Friday, May 9, 2008

ASP.NET Authentication

Authentication is the process of obtaining credentials that identify a user (such as a user name and password) and validating those credentials against some authority.

If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource.

ASP.NET implements authentication through authentication providers, the modules that contain the code to authenticate the requestor's credentials. This section describes the authentication providers built into ASP.NET.


The Windows Authentication Provider
Describes how to use the Windows Authentication provider.

The Passport Authentication Provider
Describes how to use the Passport Authentication provider.

The Forms Authentication Provider
Describes how to use the Forms Authentication provider.


The Windows Authentication Provider

The WindowsAuthenticationModule provider relies on IIS to authenticate the user, using any of the mechanisms IIS supports. The module wraps the user IIS authenticated in a WindowsIdentity object. The default implementation then wraps that identity in a WindowsPrincipal object and attaches it to the request context (HttpContext.User). The WindowsPrincipal object maps the identity to its Windows groups, so role checks such as User.IsInRole resolve against Windows group membership.

If you use IIS authentication, the provider module uses the authenticated identity passed in from IIS. IIS authenticates the identity using Basic, Digest, or Integrated Windows (NTLM or Kerberos) authentication, or some combination of them. Basic authentication transmits the password only base64-encoded, so it should be enabled only over HTTPS. You can use impersonation and you can use NTFS ACL permissions to restrict or allow access to protected resources. This is the provider configuration to use if you want to implement site security with a minimum of ASP.NET coding.

An important reason to use the Windows Authentication provider is to implement an impersonation scheme that can use any of the authentication methods that might have already been performed by IIS before passing the request to the ASP.NET application. To do this, set the authentication mode to Windows, and confirm that the impersonate element is set to true, as shown in the following example:
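The web.config fragment that this describes, given here as an added example rather than a snippet from the original page. The `<authorization>` element goes beyond the two settings the sentence names; it is included because Windows mode on its own still lets anonymous requests through if IIS permits them:

```xml
<configuration>
  <system.web>
    <!-- Trust the identity IIS already authenticated (Basic, Digest, or
         Integrated Windows); ASP.NET performs no authentication of its own. -->
    <authentication mode="Windows" />

    <!-- Run each request's code under the authenticated caller's token, so the
         NTFS ACLs on the resources it touches are enforced against that user. -->
    <identity impersonate="true" />

    <!-- Deny anonymous requests at the ASP.NET layer as well. IIS must also have
         Anonymous access disabled for the site: the two settings are independent. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With `impersonate="true"` every request runs under the caller's identity for its whole lifetime, so the worker process identity is never used for that request; the section below shows how to limit impersonation to a single block of code instead.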



Please note that configuring an ASP.NET application has no effect on the IIS Directory Security settings. The systems are completely independent and are applied in sequence. In addition to selecting an authentication mode for an ASP.NET application, it is also important to configure IIS authentication appropriately.

Next you must set the NTFS ACLs to allow access only to the proper identities. If you want to enable impersonation for only a short time during request processing, you can do it by using an impersonation context and WindowsIdentity.Impersonate.

NOTE: The Windows identity of an anonymous user cannot be impersonated; calling Impersonate on it throws an exception. Check WindowsIdentity.IsAnonymous before impersonating if IIS allows anonymous access.

First, set the impersonate element to false, then set up a context using the WindowsIdentity.Impersonate method, as follows:

C#:

using System.Security.Principal;
// impersonateToken: Windows access token of the user to run as, e.g. Request.LogonUserIdentity.Token
WindowsImpersonationContext context = WindowsIdentity.Impersonate ( impersonateToken );
try {
    // do whatever must run as that user.
} finally {
    context.Undo ( ); // revert even if the code above throws
}

VB:

Imports System.Security.Principal
' impersonateToken: Windows access token of the user to run as, e.g. Request.LogonUserIdentity.Token
Dim context As WindowsImpersonationContext = WindowsIdentity.Impersonate ( impersonateToken )
Try
    ' do whatever must run as that user.
Finally
    context.Undo ( ) ' revert even if the code above throws
End Try

Notice that context.Undo reverts to the identity that was in effect before the call to Impersonate. Put it in a Finally block so the reversion also happens when the impersonated code throws; otherwise the rest of the request would keep running as the impersonated user.
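A complete handler that applies this pattern, as an added example that is not part of the original page. It assumes `<authentication mode="Windows" />` with `<identity impersonate="false" />`, so the worker process identity is in effect outside the impersonated block, and it handles the anonymous case noted above instead of letting Impersonate throw. The file path is hypothetical; its NTFS ACL is what decides who may read it:

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Serves one ACL-protected file, impersonating the IIS-authenticated caller only
// for the duration of the read. (Added example; not the page's own code.)
public class ProtectedFileHandler : IHttpHandler
{
    // Hypothetical path; the OS enforces its ACL against the impersonated token.
    private const string ProtectedPath = @"C:\inetpub\protected\report.txt";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // The identity IIS authenticated for this request. If IIS allowed anonymous
        // access there is no user token, and Impersonate() would throw, so refuse.
        WindowsIdentity caller = context.Request.LogonUserIdentity;
        if (caller == null || caller.IsAnonymous)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string content;
        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            // Runs as the caller: the access check is done by the OS with the
            // caller's token, not with the worker process identity.
            content = File.ReadAllText(ProtectedPath);
        }
        catch (UnauthorizedAccessException)
        {
            // Caller is authenticated but the ACL does not grant them read access.
            context.Response.StatusCode = 403;
            return;
        }
        finally
        {
            // Always revert, including on the 403 path above, so nothing later in
            // this request keeps running under the caller's identity.
            impersonation.Undo();
        }

        context.Response.ContentType = "text/plain";
        context.Response.Write(content);
    }
}
```

Because WindowsImpersonationContext implements IDisposable and Dispose calls Undo, the try/finally can equally be written as a `using` block; the explicit form is kept here to make the reversion visible.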

You can also implement a custom authorization scheme on top of Windows authentication by handling the WindowsAuthentication_OnAuthenticate event (in Global.asax) and creating a WindowsPrincipal or a GenericPrincipal object from the WindowsIdentity that IIS supplied. Assigning the new object to the event's User property replaces the principal the module would otherwise attach; IIS still performs the authentication, but the roles the principal reports are then under your control. If the handler leaves User unset, the default implementation constructs a WindowsPrincipal object, which maps the identity to its Windows groups, and attaches it to the request context.
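A Global.asax handler that does this, as an added example that is not from the original page. The account names and the role table are constructed for illustration; a real application would load the mapping from a database or configuration:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Global.asax code-behind: keeps the IIS-authenticated WindowsIdentity but replaces
// the Windows-group-based principal with one carrying application-defined roles.
// (Added example; not the page's own code.)
public class Global : HttpApplication
{
    // Constructed sample mapping from Windows account to application roles.
    private static readonly Dictionary<string, string[]> AppRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\alice", new[] { "Reader", "Approver" } },
            { @"CONTOSO\bob",   new[] { "Reader" } },
        };

    // Raised by WindowsAuthenticationModule once per request, after IIS has
    // authenticated the caller. e.Identity is the WindowsIdentity IIS handed over.
    protected void WindowsAuthentication_OnAuthenticate(
        object sender, WindowsAuthenticationEventArgs e)
    {
        WindowsIdentity identity = e.Identity;
        if (identity == null || identity.IsAnonymous)
        {
            // Leave e.User unset: the module attaches its default principal and
            // <authorization> rules for anonymous users ("?") apply.
            return;
        }

        string[] roles;
        if (!AppRoles.TryGetValue(identity.Name, out roles))
        {
            // Authenticated by IIS, but holds no application role.
            roles = new string[0];
        }

        // Authentication stays with IIS and Windows; only the role mapping is ours.
        // Unknown accounts get an empty role set rather than their Windows groups.
        e.User = new GenericPrincipal(identity, roles);
    }
}
```

After this handler runs, `User.IsInRole("Approver")` and `<allow roles="Approver" />` rules in web.config resolve against the table above instead of Windows group membership, while `User.Identity` is still the WindowsIdentity, so code that needs to impersonate the caller keeps working.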
