Windows Authentication in ASP.NET
Introduction
Security is an important consideration in your web applications. Securing a web
application consists of two steps:
- Authenticating the user accessing the page
- Authorizing the user to access the page
Authentication is the process of determining whether a user is who he or she claims to
be. Typically this is determined with the help of a user id and password.
Authorization is the process in which you decide whether an authenticated user is allowed
to access a certain page or resource. For example, operators may not be allowed to view
certain confidential financial information that managers can view.
ASP.NET offers various ways to authenticate and authorize users of your web site. They
are:
- Windows authentication
- Forms authentication (cookie authentication)
- Passport authentication
In this code sample (which is Part I of a three-part series) we will see how to
implement Windows authentication.
Windows Authentication
The Windows authentication scheme uses the traditional mechanisms of Basic, NTLM/Kerberos and
Digest authentication. Here IIS uses the credentials of the logged-in user to
authenticate web requests. If integrated Windows authentication is turned off, a
typical gray dialog pops up asking for a user id and password.
Steps involved in implementing windows authentication and authorization
- Create an ASP.NET web application
- Modify web.config to set authentication mode to Windows
- Modify web.config to deny access to anonymous users
- Authorize users based on their NT user groups (roles)
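The web.config steps above can be sketched as follows. This is an added example, not the code from the downloadable sample; the group names `CONTOSO\Managers` and `CONTOSO\Operators` and the `Finance` folder are assumptions chosen to match the operators/managers scenario described earlier.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Step 2: let IIS/Windows establish the user's identity -->
    <authentication mode="Windows" />

    <!-- Step 3: "?" means anonymous (unauthenticated) users.
         Rules are evaluated top to bottom and the first match wins,
         so anonymous requests are rejected before anything else. -->
    <authorization>
      <deny users="?" />
      <!-- Step 4: site-wide access by NT group (role).
           Group names are placeholders (assumed). -->
      <allow roles="CONTOSO\Managers, CONTOSO\Operators" />
      <!-- Explicit final deny: "*" means all users, so anyone not
           matched by the allow rule above is refused. -->
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rule for a sensitive area: only managers may view the
       financial pages. The path is a hypothetical folder. -->
  <location path="Finance">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Ending each `authorization` block with `<deny users="*" />` matters: without it, users who match no rule fall through to the inherited default, which allows everyone.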
The sample application available for download shows you how to implement this scheme in
ASP.NET web applications.