c# - ASP.NET Impersonate in .NETFramework 2 VS .NETFrameWork 4

Question

We have an ASP.NET Site in .NetFramework 2 (with App Pool 2 Classic in IIS 7.5), We use mixed Authentication with Basic Authenticate and Form Authenticate.

The Configuration in IIS is:

And have specific user in Anonymous Authentication named: Guest.

When The user Login with another username like Admin we use impersonate:

string Token = GetSpecificTokenOfCurrentUser();
System.Security.Principal.WindowsIdentity WinUser = (WindowsIdentity) HttpContext.Current.Application["User_"+Token];
WinUser.Impersonate();

So every thing is perfect until we upgrade website to .NetFramework 4 and add a lot of features in .NET 4 to website, and we figured we have a new Problem.

The problem is the user login with Admin And open some pages (3-4) all together in same time, like quickly opened in new tab, the User Not impersonated in some cases. Like the first page impersonated correctly to Admin but another pages not impersonated and still have Guest User.

This is so weird, we don't have any changes in Authentication Part. the changes is we upgrade to .NetFrameWork 4 and App Pool is .NetFrameWork 4 - Classic.

We have a test in .Net 2 Version Of Website. every thing is OK, but we change the App Pool to .NetFrameWork 4 and the problem was shown.

So The question is what changes happened in .NetFramework 4 App Pool to Impersonate?

Is there any thing we missed? any suggestion?

Answer 1

I found Some points:

1- The Multi-Request behaves like Parallel processing, and as you know in classic mode we have some limitations with parallelism.

2- In Integrated mode we have some limitations in Impersonate Enable. The default behavior of Enable Impersonate is 500.24 Error: Internal Server Error An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode" if we want enable impersonate we need to add <validation validateIntegratedModeConfiguration="false"/> to <system.webServer> in web.config, So we don't get the error, but steel we have another limitation. The impersonate commands not worked in Begin_RequestAnd in AuthenticateRequest Methods, anything else worked perfectly.

The Breaking Changes for ASP.NET 2.0 applications running in Integrated mode on IIS 7.0 is very good article in this case.

So the solution is

Move to Integrated mode (Need Add tag) And Use Impersonate in any other methods instead of Begin_Request or AuthenticateRequest.