Developing Web Applications with the Web ADF - ASP.NET Integration  

ASP.NET Identity and Impersonation

Every web application in ASP.NET runs with a specific identity. This identity is based on a user account on the local machine or domain. The application uses this identity when it accesses resources on disk or services. If the account does not have rights to the resource, the web application will not be able to use the resource.

By default, ASP.NET applications run under a common account, typically ASPNET (for Windows XP) or Network Service (for Windows Server 2003). These accounts have limited permissions to use disk and service resources. They do not, for example, have the ability to access ArcGIS Server local data sources.

Impersonation is where the web application assumes a different identity from the default. Impersonation enables the application to access resources available to the account used in the impersonation. To access ArcGIS Server local data sources, for instance, the web application must impersonate a user in the agsusers or agsadmin group.

Impersonation can be configured to be used for the web application on startup, by adding an <identity> tag to the web.config file. Impersonation can also be implemented dynamically in code, so that it can be turned on and off as needed.
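
As an added illustration of the dynamic option, the C# class below (example code written for this page, not part of the Web ADF) impersonates the account configured in the web.config <identity> element only for the duration of one callback and then reverts to the process identity. It assumes an ASP.NET 2.0 application whose <identity> element carries userName and password (the configuration system decrypts a protected section transparently when it is read) and calls the Win32 LogonUser and CloseHandle functions through P/Invoke. The class name, the delegate name and the choice of LOGON32_LOGON_INTERACTIVE as logon type are this example's own.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.Configuration;

// Added example, not part of the Web ADF or its documentation.
// Impersonates the account stored in the web.config <identity> element for the
// duration of one callback, then reverts to the process identity. Assumes an
// ASP.NET 2.0 site whose <identity> element has userName and password set
// (encrypted or plain: a protected section is decrypted transparently when read).
public static class ScopedImpersonation
{
    // Work to run under the impersonated identity (hypothetical delegate name).
    public delegate void ImpersonatedWork();

    // Logon constants from winbase.h. INTERACTIVE is chosen here so the token
    // can reach out-of-process and remote ArcGIS Server objects; NETWORK would not.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string userName, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Reads the <identity> section. Returns null when no credentials are configured,
    // so the caller runs under the process identity instead.
    private static IdentitySection ReadIdentity()
    {
        IdentitySection section =
            (IdentitySection)WebConfigurationManager.GetSection("system.web/identity");
        if (section == null || string.IsNullOrEmpty(section.UserName))
            return null;
        return section;
    }

    // Splits "mydomain\myusername" into its parts. A bare user name is a local
    // account; LogonUser validates it against the local database when domain is ".".
    private static void SplitAccount(string qualified, out string domain, out string user)
    {
        int slash = qualified.IndexOf('\\');
        if (slash < 0)
        {
            domain = ".";
            user = qualified;
            return;
        }
        domain = qualified.Substring(0, slash);
        user = qualified.Substring(slash + 1);
    }

    // Runs 'work' as the configured account. The impersonation context is undone
    // even if 'work' throws, and the logon token handle is always closed.
    public static void RunAs(ImpersonatedWork work)
    {
        IdentitySection identity = ReadIdentity();
        if (identity == null)
        {
            work();
            return;
        }

        string domain, user;
        SplitAccount(identity.UserName, out domain, out user);

        IntPtr token;
        if (!LogonUser(user, domain, identity.Password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new UnauthorizedAccessException(
                "LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
        }

        try
        {
            // WindowsIdentity duplicates the token, so the original can be closed below.
            WindowsIdentity windowsIdentity = new WindowsIdentity(token);
            using (WindowsImpersonationContext context = windowsIdentity.Impersonate())
            {
                work();   // e.g. open the ArcGIS Server local data source here
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Usage from a page, for example in Page_Load:
//   ScopedImpersonation.RunAs(delegate { /* touch the local data source here */ });
```

When <identity impersonate="true"> is set in web.config, the whole request already runs as that account and this class is unnecessary. It is the dynamic alternative the paragraph describes: only the data-source call runs with the ArcGIS identity, and the rest of the request keeps the lower-privileged process account.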

The following table describes the identity of the Web application process depending on some common IIS and ASP.NET settings:

Operating System | IIS: Anonymous | IIS: Integrated | ASP.NET: Impersonate in Web.Config | Identity
Windows 2000     | Either         | Either          |                                    | ASPNET
                 | Yes            | Either          | True                               | IUSR_<machinename>
                 | No             | Yes             | True                               | Browser user
                 | Either         | Either          | True with defined user             | User in Web.Config
Windows XP       | Either         | Either          |                                    | ASPNET
                 | Yes            | Either          | True                               | IUSR_<machinename>
                 | No             | Yes             | True                               | Browser user
                 | Either         | Either          | True with defined user             | User in Web.Config
Windows 2003     | Either         | Either          |                                    | NETWORK SERVICE
                 | Yes            | Either          | True                               | IUSR_<machinename>
                 | No             | Yes             | True                               | Browser user
                 | Either         | Either          | True with defined user             | User in Web.Config


ArcGIS Identity

If a Web ADF application uses ArcGIS Server local data sources, then the application must contain an ArcGIS identity. The ArcGIS identity does not need to be set for ArcGIS Server Internet data sources or for other data sources used in the Web ADF, such as ArcIMS or WMS.

This identity is stored in the web.config file in the web application. It is used to impersonate the user to enable accessing the data source.

Requirements for the ArcGIS identity account


Setting the ArcGIS identity using Visual Studio

The easiest approach for setting the identity is to use a Visual Studio context menu that was added and configured when the Web ADF was installed. To use this approach:

  1. Using Visual Studio, open the website on the Web server.
  2. Right-click the web application name in Solution Explorer and choose Add ArcGIS Identity.
  3. Enter the new username, password and machine name or domain. Ensure that the check-box for encrypting the credentials is enabled. Then click OK. Save the web.config file.
  4. Verify that the identity tag has been updated in web.config.


Setting the ArcGIS identity manually

If Visual Studio is not available on the Web server computer, you can manually set or update the ArcGIS identity.

  1. Open the web.config file in a text editor, such as Notepad.
  2. Find the identity XML tag. The contents of this tag may vary, depending on whether the identity was encrypted when it was added. An encrypted identity will look like this:
    <identity configProtectionProvider="DataProtectionConfigurationProvider">
       <EncryptedData>
          <CipherData>
             <CipherValue>AQA…vA==</CipherValue>
          </CipherData>
       </EncryptedData>
    </identity>

    If the identity tag does not exist, you can create it as shown below. Make sure it is within the <system.web> section of web.config.
  3. Set or update the identity to a user in the agsusers group on the GIS server. See above for requirements for the user account.

    The following is the recommended procedure to set and encrypt the identity:
    1. Modify the identity XML tag to contain the account information you wish to use. Use the standard format for an identity tag in ASP.NET, similar to the following:
      <identity impersonate="true" userName="mydomain\myusername" password="mypassword" />
      If using a local machine account, the domain name (mydomain) may be omitted from the userName value, or the local machine name may be used. If the Web server and GIS server are on separate machines, you must omit the machine name for local accounts.

      Save the web.config file.
    2. Test the web application on this Web server to ensure that the identity is correctly recognized.
    3. Encrypt the identity using the standard aspnet_regiis tool. Although normally the web.config file cannot be viewed by browser users, if the Web server is compromised it may be possible for the credentials to be viewed by unauthorized users. To use aspnet_regiis, open a .NET command prompt from Start --> (All) Programs --> Microsoft .NET Framework SDK v2.0 --> SDK Command Prompt.
    4. Type in the command to encrypt the identity section in web.config. For example:
      aspnet_regiis -pe "system.web/identity" -app "/MyWebMappingApp" -prov "DataProtectionConfigurationProvider"
      where "/MyWebMappingApp" is the URL of the web application on the local IIS server. 

      If the website uses the File System option now available in Visual Studio, where the built-in Web server is used, the following will encrypt the identity section using a file path (note the -pef option and omission of the -app option):
      aspnet_regiis -pef "system.web/identity" "C:\MyWebFolder\MyWebMappingApp" -prov "DataProtectionConfigurationProvider"
      The above examples use the .NET DataProtectionConfigurationProvider, which uses a machine-specific key for encryption, so a web.config encrypted on one server cannot be decrypted on another. If you need to deploy the same application to multiple servers, such as in a Web Farm, you should use the RsaProtectedConfigurationProvider, which allows export and import of encryption keys. See this Microsoft article for details: How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA.
  4. The identity is now updated and encrypted in the web.config file. The web mapping application should run normally and use the encrypted identity to access the ArcGIS Server local resource.
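
The same protection the aspnet_regiis commands apply can be checked and applied from code with the .NET configuration API. The C# class below is an added example written for this page, not part of the Web ADF: it reports whether system.web/identity is already encrypted and encrypts it if not, with the provider name chosen by the caller (DataProtectionConfigurationProvider for a single server, RsaProtectedConfigurationProvider for a Web Farm, matching the two cases above). It assumes it runs on the Web server with write access to web.config; the class and method names are this example's own.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not Web ADF code. Verifies and, if needed, encrypts the
// system.web/identity section of a site's web.config with the same protected
// configuration providers aspnet_regiis uses. Must run on the Web server with
// write access to web.config (DataProtectionConfigurationProvider keys are
// machine-specific, so the encryption has to happen where the site runs).
public static class IdentitySectionProtector
{
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // True when the identity section is already encrypted (i.e. it carries a
    // configProtectionProvider attribute rather than plain-text credentials).
    public static bool IsIdentityProtected(Configuration config)
    {
        ConfigurationSection section = config.GetSection("system.web/identity");
        return section != null && section.SectionInformation.IsProtected;
    }

    // Encrypts the section if it is still plain text. Returns true when web.config
    // was changed, false when it was already protected.
    public static bool ProtectIdentity(Configuration config, string providerName)
    {
        ConfigurationSection section = config.GetSection("system.web/identity");
        if (section == null)
            throw new InvalidOperationException("No system.web/identity section in web.config.");
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;   // write the section even if unchanged otherwise
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // IIS site addressed by virtual path, e.g. "/MyWebMappingApp"
    // (the equivalent of aspnet_regiis -pe "system.web/identity" -app "/MyWebMappingApp").
    public static bool ProtectSite(string virtualPath, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        return ProtectIdentity(config, providerName);
    }

    // File-system site (Visual Studio built-in Web server), e.g. @"C:\MyWebFolder\MyWebMappingApp"
    // (the equivalent of aspnet_regiis -pef "system.web/identity" <folder>).
    public static bool ProtectFolder(string physicalPath, string providerName)
    {
        WebConfigurationFileMap map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalPath, true));
        Configuration config = WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
        return ProtectIdentity(config, providerName);
    }
}

// Usage from a one-off console tool run on the Web server:
//   bool changed = IdentitySectionProtector.ProtectSite("/MyWebMappingApp",
//                                                       IdentitySectionProtector.DpapiProvider);
```

Calling IsIdentityProtected from a post-deployment check, and failing the deployment when it returns false, catches the common case where a fresh web.config with the plain-text identity is copied over the encrypted one during an update.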

An alternative option to the encryption with aspnet_regiis is to encrypt the credentials for the identity within the Registry. To do this, use the Aspnet_setreg utility. This utility is available, with instructions, from Microsoft at http://support.microsoft.com/default.aspx?scid=kb;en-us;329290.