When a user requests a web page, there exists a process of security too, so that every anonymous user is checked for authentication before gaining access to the webpage. The following points are followed in the sequence for authentication when a client attempts a page request:
* A .aspx web page residing on an IIS web server is requested by an end user
* IIS checks for the user's credentials
* Authentication is done by IIS. If authenticated, a token is passed to the ASP.NET worker process along with the request
* Based on the authentication token from IIS, and on the web.config settings for the requested resource, ASP.NET impersonates the end user to the request thread. For impersonation, the web.config impersonate attribute's value is checked.