In my app's config there is a impersonation tag containing username and password and I'm wondering what should these credentials be to make the app work - are these the credentials of some user in the domain or the IIS server or what?
You should only need that if the user that the IIS process is running under doesn't have access to a particular resource that you need.
I use it while working on a very large domain. It's generally a user on the domain that has access privileges to specific things like a SQL back-end and/or file/folder permissions. You may run into an error when you try to build your project depending on your configuration, the solution for me was to comment the impersonation line, build, deploy and then uncomment it again at its deployed location.
Identity impersonate without a username and password will force the .NET process for the web-app to run as the same user that IIS is set to run as. If it has a username and password specified then it is forcing the .NET process to run as that specific user.
The reason for it is likely that the app needs to either connect to a database using trusted authentication, security permissions to read/write a file, or network resource.