I was looking for a table that showed how client authentication, server authentication and impersonate flag work together. I found many good examples and tutorials explaining how to make any combinaison work, but not a quick reference table.

So I made one. I tested on a Windows Server 2003 with ASP.NET version 2.0. I used wfecth as client to be sure of what was going on. Not every configuration makes sense in real life, but I included it for completeness. HTH !

Client sends creds Server require creds Impersonate Result
don't care No false NETWORK_SERVICE
No Yes don't care 401 Unauthorized
Yes Yes False NETWORK_SERVICE
don't care No True IUSR_MACHINENAME
Yes Yes True Domain\User

ps : Actually, NETWORK_SERVICE is the account the application pool is running under.