Getting Impersonation working in Classic ASP app under IIS 7.5

What settings need to be in place in order to get impersonation working for a Classic ASP application running under IIS 7.5? I have it working perfectly on my test server (Windows Server 2008 R2), but I have a user who is trying to get it working on their R2 server and I can't figure out what setting they have wrong.

Here are the basics for how the app is set up on my test server:

• Basic Authentication is the only authentication method enabled
• The IIS application runs under a 32-bit enabled Application Pool running in Classic mode
• App Pool runs as NetworkService and Load User Profile is set to False

When you run the app on my test server, the user enters their credentials in the Basic Authentication window and then the app will call a server-side object. I can see from Process Monitor that the object is running under NetworkService, but it is impersonating the user's identity. However, on this other server that we're working on, the object does not impersonate the user. It will run under whatever account the Application Pool is configured to run under.

What would stop impersonation from working assuming that server is set up as outlined above? I assume that the web.config settings would not have anything to do with this since it's a Classic ASP application and not an ASP.NET app. But just for kicks I tried "breaking" my test server and putting <identity impersonate="false"/> into the config file. As I suspected, it didn't have any effect and impersonation still worked fine.

What settings should I have them check? They mention that they've "locked down" this server, so I'm sure some setting must be stopping this from working.