Impersonation in ASP.NET without declaring password

Question

I am trying to implement impersonation in ASP.NET. I am following this URL.

Microsoft beautifully explains the process.

However, I am a bit skeptical about declaring the password in web.config

Is there any way, we can achieve impersonation without declaring password?

Thank you

Related: http://stackoverflow.com/questions/2912903/how-to-use-hashed-password-in-impersonate-of-asp-net?rq=1 — lc., Jul 17 '13 at 13:45
You can try with Mode="Windows" which will impersonate with Integrated security. — Chirag Vidani, Jul 17 '13 at 13:48
You want any code, on any machine in your organization, to be able to say "I'm really the CEO, trust me", just by placing itself inside an asp.net website? — Damien_The_Unbeliever, Jul 17 '13 at 14:55

score 1 · Accepted Answer · edited May 23 '17 at 12:11

If you want to use user name and password for impersonation you have to store it somewhere.

But here is a list of things you can try:

Don't store credentials, but ask user to type them in. This will remove maintenance headache from you (user left company, password expired etc)
Store credentials in web config using encryption
Use Windows impersonation where currently logged in user passes a security descriptor automagically.

1 Answers1