Pierre posted an entry about impersonation in ASP.NET scenarios.

There are several scenarios where you have to use impersonation in ASP.NET. Consider, for example, that you have to save and load files from a network share (file server). In that case, if the web site accepts anonymous authentication, you have to impersonate a Windows user who has enough privileges to access that resource.

You have three choices (I guess):

  1. Elevate the ASP.NET process identity - worst case since you could compromise the whole site security
  2. Impersonate a Windows user during the single call (http://blogs.msdn.com/shawnfa/archive/2005/03/22/400749.aspx)
  3. Demand the task to a COM+ server application

I think that the last is the best since we have more security and maintenance control.

I agree with him that “Demand the task to a COM+ server application” is the best way of the three he listed. But for me impersonation is still a don’t.

By the way, I wanted to post this as a comment, but comments on this post are closed. Yes, this is some criticism of weblogs.asp.net :-) …

So here is my opinion as a post in my blog:

Avoid impersonation! If you need to redirect a binary that is located on a different box than the webserver to the client, utilize another IIS on the 2nd machine or write a service that returns the binary data.