing resources using Windows Integrated security, such as files protected using the NTFS file system or network resources.
For example, the files that contain the application code stored in the App_Code subdirectory of an application only need to be read by the ASP.NET application identity. Therefore, the security settings for the files in the App_Code directory can be restricted so that the ASP.NET application identity has Read access only. Another common use of the Windows identity of the ASP.NET application is as the identity of a connection to a SQL Server using Integrated Security. For more information, see ASP.NET Required Access Control Lists (ACLs) and How to: Access SQL Server Using Windows Integrated Security.
The identity of an ASP.NET application is determined by several factors. By default, ASP.NET pages run with the Windows identity of the service that processes ASP.NET pages on the Web server. On a computer running Windows Server 2003, that identity is the identity of the application pool that the ASP.NET application is a part of (by default, the NETWORK SERVICE account). On computers running Windows 2000 and Windows XP Professional, the identity is the local ASPNET account that is created when the .NET Framework is installed. This identity can be configured to a different identity if desired. For more information, see Configuring ASP.NET Process Identity.
You can modify the Windows identity that your ASP.NET page runs as by using the
If you are impersonating a Windows identity, you can execute code that reverts to the original identity of the process instead of the impersonated user ID. For this reason, in environments where you need to keep one application separate from another, you should isolate the applications in separate application pools on computers running Windows Server 2003. Each application pool should be configured with a unique Windows identity.
You can easily determine the Windows identity of the operating system thread that your ASP.NET page is running by using the
<%=System.Security.Principal.WindowsIdentity.GetCurrent().Name%>
ASP.NET User
The ASP.NET user identity is used to access ASP.NET-specific resources. For example, you can identify a portion of your application that is only available to certain users, while other portions of your application are available to all users.
The ASP.NET user is determined by the authentication element of the system.web section of the Web.config file for your application. You have several options for authenticating the ASP.NET identity for your application. You can use the Windows user name that is determined by IIS, ASP.NET Forms authentication, Passport authentication, or a custom authentication scheme. The ASP.NET identity can be accessed using the
If you are using ASP.NET Forms authentication or a custom authentication solution to provide the ASP.NET identity, you can use ASP.NET membership to provide a user data store and user management functionality. For more information, see Managing Users by Using Membership.
Authorizing Users
Authorization involves restricting user access to only those resources that are required. This includes restricting access to only the required files, databases, and portions of your application. In addition, this includes using Code Access Security to restrict access to code.
You can restrict file access by using NTFS access control lists and the
You can restrict access to portions of your application by using the
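As an added example that is not part of the original article or of Microsoft's documentation set, the following Web.config ties together the three configuration points discussed above: the application's Windows identity (the identity element), the ASP.NET user identity (the authentication element of the system.web section), and authorization for portions of the application (the authorization and location elements). The directory names Public and Admin, the role name Administrators, the cookie name .APPAUTH and the login page Login.aspx are assumptions chosen for illustration, not values from the article.

```xml
<?xml version="1.0"?>
<!-- Added example Web.config (not from the original article). The paths "Public"
     and "Admin", the role "Administrators", the cookie name ".APPAUTH" and the
     page "Login.aspx" are placeholders chosen for illustration. -->
<configuration>
  <system.web>
    <!-- Application identity: with impersonate="false" (the default) page code runs
         as the worker process or application pool account. Setting it to "true"
         with no user name runs page code as the IIS-authenticated Windows user.
         Impersonated code can still revert to the process identity, so isolation
         between applications comes from separate application pools, not from
         this element. -->
    <identity impersonate="false" />

    <!-- ASP.NET user identity: Forms authentication issues a ticket after the user
         signs in at Login.aspx and redirects unauthenticated requests for protected
         content there. requireSSL="true" keeps the ticket cookie off plaintext HTTP,
         so the site must be served over HTTPS for sign-in to work. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".APPAUTH" timeout="30"
             requireSSL="true" slidingExpiration="true" protection="All" />
    </authentication>

    <!-- Role membership for Forms-authenticated users comes from the role
         provider configured for Role Manager; with Windows authentication it
         would come from Windows group membership instead. -->
    <roleManager enabled="true" />

    <!-- Site-wide rule: anonymous users ("?") are denied everywhere unless a
         <location> section below opens a specific path. Rules are evaluated from
         the most specific location outward, top to bottom, first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Public portion of the application: all users ("*"), including anonymous
       users, may read the pages under /Public. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must be reachable by anonymous users, otherwise the
       redirect to it is denied and nobody can sign in. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Restricted portion: only members of the Administrators role. The trailing
       deny is essential: without it an authenticated user who is not an
       administrator falls through to the inherited rules, and the default rule in
       the machine-level configuration allows all users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points in this file are where misconfigurations most often show up in review. First, an authorization section that only contains allow rules does not restrict anything on its own, because the root configuration's allow for all users is still consulted after the application's rules; every restricted location should end with an explicit deny. Second, the ASP.NET user identity configured here is independent of the Windows application identity: the page code in the Admin directory still reads files and opens SQL Server connections as the application pool account, so NTFS and database permissions for that account must be set separately from the authorization rules above.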