| Author: saravanan 14 May 2008 | Member Level: Silver Points : 2 |
Enabling Windows Authentication within an Intranet ASP.NET Web application

Problem: You are building an Intranet web application for your organization, and you want to authenticate the users visiting your site. Specifically, you want to ensure that they are logged in using a valid Windows account on the network, and you want to be able to retrieve each incoming user's Windows account name and Windows group membership within your application code on the server.

Discussion: Authentication is the process of identifying and validating the identity of a client accessing an application. Put more simply -- it is the process of identifying “who” the end-user is when they visit a website.

Authentication is typically used in combination with Authorization -- which is the process of figuring out whether the authenticated user has permissions to access a particular page/resource or to perform some action. For example, when an end-user in a browser tries to access a page, ASP.NET might authenticate the user as “Scott”, and would then run through the configured authorization rules for the requested page to figure out whether “Scott” has permission to access it.

ASP.NET supports multiple ways to authenticate browser users visiting a web application, and implements a flexible set of ways to authorize which permissions they have within the application.
|
| Author: saravanan 14 May 2008 | Member Level: Silver Points : 2 |
You should then add a web.config file to the root directory of your ASP.NET application that contains an section which sets the mode to “Windows”. You should also then add an section to the same web.config file that denies access to “anonymous” users visiting the site. This will force ASP.NET to always authenticate the incoming browser user using Windows Authentication – and ensure that from within code on the server you can always access the username and Windows group membership of the incoming user.

The below web.config file demonstrates how to configure both steps described above:

Note that the directive within the section above is what tells ASP.NET to deny access to the application to all “anonymous” users to the site (the “?” character means anonymous user). This forces Windows to authenticate the user, and ensures that the username is always available from code on the server.

Obtaining the Logged-in Username via Code

Once you follow the above configuration steps, you can easily access the logged-in username and role/group mappings for the authenticated user within ASP.NET. For example, you could use the code-snippet below within an ASP.NET page to easily obtain the username of the visiting user:

    Dim username As String
    username = User.Identity.Name

The code-snippet above works because there is a “User” property built-in to all ASP.NET pages and user-controls. If you want to gain access to this user data from within a regular class or business object (which doesn’t have this property provided), you can write code like below to achieve the same result:

    Dim User As System.Security.Principal.IPrincipal
    User = System.Web.HttpContext.Current.User
    Dim username As String
    username = User.Identity.Name

The code above obtains the User IPrincipal object for the current
|
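An added example, not part of the original post: a helper for the "regular class or business object" case that fails closed when no authenticated Windows user is present and also checks Windows group membership, which the post mentions but does not show. The class name `CurrentWindowsUser`, its method names and the group `CONTOSO\Managers` are hypothetical; the code assumes a web.config that sets `<authentication mode="Windows" />` and places `<deny users="?" />` inside `<authorization>`.

```vbnet
Imports System.Security.Principal
Imports System.Web

' Added example (not the original author's code).
' Assumed web.config settings:
'   <authentication mode="Windows" />
'   <authorization><deny users="?" /></authorization>
Public Class CurrentWindowsUser ' hypothetical helper name

    ' Returns the caller's principal, or Nothing when there is no
    ' authenticated Windows user, so callers deny by default.
    Public Shared Function GetPrincipal() As IPrincipal
        Dim ctx As HttpContext = HttpContext.Current
        ' HttpContext.Current is Nothing on threads that are not serving a request.
        If ctx Is Nothing OrElse ctx.User Is Nothing Then Return Nothing

        Dim id As IIdentity = ctx.User.Identity
        ' An anonymous request carries an identity with IsAuthenticated = False.
        If id Is Nothing OrElse Not id.IsAuthenticated Then Return Nothing

        ' Refuse identities that did not come from Windows authentication
        ' (for example if the authentication mode is later changed).
        If Not (TypeOf id Is WindowsIdentity) Then Return Nothing
        Return ctx.User
    End Function

    ' DOMAIN\account name of the caller, or an empty string when unauthenticated.
    Public Shared Function GetUserName() As String
        Dim p As IPrincipal = GetPrincipal()
        If p Is Nothing Then Return String.Empty
        Return p.Identity.Name
    End Function

    ' True only when an authenticated caller belongs to the Windows group.
    ' groupName uses the DOMAIN\Group form, e.g. "CONTOSO\Managers" (constructed value).
    Public Shared Function IsInGroup(ByVal groupName As String) As Boolean
        If String.IsNullOrEmpty(groupName) Then Return False
        Dim p As IPrincipal = GetPrincipal()
        Return p IsNot Nothing AndAlso p.IsInRole(groupName)
    End Function
End Class
```

Treat a `False` or empty result as "deny": the helper never falls back to a default account when the identity is missing.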