To determine which resources are accessible to IIS, every session runs in a security context. This context is a particular user impersonated by IIS (typically IUSR_machinename). Using the impersonation parameters, you can access resources in a different context.

Impersonation is a security risk, so we recommend avoiding it if possible. Indeed, we consider it such a security risk that we ship ImageGlue with impersonation disabled. If you wish to enable it, you must do so using IGSettings. Impersonation is also difficult to configure correctly, so if you must use it we recommend running your virtual directory in the IIS Process (Low Application Protection).

For further details of Windows security see Microsoft's "Windows NT Security". If you want to run IIS in an isolated process see "Server Reliability Through Process Isolation". Please note that security works differently when running in an isolated process. This is fully covered in the above articles.

The user you are trying to impersonate must have the privilege 'Log on as a batch job'. If you try to impersonate and do not have the correct privileges you will receive one of these errors:

A required privilege is not held by the client. (1314)
Access is denied. (5)

If you have problems configuring impersonation you should bear in mind that the Microsoft recommended solution to this is to create a Microsoft Transaction Server (MTS) or COM+ package to host ImageGlue. This will handle the security context switching for you.

When your virtual directory is running in the IIS Process (Low Application Protection) IIS runs as SYSTEM and then impersonates the Anonymous User. You can change the identity of the Anonymous User but it is typically IUSR_machinename.

When your virtual directory is running as part of MTS or COM+ (Medium - Pooled or High - Isolated Application Protection) it will run as IWAM_machinename and again impersonate the IUSR_machinename user.

On Windows NT 4 the IUSR_machinename user does not have the privileges to do impersonation. On Windows 2000 neither the IUSR_machinename nor the IWAM_machinename has the required privileges. To enable impersonation ImageGlue must drop back into the base user (SYSTEM or IWAM_machinename).

Under Windows NT 4.0 you will be able to impersonate if you do not have "Run in separate memory space" checked. If you do have this option checked you must enable "Act as Part of Operating System" for the IWAM_machinename user.

Under Windows 2000 you will be able to impersonate if your Application Protection is set to Low. If your Application Protection is set to Medium or High you will not be able to impersonate.

To change user privileges on Windows NT 4.0

  1. Open "User Manager" in "Administrative Tools"
  2. Choose "User Rights" from the "Policies" Menu
  3. You may need to check "Show Advanced User Rights"
  4. Change user rights as required
  5. After changing User Rights we advise rebooting

To change user privileges on Windows 2000 or later

  1. Open "Local Security Settings"
  2. Select "Local Policies/User Rights Assignment"
  3. Double click on the required policy
  4. Add or remove users as appropriate
  5. After changing User Rights we advise rebooting
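
To confirm the result of the steps above on Windows 2000 or later, the user rights can be exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and checked offline. The following is an added example, not part of ImageGlue or of the original page; the machine name WEB01, the account lists and the sample export are constructed, and `SeBatchLogonRight` and `SeTcbPrivilege` are the Windows constant names for 'Log on as a batch job' and 'Act as part of the operating system'.

```python
# Added example: audit the two user rights this page names in a secedit export.
# Real exports are usually UTF-16: open(path, encoding="utf-16").read()
RIGHT_BATCH = "SeBatchLogonRight"  # "Log on as a batch job"
RIGHT_TCB = "SeTcbPrivilege"       # "Act as part of the operating system"

# Constructed sample export; WEB01 and the account lists are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,brian,IWAM_WEB01
SeTcbPrivilege = IWAM_WEB01
SeNetworkLogonRight = *S-1-1-0,IUSR_WEB01
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip() for h in holders.split(",") if h.strip()]
    return rights


def audit(inf_text, account):
    """Check the impersonated account's batch-logon right and list TCB holders."""
    rights = parse_privilege_rights(inf_text)
    # Entries are account names or "*SID" strings; only names are matched here,
    # and group membership is not expanded.
    names = [h.lower() for h in rights.get(RIGHT_BATCH, [])]
    return {
        "account": account,
        "batch_logon": account.lower() in names,
        # SeTcbPrivilege lets a process act as part of the trusted computing
        # base, so every holder is returned for review.
        "tcb_holders": rights.get(RIGHT_TCB, []),
    }


if __name__ == "__main__":
    for user in ("brian", "IUSR_WEB01"):
        print(audit(SAMPLE_INF, user))
```

An account reported with `batch_logon` false may still hold the right through a group or a SID entry, so treat a negative result as a prompt to check the policy directly.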
   
1. User

The name of the user you want to impersonate.

For example, the following saves a JPEG on a network volume, impersonating the user 'brian' and supplying the user password 'lilly'.

[VBScript]
obj.SaveAs "\\Koo\test\DrawXXX.jpg", "Quality=high user=brian password=lilly"

 

   
2. Password

The password for the user you want to impersonate.

 

   
3. Domain

The domain for the user that you wish to impersonate. This is an optional parameter.