Windows Integrated Security Authentication


Windows integrated security authentication (often referred to as Windows authentication) is the easiest security mechanism to implement. The basic vision is beautiful in its simplicity: if the user has already logged on to Windows, the browser can silently pass the user’s credentials to ASP.NET. Let’s look a little closer at how the mechanism works. First, a user logs on to a Windows NT domain with a user name and password. When the user tries to access a Web site that uses Windows authentication, the browser sends the user’s logon credentials in an encrypted format to IIS. IIS authenticates the user’s credentials and then passes the authenticated identity to ASP.NET. For the user this is very easy; the authentication happens silently, without the user having to type in a user name and password again after logging on to Windows.

Windows authentication works well if both the client and server are on the same domain, because IIS authenticates the user account against the domain where IIS is located. If the user is on another domain or not on a domain at all, she will be prompted for a username and password. So, simply logging on to Windows is not sufficient; users have to be logged on to the same domain as the Web server (or into a trusted domain). Note that Windows authentication does not work with Netscape browsers or if there is a firewall between the client and the server.

Because of these limitations, Windows authentication is best used for intranet sites, where the client and server sit on the same domain. Windows authentication has one feature that isn’t available to any other authentication mechanisms: Impersonation. You can optionally configure your application to run with the same privileges as the user (with an account that actually impersonates the user). This is useful, for example, if you want the application to have access to a directory that only the user has access to. In the following exercise, you’ll create a sample Web site that uses Windows authentication.

Create an application that uses Windows authentication

In this exercise, you’ll create a Web application that displays who the current user is and the account that ASP.NET is running under.

  1. In Visual Basic .NET, create a new ASP.NET Web application named WinTest.

  2. When the application is created, the default page WebForm1.aspx is opened in the designer. Add two labels and two text boxes to this form.

  3. Set the Text property of one label to ASP Username, and set the Text property of the other label to Client Username.

  4. Set the ID property of one text box to txtASPUsername, and set the ID property of the other text box to txtClientUsername. When you have finished, the form should look similar to the following illustration:


  5. Double-click the background of the form to open the Page_Load event handler. Add the following code to this event:

    Private Sub Page_Load(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles MyBase.Load
        Dim strASPUsername As String
        Dim strClientUsername As String
        ' Get the Windows account the ASP.NET worker thread is running under
        strASPUsername = _
            System.Security.Principal.WindowsIdentity.GetCurrent().Name
        ' Get the account IIS authenticated the client as (empty if anonymous)
        strClientUsername = User.Identity.Name
        ' Display both accounts
        Me.txtASPUsername.Text = strASPUsername
        Me.txtClientUsername.Text = strClientUsername
    End Sub

  6. Press F5 to run the application. The page should look like the illustration on the following page.


    The ASP Username is the Windows account ASP.NET is using to run. Unless your machine name is also Pukeko (a pukeko is a flightless bird native to New Zealand), it will probably read differently. At this point, you’re probably wondering why the client name is blank. You might be asking, “What went wrong?” The answer is “Nothing.” Because the Web site allows anonymous access, IIS defaults to using anonymous access and performs no authentication. Next, you’ll change the configuration to deny access to anonymous logins.

  7. Open the Web.Config file, and change the authorization section to

    <authorization>
        <!-- Deny access to "?", the anonymous user -->
        <deny users="?" />
        <!-- <allow users="[comma separated list of users]"
                    roles="[comma separated list of roles]"/>
             <deny users="[comma separated list of users]"
                   roles="[comma separated list of roles]"/>
        -->
    </authorization>

  8. Press F5 to run the application. IIS will use Windows authentication to authenticate you, and WebForm1 will look similar to the following illustration:


Add user impersonation

In the previous example, you saw that your application was running under the ASPNET account. In this exercise, you’ll configure your application to run under the account of the current client user. This is known as impersonation.

  1. In Visual Basic .NET, open the WinTest ASP.NET Web Application.

  2. Open the Web.Config file, and in the authentication section, locate the line that reads

    <authentication mode="Windows" />

  3. Immediately after this line, add the following line:

    <identity impersonate="true" />

    This causes the ASP.NET process to run under the account of the client user.

  4. Press F5 to run the application. WebForm1 should look similar to the illustration shown on the following page.

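The two exercises above leave the page trusting that authentication and impersonation happened. As an added example (not the book's code), the following Page_Load reports what the pipeline actually did: whether the request is still anonymous, which scheme IIS used, whether the worker thread really is impersonating the client, and a Windows group check. The label names and the DOMAIN\WebUsers group are assumptions.

```vb
' Added example, not from the book. Assumes a Web Form with three Label
' controls (lblStatus, lblAspAccount, lblClientAccount; names are assumed)
' and the Web.Config settings from the exercises above.
Imports System.Security.Principal

Public Class SecureForm
    Inherits System.Web.UI.Page

    Protected WithEvents lblStatus As System.Web.UI.WebControls.Label
    Protected WithEvents lblAspAccount As System.Web.UI.WebControls.Label
    Protected WithEvents lblClientAccount As System.Web.UI.WebControls.Label

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) _
            Handles MyBase.Load
        Dim client As IIdentity = User.Identity
        Dim thread As WindowsIdentity = WindowsIdentity.GetCurrent()

        lblAspAccount.Text = thread.Name
        lblClientAccount.Text = client.Name

        ' An unauthenticated client means anonymous access is still enabled in
        ' IIS: <deny users="?" /> is not in effect, so no authentication ran.
        If Not client.IsAuthenticated Then
            lblStatus.Text = "Anonymous request; Windows authentication did not run."
            Return
        End If

        ' AuthenticationType names the scheme IIS used (e.g. NTLM or Negotiate).
        Dim status As String = "Authenticated via " & client.AuthenticationType

        ' With <identity impersonate="true" /> the worker thread runs as the
        ' client, so the two names match; otherwise it is the ASPNET account.
        If String.Compare(thread.Name, client.Name, True) = 0 Then
            status &= "; impersonating the client"
        Else
            status &= "; running as the process account"
        End If

        ' Authorise by Windows group membership. DOMAIN\WebUsers is a
        ' placeholder; substitute the real group for your domain.
        If Not User.IsInRole("DOMAIN\WebUsers") Then
            status &= "; client is not a member of DOMAIN\WebUsers"
        End If

        lblStatus.Text = status
    End Sub
End Class
```

Because impersonation grants the request the client's own privileges, the impersonation check is the quickest way to confirm which account a file or database access will actually be made under.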




Security for Microsoft Visual Basic .NET
ISBN: 735619190
Year: 2003
Pages: 168