On each ASP.NET request, there are four different security identities to be aware of:
The operating system thread identity.
The request authenticated identity set by IIS.
The IPrincipal available on Thread.CurrentPrincipal.
The IPrincipal available from HttpContext.Current.User.
If you are using Windows authentication in your ASP.NET application, then the impersonation token from IIS is used to create a WindowsIdentity for both the current thread and the current context. If the current request is an anonymous user, then the WindowsIdentity is just the value of WindowsIdentity.GetAnonymous. For authenticated users, the WindowsIdentity represents the authenticated user credentials from the IIS impersonation token. For applications running on a UNC share, the WindowsIdentity that is created represents either the anonymous user account configured in IIS or the credentials that were used to authenticate the user.
If you are using forms authentication, though, the impersonation token set by IIS has no bearing on the security information set on the thread and the context. Instead, for authenticated users, the FormsAuthenticationModule will create a GenericPrincipal containing a FormsIdentity and set this value on the current context's User property.
If no authentication module sets an IPrincipal on the current context's User property, the hidden DefaultAuthenticationModule will create a GenericPrincipal with a username set to the empty string and set this value on the current ...
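To see how the four identities differ under a given authentication mode, the following added example (not code from the original text) reports each one for the current request. The handler name IdentityReportHandler is an assumption, as is its registration in web.config; it answers local requests only, since this information describes the server's security configuration.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical diagnostic handler: the class name is an assumption made for this example.
public class IdentityReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Account names and authentication types should not be exposed remotely.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "text/plain";

        // 1. Operating system thread identity (process account, or the impersonated account).
        using (WindowsIdentity osIdentity = WindowsIdentity.GetCurrent())
        {
            Report(context, "OS thread identity", osIdentity);
        }

        // 2. Request identity built from the IIS impersonation token.
        //    Owned by the request, so it is not disposed here.
        Report(context, "IIS request identity", context.Request.LogonUserIdentity);

        // 3. and 4. The managed principals on the thread and on the context.
        IPrincipal threadPrincipal = Thread.CurrentPrincipal;
        Report(context, "Thread.CurrentPrincipal", threadPrincipal == null ? null : threadPrincipal.Identity);
        Report(context, "HttpContext.Current.User", context.User == null ? null : context.User.Identity);
    }

    private static void Report(HttpContext context, string label, IIdentity identity)
    {
        if (identity == null)
        {
            context.Response.Write(label + ": (not set)\r\n");
            return;
        }
        // The default principal for unauthenticated requests carries an empty name.
        string name = String.IsNullOrEmpty(identity.Name) ? "(empty string)" : identity.Name;
        context.Response.Write(String.Format(
            "{0}: name={1}, type={2}, authType={3}, authenticated={4}\r\n",
            label, name, identity.GetType().Name, identity.AuthenticationType, identity.IsAuthenticated));
    }
}
```

Under forms authentication, the last two lines show a FormsIdentity for a signed-in user while the first two still show Windows accounts, which is the separation described above.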