13
votes

We have upgraded an ASP.NET web application from IIS6 to IIS7 integrated mode. Our application uses:

<identity impersonate="true"/>

and therefore we have had to set:

<validation validateIntegratedModeConfiguration="false" />

Is this sensible? My instincts say not, but searching on Google for this issue, this "workaround" is suggested on every page visited.

Is impersonation no longer a good practice in IIS7 integrated, and should we abandon it and come up with a different solution?

1
You may have better luck asking on serverfault.com as this is an IIS configuration question more than it's a programming question =) - Rob
It was my understanding that impersonation was frowned upon even on IIS6. I'd look into why you need to impersonate & what you can do to remove it, as you're kinda making life hard for yourself, as you can't use any of the new security features in IIS7 - Simon Halsey
@SimonHalsey thanks. Have you got any references for the suggestion of bad practice? I think the main reason was for database purposes - Greg Tarr
The biggest problem with impersonation is setting the account up correctly & ensuring it is sufficiently restricted. IIS7 introduced app pool identities, which do all the work for you. - Simon Halsey

1 Answer

4
votes

@GregT: Below are the links that answer your question:

http://forums.iis.net/t/1150266.aspx
http://mvolo.com/breaking-changes-for-aspnet-20-applications-running-in-integrated-mode-on-iis-70/

As I understand it, that specific line of code is added to log issues as errors and perform the necessary operation.
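
An added example, not part of the original question or answer: `validateIntegratedModeConfiguration="false"` turns off the integrated-mode configuration check for the whole application, so it hides legacy `<httpModules>` and `<httpHandlers>` entries as well as the `<identity>` element. The script below lists everything in a web.config that the check would otherwise report. The sample config, `AuditModule` and the function name `audit_web_config` are constructed for illustration, and the script assumes the `<configuration>` element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: the two settings from the question plus a
# hypothetical legacy <httpModules> entry to show what the switch can hide.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <identity impersonate="true"/>
    <httpModules>
      <add name="AuditModule" type="Example.AuditModule"/>
    </httpModules>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Return (validation_disabled, findings) for one web.config document."""
    root = ET.fromstring(xml_text)
    validation = root.find("./system.webServer/validation")
    disabled = (
        validation is not None
        and validation.get("validateIntegratedModeConfiguration", "true").lower() == "false"
    )
    findings = []
    identity = root.find("./system.web/identity")
    if identity is not None and identity.get("impersonate", "false").lower() == "true":
        findings.append("system.web/identity impersonate=true")
    # system.web/httpModules and httpHandlers are not read in integrated mode;
    # with validation on, IIS reports them instead of silently skipping them.
    for section in ("httpModules", "httpHandlers"):
        node = root.find("./system.web/" + section)
        if node is not None:
            for add in node.findall("add"):
                findings.append(f"system.web/{section}: {add.get('name') or add.get('path')}")
    return disabled, findings


if __name__ == "__main__":
    disabled, findings = audit_web_config(SAMPLE_WEB_CONFIG)
    state = "check suppressed" if disabled else "still reported by IIS"
    for finding in findings:
        print(f"{finding} ({state})")
```

Any module or handler it lists under `system.web` has to be registered under `system.webServer` to run in integrated mode, which matters most when the entry is an authentication or logging module.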