asp.net.ph


The Windows Authentication Provider



The WindowsAuthenticationModule provider relies on IIS to provide authenticated users, using any of the mechanisms IIS supports. The provider module constructs a WindowsIdentity object. The default implementation constructs a WindowsPrincipal object and attaches it to the application context. The WindowsPrincipal object maps identities to Windows groups.

If you use IIS authentication, the provider module uses the authenticated identity passed in from IIS. IIS authenticates the identity using basic, digest, or Windows authentication, or some combination of them. You can use impersonation and you can use NTFS ACL permissions to restrict or allow access to protected resources. This is the provider configuration you should use if you want to implement site security with a minimum of ASP.NET coding.

An important reason to use the Windows Authentication provider is to implement an impersonation scheme that can use any of the authentication methods IIS may already have performed before passing the request to the ASP.NET application. To do this, set the authentication mode to Windows, and confirm that the impersonate attribute of the identity element is set to true, as shown in the following example:

<authentication mode = "Windows"></authentication>
<identity impersonate = "true" />

Please note that configuring an ASP.NET application has no effect on the IIS Directory Security settings. The systems are completely independent and are applied in sequence. In addition to selecting an authentication mode for an ASP.NET application, it is also important to configure IIS authentication appropriately.

Next you must set the NTFS ACLs to allow access only to the proper identities. If you want to enable impersonation for only a short time during request processing, you can do it by using an impersonation context and WindowsIdentity.Impersonate.

NOTE: Attempting to impersonate the Windows identity of an anonymous user causes an exception.

First, set the impersonate attribute of the identity element to false, then set up a context using the WindowsIdentity.Impersonate method, as follows:

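// impersonateToken: IntPtr Windows account token (requires System.Security.Principal)
WindowsImpersonationContext context = 
   WindowsIdentity.Impersonate ( impersonateToken );
try {
   // do whatever.
} finally {
   context.Undo ( );   // revert even if the work above throws
}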

Notice that you can use context.Undo for identity reversion.

As mentioned earlier, you can implement a custom Windows authorization scheme by using a WindowsAuthenticate_OnAuthenticate event handler to create a WindowsPrincipal or a GenericPrincipal object from a WindowsIdentity object. You can then use one of the new objects to implement your own custom authentication scheme. The WindowsPrincipal object maps identities to Windows groups. The default implementation constructs a WindowsPrincipal object and attaches it to the application context.
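The following Global.asax handler is an added example, not code from the original page. It shows one way to build a GenericPrincipal from the WindowsIdentity that IIS supplied. The handler is named WindowsAuthentication_OnAuthenticate, the name under which ASP.NET wires the module's Authenticate event; the group name CONTOSO\WebAdmins and the role names "User" and "Administrator" are hypothetical.

```csharp
// Global.asax.cs -- added example; group and role names are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical Windows group that maps to the application's admin role.
    private const string AdminGroup = @"CONTOSO\WebAdmins";

    // Raised by WindowsAuthenticationModule during AuthenticateRequest.
    public void WindowsAuthentication_OnAuthenticate(
        object sender, WindowsAuthenticationEventArgs e)
    {
        WindowsIdentity identity = e.Identity;

        // Grant no application roles to anonymous or unauthenticated
        // requests. Leaving e.User unset makes the module attach its
        // default WindowsPrincipal, so authorization rules still apply.
        if (identity == null || identity.IsAnonymous || !identity.IsAuthenticated)
        {
            return;
        }

        // Derive roles only from Windows group membership, never from
        // anything the client sent in the request.
        WindowsPrincipal windowsPrincipal = new WindowsPrincipal(identity);
        List<string> roles = new List<string> { "User" };
        if (windowsPrincipal.IsInRole(AdminGroup))
        {
            roles.Add("Administrator");
        }

        // Assigning e.User replaces the default WindowsPrincipal with a
        // principal that carries the application-defined roles.
        e.User = new GenericPrincipal(identity, roles.ToArray());
    }
}
```

Because the GenericPrincipal wraps the original WindowsIdentity, User.Identity.Name still reports the Windows account, while User.IsInRole checks the application roles assigned here instead of Windows groups.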

See Also

The Passport Authentication Provider   The Forms Authentication Provider



© 2025 Reynald Nuñez and asp.net.ph. All rights reserved.
