Understanding impersonation permissions

I have an ASP.NET web application using Windows authentication and impersonation. Here's the relevant part of web.config:

<authentication mode="Windows"/>
<identity impersonate="true"/>

The application code now tries to access a file (XDocument.Load) that the authenticated user has access to. This worked perfectly fine until today, when we started getting the following exception instead:

System.UnauthorizedAccessException: Access to the path '...' is denied.

(Obviously, the admin tells me that "nothing has changed on the server".)

I was able to "fix" the issue by granting the application pool identity permission to the file. However, I don't understand why this fixed the problem.

My question: If impersonation is used, why is it still necessary for the application pool identity to have access to the files used? Do both the impersonated user and the application pool identity need access? Or only the application pool identity? If the latter, what's the point of impersonation?

Heinzi Avatar asked Nov 09 '22 08:11



1 Answer

The website accesses the disk by using the w3wp.exe worker process, which is essentially the application pool. The identity set for that app pool (e.g. IIS Apppool\Site001) is used in some situations on disk.

When using Windows authentication, the application pool identity (e.g. IIS Apppool\Site001) is used for some access but the Windows account (e.g. User1) is used for other access. It depends on the impersonation settings of your application or framework that you’re using. Therefore, you would generally need to grant access to the application pool identity, plus every Windows account (e.g. User1, User2, User99) which needs access to your site.

Here are some quotes from Scott Forsyth's article. If I understood you correctly, this article should help.

mybirthname Avatar answered Nov 14 '22 23:11

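The answer states that the application pool identity is used for some disk access and the impersonated Windows account for other access. The following diagnostic handler is an added example, not code from the question or the answer, that makes this visible: it prints the request principal, the Windows token the current thread holds, and the worker process (app pool) identity, then attempts the same XDocument.Load as each of the two accounts so the output shows which one the file's ACL rejects. It assumes classic ASP.NET (System.Web on .NET Framework) configured exactly as in the question; the handler name WhoAmIHandler and the path in TargetPath are hypothetical placeholders.

```csharp
// WhoAmIHandler - added diagnostic, not code from the original question or answer.
// Assumes classic ASP.NET (System.Web, .NET Framework) with the question's settings:
//   <authentication mode="Windows"/> and <identity impersonate="true"/>.
// The class name and TargetPath are hypothetical; point TargetPath at the file that fails.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Xml.Linq;

public class WhoAmIHandler : IHttpHandler
{
    // Hypothetical path; replace with the file XDocument.Load is failing on.
    private const string TargetPath = @"C:\inetpub\data\settings.xml";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse res = context.Response;
        res.ContentType = "text/plain";

        // 1. The principal ASP.NET attached to the request: the authenticated browser user.
        string requestUser = (context.User != null && context.User.Identity != null)
            ? context.User.Identity.Name
            : "(anonymous)";

        // 2. The Windows token the current thread actually holds. With impersonate="true"
        //    this should be the same account as requestUser; if it shows the app pool
        //    account instead, impersonation is not in effect at this point in the code.
        string threadUser = WindowsIdentity.GetCurrent().Name;

        // 3. The account the w3wp.exe worker process runs as (the application pool identity).
        //    Impersonate(IntPtr.Zero) reverts this thread to the process token; disposing
        //    the returned context restores the impersonated token.
        string processUser;
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            processUser = WindowsIdentity.GetCurrent().Name;
        }

        res.Write("Request principal : " + requestUser + Environment.NewLine);
        res.Write("Thread identity   : " + threadUser + Environment.NewLine);
        res.Write("App pool identity : " + processUser + Environment.NewLine);
        res.Write(Environment.NewLine);

        // 4. Perform the same file access the application performs, once as the thread's
        //    current (impersonated) identity and once as the app pool identity, so the
        //    output shows which of the two accounts the file's ACL is rejecting.
        res.Write(TryLoad(TargetPath) + Environment.NewLine);
        using (WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            res.Write(TryLoad(TargetPath) + Environment.NewLine);
        }
    }

    // Attempts XDocument.Load and reports the identity used and the outcome instead of throwing.
    private static string TryLoad(string path)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        try
        {
            XDocument doc = XDocument.Load(path);
            return "Load as " + who + ": OK (root element <" + doc.Root.Name + ">)";
        }
        catch (UnauthorizedAccessException ex)
        {
            return "Load as " + who + ": DENIED - " + ex.Message;
        }
        catch (IOException ex)
        {
            return "Load as " + who + ": I/O error - " + ex.Message;
        }
    }
}
```

Save the class in a .ashx file with a `<%@ WebHandler Language="C#" Class="WhoAmIHandler" %>` directive (or compile it into the site and register it under system.webServer/handlers) and request it while signed in as the user who gets the exception. If the first "Load as" line succeeds and the second is denied, the app pool account is the one missing read access, which is the situation the question describes; if "Thread identity" already shows the app pool account on the request thread, impersonation is not applied at that point and the user's ACL entry is never consulted. Because the handler reveals account names and probes a file on behalf of two identities, restrict it with a `<location>`/`<authorization>` element to administrators and remove it once the ACL question is settled.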