Reputation:
ASP.NET / IIS Security (Windows Authentication)
This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
Upvotes: 5
Views: 5585
Answers (3)
Reputation:
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx
Upvotes: 0
Reputation: 34810
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users- the identity of the user will be stored in the HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Upvotes: 2
Reputation: 354
You're looking for Windows Authentication and Authorization in ASP.NET
- How To Use Windows Auth in ASP.NET
- Authentication/Authorization Explained
- How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider. You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory. With this approach you must manually create a WindowsPrincipal object.
Upvotes: 4
Related Questions
- ASP.NET Windows Authentication
- IIS Windows Authentication IIS APPOOL
- ASP.NET authentication advice
- windows authentication in iis7
- IIS 7 - authentication
- Windows Authentication IIS7
- IIS 7 and Windows Authentication
- ASP.NET authentication
- Windows Server 2008, IIS7 and Windows Authentication
- asp.net windows authentication