<alwaysFlowImpersonationPolicy> Element
Specifies that the Windows identity always flows across asynchronous points, regardless of how impersonation was performed.
<configuration>
<runtime>
<alwaysFlowImpersonationPolicy>
Syntax
<alwaysFlowImpersonationPolicy
enabled="true|false"/>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
| Attribute | Description |
|---|---|
enabled |
Required attribute. Indicates whether the Windows identity flows across asynchronous points. |
enabled Attribute
| Value | Description |
|---|---|
false |
The Windows identity does not flow across asynchronous points, unless the impersonation is performed through managed methods such as Impersonate. This is the default. |
true |
The Windows identity always flows across asynchronous points, regardless of how impersonation was performed. |
Child Elements
None.
Parent Elements
| Element | Description |
|---|---|
configuration |
The root element in every configuration file used by the common language runtime and .NET Framework applications. |
runtime |
Contains information about assembly binding and garbage collection. |
Remarks
In the .NET Framework versions 1.0 and 1.1, the Windows identity does not flow across asynchronous points. In .NET Framework version 2.0, there is an ExecutionContext object that contains information about the currently executing thread, and flows it across asynchronous points within an application domain. The WindowsIdentity also flows as part of the information that flows across the asynchronous points, provided the impersonation was achieved using managed methods such as Impersonate and not through other means such as platform invoke to native methods. This element is used to specify that the Windows identity does flow across asynchronous points, regardless of how the impersonation was achieved.
You can alter this default behavior in two other ways:
In managed code on a per-thread basis.
You can suppress the flow on a per-thread basis by modifying the ExecutionContext and SecurityContext settings by using the ExecutionContext.SuppressFlow, SecurityContext.SuppressFlowWindowsIdentity, or SecurityContext.SuppressFlow method.
In the call to the unmanaged hosting interface to load the common language runtime (CLR).
If an unmanaged hosting interface (instead of a simple managed executable) is used to load the CLR, you can specify a special flag in the call to the CorBindToRuntimeEx Function function. To enable the compatibility mode for the entire process, set the
flagsparameter for CorBindToRuntimeEx Function toSTARTUP_ALWAYSFLOW_IMPERSONATION.
Configuration File
In a .NET Framework application, this element can be used only in the application configuration file.
For an ASP.NET application, the impersonation flow can be configured in the aspnet.config file found in the <Windows Folder>\Microsoft.NET\Framework\vx.x.xxxx directory.
ASP.NET by default disables the impersonation flow in the aspnet.config file by using the following configuration settings:
<configuration>
<runtime>
<legacyImpersonationPolicy enabled="true"/>
<alwaysFlowImpersonationPolicy enabled="false"/>
</runtime>
</configuration>
In ASP.NET, if you want to allow the flow of impersonation instead, you must explicitly use the following configuration settings:
<configuration>
<runtime>
<legacyImpersonationPolicy enabled="false"/>
<alwaysFlowImpersonationPolicy enabled="true"/>
</runtime>
</configuration>
Example
The following example shows how to specify that the Windows identity flows across asynchronous points, even when the impersonation is achieved through means other than managed methods.
<configuration>
<runtime>
<alwaysFlowImpersonationPolicy enabled="true"/>
</runtime>
</configuration>
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for