Windows Authentication

Hello, as I promised, here is a brief note about Windows Authentication in ASP.NET. I omitted the overly advanced tools, which won’t be needed for this exam.

ASP.NET Authentication/Authorization

There are four types of authentication in ASP.NET:

– Windows authentication

– Forms authentication (used by the membership API)

– Passport authentication (mostly obsolete, consider Windows Live instead)

– Anonymous access

Windows authentication:

Use it when:

– Dealing with a smaller set of known users.

– Who have Windows user accounts.

– Potentially in intranet applications.

Windows authentication matches web users to predefined Windows users (local or Active Directory). WA isn’t a built-in feature of ASP.NET; IIS handles everything. To configure it, set the authentication mode to Windows in the web.config.

The pros and cons of WA:

Pros:

– Little effort on the developer’s part.

– Allows the reuse of existing logins.

– Single authentication model for multiple types of apps.

– Allows impersonation.

Cons:

– Tied to Windows users.

– Tied to Windows clients.

– Hard to customize, inflexible.

IIS Windows Authentication mechanisms:

Basic authentication: the user name and password are passed as clear text. All browsers support it (it is a standard). Use it only when protecting the user’s data is not a concern, or together with SSL.

Digest authentication: the name and password are not transmitted, only their hash. It is almost impossible to steal the password: the hash varies with every request, so it cannot be replayed. Works only with IE5+, and with Active Directory.

Integrated Windows authentication: the name and password are not passed; the currently logged-in user is passed as a token. It takes place transparently (no pop-ups).

Implementing Windows authentication:

The steps to follow:

  1. Configure Windows authentication type using IIS.
  2. Configure ASP.NET in the web.config.
  3. Set up authorization logic.

Configuring IIS:

To force users to log in, clear the Enable anonymous access checkbox in the settings of the virtual directory. Then add authorization logic in the web.config.

The rest of the topic is rather administrative: setting up IIS 7.0, and the differences between the standard IIS 5.x, 6.0, and IIS 7.0’s HTTP pipeline model.

Configuring ASP.NET:

In web.config: configuration → system.web → authentication mode="Windows"

When using IIS 7.0, it’s not necessary to write the web.config by hand, because IIS will update it automatically.

Authorization and Windows Authentication:

There are two ways to set up authorization: through IIS’s virtual directory settings, or through the ASP.NET web.config. The latter is preferred. Basic authorization logic looks like the following:

In the web.config of the folder you want to protect (this can be the root), add the rule to the authorization tag inside the system.web section of the configuration section. E.g.:

        <authorization>
            <deny users="?"/>
        </authorization>

Location tags can also be used. They specify a path and contain the authorization logic that applies to it. More on that later.
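The ASP.NET settings described above, combined into one web.config as an added example that is not part of the original post. The folder name Admin and the Windows group CONTOSO\WebAdmins are placeholders chosen for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Step 2: ASP.NET accepts the identity that IIS has already authenticated -->
    <authentication mode="Windows" />

    <!-- Step 3: "?" stands for anonymous users; denying them forces a login -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Stricter rules for one subfolder ("Admin" is a placeholder path).
       Rules are evaluated top to bottom and the first match wins,
       so the allow has to come before the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- placeholder Windows group, written as DOMAIN\Group -->
        <allow roles="CONTOSO\WebAdmins" />
        <!-- "*" stands for all users: everyone not matched above is refused -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the two rules inside the location tag were swapped, the deny would match first and even members of the allowed group would be refused.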

Access user information:

Use User.Identity.Name to get the user name, or simply the User object. You can convert this User to a WindowsPrincipal, for example:

if (User is WindowsPrincipal)
{
    WindowsPrincipal princ = User as WindowsPrincipal;
}

The WindowsPrincipal class provides the following members:

IsAnonymous, IsGuest, IsSystem, Groups, Token, Owner, User, Impersonate, GetAnonymous, GetCurrent, etc.


Impersonation can be used with Windows Authentication. It enables you to process a request as another user. To configure it in ASP.NET, set the impersonate attribute of the identity element in the web.config’s system.web section to true. A user name and password can also be specified. To encrypt this sensitive information, use aspnet_setreg.exe.
