In this article we will cover Windows Authentication.
Contents
Definitions of a few keywords needed to understand Windows Authentication.
What is Windows Authentication.
Why Windows Authentication.
How Windows Authentication is implemented in an ASP.NET Application.
Configuring impersonation in an application.
Authentication: Authentication is the process of determining the identity of a user based on the user's credentials. The user's credentials are usually in the form of a user ID and password, which are checked against a credential store such as a database. If the credentials provided by the user are valid, then the user is considered an authenticated user.
Authorization: After successful authentication, authorization is the step of deciding which resources a user can access based on their identity, and checking whether the authenticated user has sufficient rights to access the requested resource.
Impersonation: Impersonation is a process in which a user accesses resources (e.g. files, DB…) by using the identity of another user.
Ex: If anonymous (not logged in / not authenticated) access is enabled for a website in IIS, then IIS runs all the users' requests using the identity of the IUSR_machinename account, which is created by IIS. This is the default option in IIS.
WindowsIdentity: It represents the current Windows user.
Authentication Providers
In ASP.NET, authentication is done by both IIS and ASP.NET. ASP.NET implements authentication through authentication providers that contain the code necessary to authenticate the requestor's credentials. There are three types of authentication providers built into ASP.NET. They are:
Windows Authentication Provider.
Forms Authentication Provider.
Passport Authentication Provider.
Windows Authentication Provider: Provides information on how to use Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication to secure ASP.NET applications.
Why Windows Authentication:
Windows authentication is generally used if the users accessing the application belong to the same organization.
This authentication method uses Windows accounts for validating users' credentials. This type of authentication is very good for intranet Web sites where we know our users.
How Windows Authentication is Implemented in ASP.NET Application
With this type of authentication, IIS initially performs the authentication through one of its authentication options (e.g., basic, digest, Integrated Windows, or some combination of them). After successful authentication, IIS passes the credentials of the authenticated user to the ASP.NET thread. The appropriate identity for the ASP.NET worker thread is selected using the process defined under the ASP.NET Impersonation section. Based on the credentials supplied by IIS, a Windows identity is created by the WindowsAuthenticationModule module in ASP.NET. This identity is set as the current user identity (setting the security information for the current HTTP request) for the application. This is the default authentication mode in ASP.NET and it is set in the web.config file of the application using the following setting:
<system.web>
<authentication mode="Windows"/>
</system.web>
Although the Windows Authentication mode sets the value of the current User property to a WindowsIdentity based on the credentials supplied by IIS, the Windows identity supplied to the operating system for permission checking, such as NTFS file permissions, or for connecting to a database using integrated security, is the identity of the ASP.NET process. On Microsoft Windows 2000 and Windows XP Professional, this is the identity of the ASP.NET worker process, which is the local ASPNET account. On Windows Server 2003, this is the identity of the IIS Application Pool that the ASP.NET application is part of, which is the NETWORK SERVICE account.
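The distinction described above can be observed per request with a small diagnostic handler. This is an added example, not code from the original article; the class name WhoAmIHandler and its registration in the application are assumptions, and it targets classic ASP.NET (System.Web).

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical diagnostic handler (name and registration path are assumptions).
public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Identity IIS authenticated; WindowsAuthenticationModule attached it to the request.
        IIdentity requestUser = context.User != null ? context.User.Identity : null;

        // Windows token the code is actually executing under. NTFS ACL checks and
        // integrated-security database logins are evaluated against this account.
        using (WindowsIdentity osIdentity = WindowsIdentity.GetCurrent())
        {
            bool sameAccount = requestUser != null
                && requestUser.IsAuthenticated
                && string.Equals(requestUser.Name, osIdentity.Name,
                                 StringComparison.OrdinalIgnoreCase);

            context.Response.ContentType = "text/plain";
            context.Response.Write("Request user (User property): " + Describe(requestUser) + "\n");
            context.Response.Write("OS identity (permission checks): " + Describe(osIdentity) + "\n");
            context.Response.Write(sameAccount
                ? "Resources are accessed as the authenticated caller.\n"
                : "Resources are accessed as the process account, not the caller; "
                  + "authorize on the User property before touching files or the database.\n");
        }
    }

    // Formats an identity as "DOMAIN\name [scheme]", or "(anonymous)" when unauthenticated.
    private static string Describe(IIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            return "(anonymous)";
        return identity.Name + " [" + identity.AuthenticationType + "]";
    }
}
```

With impersonation disabled, the second line shows the worker process or application pool account regardless of who signed in, which is why ACLs granted only to end users do not apply to the application's file and database access.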
Read more: Codeproject