Assume your ASP or ASP.NET page needs to access a network share or some other domain resource, but you need to run that page under a different account other than the default anonymous user account. Let’s say you want to run it under your domain username. When you try to run an ASP or ASP.NET page under your account initially, you may get an “ASP.NET is not authorized to access the requested resource” error.
For the solution, you have a few options:
- Choose Windows authentication in the web.config file
<authentication mode="Windows" />
- Disable anonymous access in IIS and instead choose Integrated, Basic (not recommended), or Digest.
- Add the identity tag to your web config
<identity impersonate="true" userName="YOURDOMAINyourusername" password="yourpassword"/>
- Ensure the aspnet_wp process has the “Act as part of the operating system” privilege by assigning that privilege to the ASPNET account.
The above steps should get you further along towards accessing network shares, deleting system files, or whatever other nefarious deed you had in mind. 🙂
Other References:
ASP.NET Identity Matrix
ASP.NET Impersonation