djsumdog

Reputation: 2710

ASP.NET Impersonation is cleared on application deployment (but I don't want password in web.config)

So I'm using IIS7 on both my Windows 7 Ultimate box and a Windows 2008 server. Whenever I deploy my application (I'm just manually copying right now), ASP.NET Impersonation gets disabled. I have a special AD user set up that has permissions to the specific database tables I need to use.

I can just re-enable it every time and it keeps the username and password, but it gets annoying. I realize you can turn on <identity impersonate="true"/> in the web.config, but when I deploy an app this way, it removes the username/password from the IIS config and switches it back to "Authenticated User" instead of "Specific User" with the credentials I set earlier. I don't want to put the username and password in the web.config itself.

Is there any way to get IIS (through a web.config setting?) to keep ASP.NET Impersonation enabled and use the username/password I set up in the IIS7 management console?

Upvotes: 1

Views: 2717

Answers (2)

djsumdog

Reputation: 2710

I've found the best solution has been to set <validation validateIntegratedModeConfiguration="false" /> under the system.webServer section in the web.config as well as setting <identity impersonate="true" /> in the system.web section.

Then set the username and password in the basic settings of the application in the IIS7 manager. The authentication information is saved in the IIS7 settings/registry and will cascade down to the application level.

Upvotes: 2
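
A pre-deployment check for the layout described in the answer above, as an added example that is not part of the original answer: it confirms that web.config enables impersonation and disables integrated-mode validation, and flags any userName/password left on the identity element. The function name, finding labels and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the layout the answer describes, with no credentials in the file.
GOOD = """<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>
</configuration>"""

# Constructed sample: credentials embedded in web.config (placeholder values).
BAD = """<configuration>
  <system.web>
    <identity impersonate="true" userName="EXAMPLE\\svc_app" password="placeholder" />
  </system.web>
  <system.webServer />
</configuration>"""


def check_web_config(xml_text):
    """Return a list of findings; an empty list means the file matches the answer's layout."""
    root = ET.fromstring(xml_text)
    findings = []
    identity = root.find("system.web/identity")
    if identity is None or identity.get("impersonate", "").lower() != "true":
        findings.append("impersonation-not-enabled")
    else:
        # Credentials belong in the IIS settings, not in the deployed file.
        for attr in ("userName", "password"):
            if identity.get(attr):
                findings.append("plaintext-" + attr)
    validation = root.find("system.webServer/validation")
    flag = ""
    if validation is not None:
        flag = validation.get("validateIntegratedModeConfiguration", "")
    if flag.lower() != "false":
        findings.append("integrated-mode-validation-not-disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, check_web_config(text) or "ok")
```
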

Porco

Reputation: 4203

Why don't you encrypt your connection strings? Then it doesn't matter if the username/password is in the web.config.

Encrypting Connection Strings in Web.config

Upvotes: 0
