Web application to use window domain accounts for authentication

Question

If you have a web application that will run inside a network, it makes sense for it to support windows authentication (active directory?).

Would it make sense to use AD security model as well, or would I make my own roles/security module that some admin would have to configure for each user?

I've never dealt with windows security before, so I am very confused as to how I should be handling security for a web application that runs within a windows network.

I guess there are 2 major points I have to tackle:

1. authentication
2. authorization

I have a feeling that best-practice would say to handle authorization myself, but use AD authentication right?

Answer 1

Basically windows handles everything, you never store usernames or passwords, AD and IIS do all the work for you

add this to your web.config

 <system.web>
  ...
  <authentication mode="Windows"/>
  ...
 </system.web>

To configure Windows authentication

1. Start Internet Information Services (IIS).
2. Right-click your application's virtual directory, and then click Properties.
3. Click the Directory Security tab.
4. Under Anonymous access and authentication control, click Edit.
5. Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.

You can then deal with the business or authorization using web.config again. for example

<authorization>
 <deny users="DomainName\UserName" />
 <allow roles="DomainName\WindowsGroup" />
</authorization>

Read more here: http://msdn.microsoft.com/en-us/library/ms998358.aspx

Answer 2

I used windows security on some of my internal sites.

Basically the way I set it up is I remove anonymous access in IIS, then assign permissions on the sites files though the standard windows security model.

I'm not sure if this is the best practices, but it has always worked well for me.