About impersonating your ASP.NET code
By using basic or integrated IIS security, you can set the security context on whose behalf the code is running to the current user by adding these two lines in your web.config:
This can be usefull when you want to call WebServices inside you code that needs the current user's credentials (note: you'll need Kerberos authentication not to run into the two-hop problem, see http://blogs.msdn.com/mjeelani/archive/2004/12/07/275921.aspx).
The problem: No impersonation inside HttpHandlers
While your pages and controls will now run on behalf of the current user, for some reason this impersonation is not done inside your custom HttpHandler! Although the user is authenticated (HttpContext.Current.User.IsAuthenticated is true), all code is still running as ASPNET or the default AppPool identity (just add a watch on System.Security.Principal.WindowsIdentity.GetCurrent()). So by calling a WebService inside your HttpHandler code using the DefaultCredentials, the wrong credentials will be passed and you'll probably get a 404.
The solution: Do your own impersonation
public IHttpHandler GetHandler(HttpContext context, string requestType, string url, string pathTranslated)
// Create a WindowsImpersonationContext object by impersonating the Windows identity.
WindowsImpersonationContext impersonationContext = ((WindowsIdentity)context.User.Identity).Impersonate();
// Your impersonated calls to WebServices here
if (impersonationContext != null)
// always undo impersonation
...so, after you impersonate to the identity inside the current HttpContext, your code will now be running on behalf of the currently logged on user, and you can call WebServices using the current user's credentials.