Aaah ok, so I checked up on identity impersonate=true, turns out it replaces the default aspnet user with the clients credentials (probably anonymous), I think you should either take it out, or use something like this: <identity impersonate="true" userName="joeblow" password="123456" />