Iain

Reputation: 115

IIS 7 asp.net application - pass through windows authentication from client to Sharepoint web service (not app pool account)

I'm a little stuck configuring IIS to enable full "pass through" authentication on a web app that communicates with Sharepoint 2010 web services in the code behind. This all runs on a local domain.

I've set the site up as "Windows" authentication in the web.config:

The "asp:LoginName" control displays my domain\user id correctly when the app is deployed to the site.

Everything works fine, however all the work done in the back end connecting to Sharepoint runs under the AppPool account, not the user logged in running the site.
For audit reasons, I want to be able to run everything as the user that is running the site, not the app pool account.

Can I configure the App Pool to use (or impersonate) the client user account? I thought this would be straightforward, but I'm struggling to see what I have to do to enable this in IIS.

Upvotes: 0

Views: 5412

Answers (1)

Jeremy McGee

Reputation: 25200

Impersonation isn't set up in IIS; rather, it's configured through the ASP.NET application itself in web.config.

See http://support.microsoft.com/kb/306158 for more details, but in brief: as you find that the ASP.NET LoginName control sees your credentials, your user principal is set correctly. So, just including

<identity impersonate="true" />

in your web.config file should work fine.

Upvotes: 2
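An added example, not part of the original answer: the code-behind alternative to site-wide `<identity impersonate="true" />`, which impersonates the Windows-authenticated caller only around the outbound SharePoint request and checks the effective identity before sending, so the audit trail shows the user rather than the app pool account. The class name, method name and SharePoint URL are placeholders; it assumes .NET Framework, and when SharePoint runs on a different server than IIS the user's credentials only travel that second hop if Kerberos delegation is configured.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

// Hypothetical helper for illustration; not from the original post.
public static class SharePointAsUser
{
    // Placeholder endpoint: substitute your own site's web service URL.
    private const string ListsServiceUrl =
        "http://sharepoint.example.local/_vti_bin/Lists.asmx";

    public static string FetchWsdlAsCaller(HttpContext context)
    {
        // With <authentication mode="Windows" /> and anonymous access
        // disabled in IIS, the request principal is a WindowsIdentity.
        var caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException(
                "Request is not Windows-authenticated; refusing to call SharePoint.");

        // Impersonate only for the outbound call. Dispose() reverts the
        // thread to the app pool identity, even if the request throws.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Audit check: the thread must now run as the caller,
            // not as the app pool account.
            string effective = WindowsIdentity.GetCurrent().Name;
            if (!string.Equals(effective, caller.Name,
                               StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException(
                    "Impersonation did not take effect (running as " + effective + ").");

            var request = (HttpWebRequest)WebRequest.Create(ListsServiceUrl + "?WSDL");
            // Authenticate with the impersonated user's token
            // instead of explicit or app pool credentials.
            request.UseDefaultCredentials = true;

            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
    }
}
```

Called from a page as `SharePointAsUser.FetchWsdlAsCaller(Context)`, everything outside the `using` block keeps running as the app pool account, which limits what the user's token is used for.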
