Required impersonation level not provided or invalid


Article ID: 1027
Posted Date: 8/15/2004
Product(s):
Updated Date: 8/15/2004

Symptoms
When attempting to open Ultimate Survey Enterprise survey software web pages or other ASP.NET web pages, you receive an error that reads similar to the following:


Either a required impersonation level was not provided, or the provided impersonation level is invalid.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.


Cause
Either your .NET application is attempting to use a method of authentication that is not allowed, or the user that you are impersonating does not have the proper level of permissions.

Suggested Solution
While this error may be a symptom of a more complicated permissions problem, it is most likely the result of the impersonation setting in the web.config file. Change impersonate from the default value of true to false.

Original line:
<identity impersonate="true" />

Modified line:
<identity impersonate="false" />

Alternative option to explicitly state which user you will impersonate:
<identity impersonate="true" userName="contoso\Jane" password="pass"/>

More Information
When using impersonation, ASP.NET applications can optionally execute with the identity of the client on whose behalf they are operating. The usual reason for doing this is to avoid dealing with authentication and authorization issues in the ASP.NET application code. Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate the user and either pass an authenticated token to the ASP.NET application or, if unable to authenticate the user, pass an unauthenticated token. In either case, the ASP.NET application impersonates whichever token is received if impersonation is enabled. The ASP.NET application, now impersonating the client, then relies on the settings in the NTFS directories and files to allow it to gain access, or not. Be sure to format the server file space as NTFS, so that access permissions can be set.

Impersonation is disabled by default. For ASP compatibility, the user must explicitly enable impersonation. If impersonation is enabled for a given application, ASP.NET always impersonates the access token that IIS provides to ISAPI extensions. That token can be either an authenticated user token, or the token for the anonymous user (such as IUSR_MACHINENAME). The impersonation occurs regardless of the type of authentication being used in the application.

Only application code is impersonated; compilation and configuration are read as the process token. The result of the compilation is put in the "Temporary ASP.NET files" directory. The account that is being impersonated needs to have read/write access to this directory. If an application is on a universal naming convention (UNC) share, ASP.NET will always impersonate the token provided to IIS to access that share unless a configured account is used. If an explicit configured account is provided, ASP.NET will use that account in preference to the IIS UNC token. Applications that do want per-request impersonation can simply be configured to impersonate the user making the request.
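To see which of the three identity settings above a given web.config actually uses, the following added example (not part of the original article or the product) reports the impersonation mode for the root and for each location override, and flags a password stored as a literal value. It assumes the file declares no XML namespace and treats a value beginning with registry: as a reference to credentials stored outside the file; the function names and the sample file are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; the account is the article's own placeholder.
SAMPLE_CONFIG = r"""<configuration>
  <system.web>
    <identity impersonate="true" userName="contoso\Jane" password="pass" />
  </system.web>
  <location path="reports">
    <system.web>
      <identity impersonate="false" />
    </system.web>
  </location>
  <location path="public">
    <system.web>
      <identity impersonate="true" />
    </system.web>
  </location>
</configuration>"""

def classify(identity):
    """Return (mode, warnings) for one <identity> element."""
    if identity.get("impersonate", "false").lower() != "true":
        return "disabled", []        # code runs with the process token
    user = identity.get("userName")
    if not user:
        return "iis-token", []       # impersonates whatever token IIS passes in
    warnings = []
    # Assumption: "registry:" marks credentials kept outside the config file.
    if not identity.get("password", "").startswith("registry:"):
        warnings.append("password for %s stored in clear text" % user)
    return "fixed-account", warnings

def audit_web_config(xml_text):
    """List (scope, mode, warnings) for every <identity> in a web.config."""
    root = ET.fromstring(xml_text)
    scopes = [("<root>", root)]
    scopes += [(loc.get("path", "."), loc) for loc in root.iter("location")]
    findings = []
    for scope, node in scopes:
        for section in (c for c in node if c.tag == "system.web"):
            for identity in (c for c in section if c.tag == "identity"):
                findings.append((scope, *classify(identity)))
    return findings

if __name__ == "__main__":
    for scope, mode, warnings in audit_web_config(SAMPLE_CONFIG):
        print(scope, mode, "; ".join(warnings) or "ok")
```

A fixed-account result with a clear-text warning means anyone who can read web.config can read that account's password, so the file's NTFS permissions matter as much as those on the content it protects.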

Microsoft's knowledgebase provides more information:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp