Lesson 2: Using Windows Authentication
The purpose of this lesson is to show the relationship between Windows (NTLM or Kerberos, as negotiated by IIS) authentication and ASP.NET. This lesson also delves into the concept of impersonation.
- "Windows authentication is the default authentication method when you create a new Web application project."
This Web application configuration denies anonymous users:
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<!-- Deny unauthenticated users -->
</authorization>
For more information on authentication configuration see:
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfauthorizationsection.asp
- "If impersonation is enabled, the application executes using the permissions found in your user account. Otherwise, the application executes using the limited ASPNET user account... When a user is authorized, ASP.NET issues an authorization certificate in the form of a cookie that persists for the duration of the user's session."
Keep in mind that the impersonated account needs at least the rights of the "limited" ASPNET account; otherwise lack of access to folders such as Temporary ASP.NET Files (under the framework directory) causes exceptions at runtime rather than at configuration time. For more details, see "How To: Create a Custom Account to Run ASP.NET" by J.D. Meier, Alex Mackman, Michael Dunner and Srinath Vasireddy here:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT01.asp
- "When a user is authorized, ASP.NET issues a certificate in the form of a cookie that persists for the duration of the user's session."
The "certificate" wording is misleading for Windows authentication: ASP.NET issues no ticket of its own. IIS authenticates the connection or request (NTLM or Kerberos) and hands ASP.NET the resulting Windows token, so nothing has to persist in a cookie. The cookie-based ticket the textbook describes belongs to Forms authentication, and enabling cookieless sessions only moves the session ID into the URL; it does not move any authentication credential there.
- "One of the key advantages of Windows authentication is that users who are logged on to the network don't have to log on again to access the Web application."
This works best on a domain-joined intranet with Internet Explorer, which answers the NTLM or Kerberos challenge silently with the logged-on user's credentials. Other browsers, and clients outside the domain or behind a proxy, are typically prompted for credentials instead.
- "To restrict access to specific users, list their names separated by commas in an <allow> element."
This is the example:
<authorization>
<allow users="contoso\DeannaMeyer,contoso\MichaelEmanuel" />
<deny users="*" />
</authorization>
- "To allow or deny access to certain groups of users, add the <roles> element to the authorization list..."
This is the example:
<authorization>
<allow roles="contoso\Administrators" />
<deny users="*" />
</authorization>
- "The Identity property returns an object that includes the user name and role information..."
Identity is a property of the IPrincipal returned by System.Web.UI.Page.User, so the usual spelling is User.Identity (Name, AuthenticationType, IsAuthenticated). Under Windows authentication the object is a WindowsIdentity, and role membership is checked with User.IsInRole(), which tests Windows group membership in the form "DOMAIN\Group" or "BUILTIN\Administrators".
- "These methods and properties can be used in conjunction with the Global module's AuthorizeRequest event to check user names against an external user file rather than use the list in Web.config."
AuthorizeRequest is the HttpApplication event during which UrlAuthorizationModule evaluates the <authorization> section; a handler in Global.asax (Application_AuthorizeRequest) or a custom HTTP module runs in the same event and can reject the request itself. For the module mechanism see "INFO: ASP.NET HTTP Modules and HTTP Handlers Overview" at:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q307985
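The following Global.asax.cs is an added example written for this page, not code from the lesson or from the KB article. It implements the idea above: the Windows-authenticated user name is checked against an external allow-list file instead of the <allow users="..."/> list in Web.config. It assumes Web.config already has <authentication mode="Windows"/> and <deny users="?"/>, and that an appSettings key named "allowedUsersFile" (a name chosen for this example) points to a text file outside the web root, one DOMAIN\user per line with '#' starting a comment. The file is kept outside the web root because IIS serves .txt files directly, bypassing ASP.NET and its authorization rules.

```csharp
// Global.asax.cs: added example for this page, not code from the lesson.
// Rejects authenticated Windows users who are not listed in an external
// allow-list file. Assumed: appSettings key "allowedUsersFile" (example name)
// holds the full path of the list, stored outside the web root.
using System;
using System.Collections;
using System.Configuration;
using System.Globalization;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // Reads the allow-list into a Hashtable keyed by the lower-cased name,
    // because Windows account names are case-insensitive but Hashtable keys
    // are not. Lines are "DOMAIN\user", '#' begins a comment.
    public static Hashtable LoadAllowedUsers(TextReader reader)
    {
        Hashtable users = new Hashtable();
        string line;
        while ((line = reader.ReadLine()) != null)
        {
            int hash = line.IndexOf('#');
            if (hash >= 0)
                line = line.Substring(0, hash);
            line = line.Trim();
            if (line.Length > 0)
                users[line.ToLower(CultureInfo.InvariantCulture)] = true;
        }
        return users;
    }

    public static bool IsAllowed(Hashtable users, string name)
    {
        return users.ContainsKey(name.ToLower(CultureInfo.InvariantCulture));
    }

    // Runs in the same pipeline event as UrlAuthorizationModule.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Anonymous requests are left to <deny users="?"/> and the IIS
        // challenge; only authenticated callers are checked here.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        string path = ConfigurationSettings.AppSettings["allowedUsersFile"];
        Hashtable allowed;
        using (StreamReader reader = new StreamReader(path))
            allowed = LoadAllowedUsers(reader);

        // Identity.Name is "DOMAIN\user" under Windows authentication.
        if (!IsAllowed(allowed, ctx.User.Identity.Name))
        {
            // Mirror what a <deny> match does: 401 and skip to EndRequest.
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();
        }
    }
}
```

Reading the file on every request is deliberate for clarity; in production cache the Hashtable in Application state and invalidate it with a FileSystemWatcher or a file dependency, and make sure the ASPNET account (or the impersonated account) has read access to the file but web users have none.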
- "If authorization is set both in Web.config and in IIS, the IIS setting is evaluated first..."
The order matters more than this suggests. IIS authentication settings and NTFS ACLs are applied before the request ever reaches ASP.NET, so a request IIS rejects never sees Web.config; the <authorization> section can only further restrict what IIS has already let through, and the effective policy is the intersection of the two. The practical caveat is that Web.config protects only resources mapped to aspnet_isapi.dll (.aspx, .asmx, .ashx and so on); static content such as .html, .gif and .xml files is served by IIS directly and is governed by IIS and NTFS permissions alone.
- "Allowing IIS to control the password for the anonymous account is highly recommended, but this setting might need to be overridden if your application is deployed over multiple servers."
This recommendation must also be weighed against the MSKB article "Password Synchronization/Allow IIS to Control Password May Cause Problems" at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q216828
- "...you can enable multiple authentication methods through IIS...you can detect which method was used to authenticate a user in code by using the Identity object's AuthenticationType method..."
AuthenticationType is a property of IIdentity, not a method. For a WindowsIdentity it returns the name of the package that answered the IIS challenge, such as "NTLM", "Negotiate", "Kerberos" or "Basic", which is how code can tell that a Basic authentication logon (password sent in cleartext unless SSL is used) rather than an integrated one was accepted.
- "...once a user is authenticated, the application runs under the identity of the ASP.NET user account by default."
This default behavior is changed by declaring the identity element with the form:
<configuration>
<system.web>
<identity impersonate="true" />
</system.web>
</configuration>
The authenticated user that ASP.NET then runs under must have at least the rights of the ASP.NET user account on the application folder and on Temporary ASP.NET Files. WindowsIdentity.GetCurrent() in System.Security.Principal reports the account the current thread actually executes as: the process account without impersonation, the caller (or the fixed account) with it. Page.User, by contrast, always reports the caller IIS authenticated, whether or not impersonation is enabled.
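The following page is an added example written for this page, not code from the lesson or its MSDN sources. It puts the three identities side by side (the caller IIS authenticated, the authentication package that answered the challenge, and the account the request thread executes as) and probes the Temporary ASP.NET Files directory, the first place an under-privileged impersonated account fails. It assumes a Web Form named WhoAmI.aspx whose code-behind inherits from this class; the group name in the IsInRole call is illustrative.

```csharp
// WhoAmI.aspx.cs: added example for this page, not code from the lesson.
// Shows who IIS authenticated versus who the code runs as, which only
// coincide when <identity impersonate="true"/> (without a fixed userName)
// is in effect, and checks write access to Temporary ASP.NET Files.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public class WhoAmIPage : Page
{
    // Builds the report as a string so it can go to the response or to Trace.
    public static string DescribeIdentities(HttpContext ctx)
    {
        // Set by WindowsAuthenticationModule from the token IIS passed in.
        IIdentity caller = ctx.User.Identity;
        // Token on the current thread: process account, or the impersonated one.
        WindowsIdentity running = WindowsIdentity.GetCurrent();

        bool runsAsCaller = string.Compare(caller.Name, running.Name, true) == 0;

        return
            "Caller:            " + caller.Name + "\r\n" +
            "Auth type:         " + caller.AuthenticationType + "\r\n" +  // e.g. NTLM, Negotiate, Kerberos, Basic
            "Executing as:      " + running.Name + "\r\n" +
            "Runs as caller:    " + runsAsCaller + "\r\n" +               // false for no impersonation or a fixed identity
            "Caller is admin:   " + ctx.User.IsInRole(@"BUILTIN\Administrators") + "\r\n" +  // illustrative group
            "Codegen dir:       " + HttpRuntime.CodegenDir + "\r\n" +
            "Codegen writable:  " + CanWriteTo(HttpRuntime.CodegenDir) + "\r\n";
    }

    // Creates and deletes a scratch file; an impersonated account without
    // rights here raises the UnauthorizedAccessException the lesson warns about.
    public static string CanWriteTo(string dir)
    {
        string probe = Path.Combine(dir, "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            using (FileStream fs = File.Create(probe)) { }
            File.Delete(probe);
            return "yes";
        }
        catch (UnauthorizedAccessException ex)
        {
            return "no (" + ex.Message + ")";
        }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Response.ContentType = "text/plain";
        Response.Write(DescribeIdentities(Context));
    }
}
```

Request the page three times, with <identity> absent, with impersonate="true", and with a fixed userName, and the "Executing as" line changes while "Caller" does not; that is the whole distinction between authentication and impersonation in one screen. Remove the page before deployment, since it discloses account names and paths to anyone who can reach it.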
ASP.NET can also run under a single, known account with a configuration like this:
<configuration>
<system.web>
<identity impersonate="true" userName="root" password="jkdfjds#X5g" />
</system.web>
</configuration>
Because <identity> can be set at application or subdirectory level, this configuration (in a file called Web.config) can be placed in a subfolder of the Web application so that only ASP.NET resources in that folder and below run under the fixed account. Note that the userName and password are stored in cleartext: restrict the NTFS ACL on Web.config to administrators and the ASPNET account, and on .NET Framework 1.0 SP3 or 1.1 use the aspnet_setreg.exe tool (MSKB Q329290) to move the credentials into an ACL-protected registry key that the two attributes then reference.