
Note: IIS = Internet Information Services; ASP = Active Server Pages.
When a user requests a resource, the request first arrives at IIS. IIS authenticates the user and then hands the request, together with the security token of the authenticated user, to the ASP.NET worker process.
The ASP.NET worker process then decides whether to impersonate the authenticated user supplied by IIS. If impersonation is enabled in the Web.config file, the worker process impersonates the authenticated user; otherwise, the thread runs under the ASP.NET worker process identity.
ASP.NET then checks whether the authenticated user is authorized to access the requested resource. If access is allowed, ASP.NET serves the request; otherwise, it sends an "access-denied" error message back to the user.
ASP.NET application security configuration and IIS security configuration are completely independent; they can be used independently or in conjunction with each other. IIS maintains its security-related configuration settings in the IIS metabase, whereas ASP.NET maintains security (and other) configuration settings in XML configuration files.
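
The impersonation and authorization steps described above can be traced against a concrete Web.config. The following is an added example, not code from the original page or from ASP.NET itself: a simplified Python model that reads a constructed Web.config and reports which identity the thread runs under and whether the request is allowed. The domain, account and role names, the `NETWORK SERVICE` worker identity, and the helper function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config for illustration; accounts and roles are made up.
WEB_CONFIG = r"""
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
      <allow roles="CONTOSO\Finance" />
      <allow users="CONTOSO\alice" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""
WORKER_IDENTITY = "NETWORK SERVICE"  # assumed worker process account


def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def thread_identity(config_xml, iis_user):
    """Impersonate the user IIS authenticated only if Web.config says so."""
    node = ET.fromstring(config_xml).find("system.web/identity")
    on = node is not None and node.get("impersonate", "false").lower() == "true"
    return iis_user if on else WORKER_IDENTITY


def is_authorized(config_xml, iis_user, roles=()):
    """Walk <authorization> rules in order; the first matching rule decides."""
    user = (iis_user or "").lower()  # None or "" means anonymous
    held = {r.lower() for r in roles}
    rules = ET.fromstring(config_xml).find("system.web/authorization")
    for rule in (rules if rules is not None else []):
        users = _names(rule.get("users"))
        if ("*" in users or (user and user in users)
                or ("?" in users and not user)
                or _names(rule.get("roles")) & held):
            return rule.tag == "allow"
    return True  # no rule matched: the inherited default allows all users
```

Because rules are evaluated top to bottom, the trailing `<deny users="*" />` is what turns the two `allow` entries into an allow-list; without it, every authenticated and anonymous user would fall through to the default allow.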