Config files : ASP.NET Identity impersonate
Classification
Overview
Enabling the impersonate property causes an ASP.NET application to run either with the privileges of the client on whose behalf it is executing, or with the privileges of an arbitrary account whose credentials are supplied in the configuration. This configuration may allow an attacker to gain unauthorized access to protected resources, because it opens a path to privilege escalation.
.NET applications can run under the credentials of a user. The purpose of this functionality is to hand authentication and access control off to the web server and the file system rather than implementing them in the application's .NET code. Authentication is performed by the web server (Microsoft Internet Information Services, IIS), which passes either an authenticated token or an unauthenticated anonymous token to the .NET application. By using that token to impersonate the client, the application relies on the permissions set on NTFS directories and files to control access. Impersonation therefore allows an application on a server running .NET to execute code and access resources in the security context of an authorized user.
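The two forms of the setting described above, shown side by side in a `web.config` fragment. This is an added illustration, not configuration taken from the original page; the account name and password are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Risky: impersonate a fixed, privileged account whose credentials are
         hard-coded in the configuration file. Every request, including
         anonymous ones, then runs as this account, and anyone who can read
         web.config learns the password. -->
    <identity impersonate="true"
              userName="DOMAIN\svc-account-PLACEHOLDER"
              password="PASSWORD-PLACEHOLDER" />
  </system.web>
</configuration>
```

```xml
<configuration>
  <system.web>
    <!-- Safer: do not impersonate at all; the application runs under the
         IIS application pool identity, which should be granted only the
         NTFS permissions it actually needs. -->
    <identity impersonate="false" />
  </system.web>
</configuration>
```

If impersonating the authenticated client is genuinely required, use `<identity impersonate="true" />` with no `userName`/`password` attributes, so that each request runs as the IIS-authenticated caller rather than as a fixed account, and review the NTFS permissions that then govern access.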
