Tuesday, 4 November 2014

How to implement Windows authentication and authorization in ASP.NET

Authentication and authorization
Windows authentication and Windows authorization are two terms that are frequently interchanged, but they do not mean the same thing. Windows authentication lets the server establish who the user is. Windows authorization determines which resources that authenticated user may access.

Configure Web application for Windows authentication

To configure your Web application for Windows authentication, follow these steps:
  1. Create an ASP.NET Web Application named ASPNETWinAuth. By default, the WebForm1.aspx file appears.
  2. In the HTML view of WebForm1.aspx, replace the existing code with the following sample code:
    <%=User.Identity.Name%>
    
  3. Click Start, point to Programs, point to Administrative tools, and then click Internet Information Services.
  4. The Internet Information Services MMC appears. Expand Computer, and then expand a Web site that uses Windows authentication.
  5. Click the ASPNETWinAuth Web site application.
  6. On the Action menu, click Properties.
  7. In Properties, click the Directory Security tab.
  8. Under Anonymous access and authentication control, click Edit.
  9. In Authentication Methods, click to select Integrated Windows authentication. Click to clear all other check boxes.
  10. Click OK.
  11. In Properties, click OK. The ASPNETWinAuth Web application is now configured to accept valid user accounts.

Configure the ASP.NET application

After you configure the IIS Web site for Integrated Windows Authentication, you must configure the ASP.NET application to use the identity that IIS established. To do this, change the Web.config file: locate the <authentication> tag and set the mode attribute to Windows, as in the following example. In this mode ASP.NET performs no authentication of its own; it trusts the Windows identity that IIS authenticated, which is why anonymous access must be turned off in IIS (step 9 above). If anonymous access is left enabled, User.Identity.Name is an empty string.
<authentication mode="Windows" />

Test authentication

To test your Windows authentication setting, follow these steps:
  1. In Microsoft Internet Explorer, view the WebForm1.aspx page under http://localhost. For example:
    http://Localhost/ASPNETWinAuth/WebForm1.aspx
    Because Integrated Windows Authentication uses the current Windows logon on the client computer, the browser does not immediately prompt for a user name and password (Internet Explorer sends the current credentials automatically for sites in its Local intranet zone). If the authentication exchange cannot identify the user, a dialog box appears that prompts for a Windows user account name and password.
  2. Type a valid user name and password. When the page loads, your user name appears in the following format:
    Domain Name\User Name

Restrict access

In ASP.NET, you set authorization to the application by adding settings in the Web.config file. You can specify which users or groups are permitted to have access to what resources as follows:
  • To permit all users of an NT Group named Managers to have access to your resources, use the following code:
    <configuration>
      <system.web>
        <authorization>
          <allow roles="domainname\Managers" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>
    
  • To permit only specific users to have access, use the following code:
    <configuration>
      <system.web>
        <authorization>
          <allow users="domainname\user1,domainname\user2,domainname\user3" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>
    
    Note You can specify multiple roles or users by using a comma-separated list. Rules are evaluated in the order they appear and the first match wins, so the <deny users="*" /> element must come after the <allow> elements; the inherited ASP.NET default is <allow users="*" />, so without a final deny every user who authenticates is allowed in. The wildcard "*" means all users and "?" means anonymous users only; with Windows authentication every caller is already authenticated, so "?" matches nobody. Verify that you use the correct case when you specify the configuration file elements and the attribute values: this configuration is case sensitive.
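The rule-ordering point above is easy to get wrong in a real web.config. The following PowerShell script is an added example (it is not from the original article) that parses a web.config and reports the mistakes that quietly defeat an allow-list: a wrong or mis-cased authentication mode, a missing <authorization> section, rules placed after a <deny users="*" /> (unreachable, because the first match wins), and a list that never ends in a deny for "*". The two sample configurations at the bottom are constructed for the demonstration; the first has the deny before the allow, the second is the allow-list from the article.

```powershell
# Added example, not from the original article: check a web.config for the
# <authorization> mistakes that quietly defeat the allow-lists shown above.
# ASP.NET evaluates rules top-down and stops at the first match, and the
# machine-wide default is <allow users="*"/>, so an allow-list that does not end
# in <deny users="*"/> still admits every authenticated account.
function Test-AspNetAuthorization {
    param([Parameter(Mandatory)][string]$ConfigPath)

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $findings = @()

    # mode is an enum value in ASP.NET and is case sensitive ('windows' is a config error)
    $auth = $cfg.configuration.'system.web'.authentication
    if (-not $auth -or $auth.mode -cne 'Windows') {
        $findings += "authentication mode is '$($auth.mode)', expected 'Windows' (case sensitive)"
    }

    # <authorization> may appear under <system.web> and inside any <location path="..."> block
    $sections = @($cfg.GetElementsByTagName('authorization'))
    if ($sections.Count -eq 0) {
        $findings += 'no <authorization> section: the inherited <allow users="*"/> applies'
    }
    foreach ($sec in $sections) {
        $scope = 'system.web'
        $loc = $sec.ParentNode.ParentNode
        if ($loc.LocalName -eq 'location') { $scope = "location '$($loc.path)'" }

        $rules  = @($sec.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        $closed = $false                       # set once a rule matches everyone
        for ($i = 0; $i -lt $rules.Count; $i++) {
            $r = $rules[$i]
            if ($closed) {
                $findings += "$scope, rule $($i + 1) <$($r.LocalName)> is unreachable: an earlier <deny users=`"*`"/> matches first"
                continue
            }
            # '?' is the anonymous user only; with anonymous access off in IIS it never
            # matches, so only deny users="*" actually closes the list.
            if ($r.LocalName -eq 'deny' -and $r.users -eq '*') { $closed = $true }
        }
        if (-not $closed) {
            $findings += "$scope does not end with <deny users=`"*`"/>: accounts not listed fall through to the inherited allow"
        }
    }
    return $findings
}

# Constructed samples (not real configuration from any system).
$weak = @'
<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="*" />
    <allow roles="domainname\Managers" />
  </authorization>
</system.web></configuration>
'@
$good = @'
<configuration><system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow roles="domainname\Managers" />
    <deny users="*" />
  </authorization>
</system.web></configuration>
'@
$weakPath = Join-Path $env:TEMP 'weak.web.config'; Set-Content -LiteralPath $weakPath -Value $weak
$goodPath = Join-Path $env:TEMP 'good.web.config'; Set-Content -LiteralPath $goodPath -Value $good

'weak: ' + ((Test-AspNetAuthorization -ConfigPath $weakPath) -join '; ')
'good: ' + ((Test-AspNetAuthorization -ConfigPath $goodPath) -join '; ')
```

Point the function at the web.config of your own application (for example the ASPNETWinAuth one above) to check it. The deny-first sample is reported because its <allow> can never be reached, which in practice means nobody, Managers included, can open the site; the reverse mistake, an allow-list with no final deny, is the one that lets everyone in and is the reason the check insists on a closing <deny users="*" />.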

Monday, 3 November 2014

Windows Authenticated logon configuration for Microsoft IIS7

<configuration>
    <system.web>
        <compilation debug="true" targetFramework="4.0" />
        <authentication mode="Windows" />

    </system.web>
</configuration>
After declaring this in web.config, a number of steps still have to be performed in IIS. Note that debug="true" in the <compilation> element is a development setting and should be false on a production server.

Configuration

Step 1.  Setup and configure the HelpMaster Active Directory module


Before any Windows-based authentication can take place for any of the HelpMaster modules, including the web interface, you will need to first install, configure and run the HelpMaster Active Directory module to synchronize your HelpMaster users with a valid Active Directory account.  See Active Directory Module Overview for the installation and configuration process.

 Step 2.  Create a Windows Authentication 'hmplogin' virtual directory / application on IIS

In order for the Windows Authentication feature of IIS 7 to work, it must first be installed.  This component is not installed by default, so you may need to install it.  See Installing Microsoft IIS 7 for details, and ensure that the "Windows Authentication" checkbox is selected during the install.

In addition to the creation of the required virtual directory for the web interface, a second directory needs to be created called 'hmplogin'.  Unlike the standard HelpMaster web interface virtual directory which accepts anonymous authentication, this virtual directory will be configured to authenticate valid Windows accounts (network accounts) only.  Once authentication has been successful, the authenticated Windows user will be automatically re-directed back to the standard HelpMaster web interface application and automatically logged in with their corresponding HelpMaster account.
To configure the Windows Authentication virtual directory, perform the following steps on your HelpMaster web server.  The following steps reflect the steps required for IIS version 7.
  1. Open the IIS Manager by selecting Control Panel > Administrative Tools > Internet Information Services (IIS) Manager
  2. "Right click" on the Default Web Site node/branch and select Add application... from the pop-up menu
    The properties for a new application will be displayed.
  3. The "Add Application" screen contains several settings that need to be configured.  After each of the settings below have been configured, click OK to create the web application.
    Alias : This is the name of your HelpMaster Windows authentication web application.  It should be a single word without spaces, and it forms the URL you will use to reach the module, eg. www.machinename.com/virtualdirectoryalias.  It is recommended that you call this application "hmplogin"; that is the name used throughout this documentation.

    Application pool : Select the application pool that the HelpMaster web interface will operate in.  Choose the default, or select / create an application pool.  For further information about Application pools, refer to

    Physical path : Click the "..." button to browse to where you installed HelpMaster.  It is vital that you select the [HMP Web Install Path]\WinLogin folder.  If you accepted the default settings during setup, this location may be "C:\inetpub\wwwroot\HelpMaster Web Interface\WinLogin" or similar.  Note: If you moved this folder at any time, or wish to re-locate this folder, please read this first.

    Connect as... : Select the connection method.  It is vital that this setting is "Application user (pass-through authentication)" (Important!), so that IIS accesses the content with the identity of the request rather than with a stored, fixed account.


  4. Once the HelpMaster "hmplogin" application has been created, ensure that it is configured for Windows Authentication.

    Click on the "hmplogin" application, then find the "Authentication" icon in the "IIS" group.  Right-click and select "Open Feature"

    If the Windows Authentication icon is not displayed, it most likely means that it is not installed.  See Installing Microsoft IIS 7 for details, and ensure that the "Windows Authentication" checkbox is selected during the install.

  5. Right-click on "Windows Authentication" and select "Enable" from the pop-up menu.

Step 3.  Configuring redirect for un-authenticated requests (optional)


Now that you have created a web application that accepts Windows authenticated logins, you may want to configure how it handles logins that cannot be authenticated for whatever reason (an expired account, network issues, a non-network login, and so on).  When an authentication request fails, IIS can be configured to redirect the user back to the standard HelpMaster login page, where they can log on to the HelpMaster web interface with their HelpMaster account.
To configure un-authenticated request redirection, perform the following steps on your HelpMaster web server.
  1. Click on the "hmplogin" application, then find the "Error Pages" icon in the "IIS" group.  Right-click and select "Open Feature"

  2. Edit the properties for '401;1' and '401;2'.  These are the IIS sub-status codes for authentication failures (401.1: logon failed; 401.2: access denied due to server configuration).  Rather than display the default error page, you can redirect these errors to the standard HelpMaster web interface application that you configured previously.

Disabling Anonymous Access to the Admin Site

Configuring IIS 7 to Force Authentication on the Admin Site

This article describes how to use IIS authentication to further protect and secure your AspDotNetStorefront admin site. The concepts covered here require an understanding of Windows Security, and should be undertaken by a knowledgeable IT professional. Improperly configured security settings on a publicly facing server can potentially make the server vulnerable to attack or prevent legitimate users from accessing the system.

Choosing between Windows Authentication and Basic Authentication

IIS 7 gives administrators several settings to choose from for authenticating users.

For the purpose of this article, we will cover the two applicable options. 

Windows Authentication in IIS 7 is the more secure of the two: it uses Kerberos or NTLM (the Negotiate and NTLM providers), which are ticket- or challenge/response-based, so the password itself is never sent to the server. Many non-Microsoft browsers of the time did not support it, and some clients and proxies still cannot complete the exchange, so if your admin site is accessed from such clients, Basic Authentication should be used instead.

Basic Authentication works with practically every browser and device. The important point is that it does not protect the credentials at all: the user name and password are sent base64-encoded (not hashed or encrypted) with every request, so the transport has to protect them. Sites using Basic Authentication should always require SSL/TLS for the admin site, which encrypts the credentials in transit in both directions.

Disabling Anonymous Access to the Admin Site

1. Open the IIS Management Console on the web server
2. Expand the Sites folder
3. Expand your AspDotNetStorefront web site
4. Select the Admin folder
5. Double-Click the IIS - Authentication option
6. Under Authentication, select the Anonymous Authentication and click 'Disable' in the Actions pane on the right
7. For Windows Authentication: Select the Windows Authentication and click 'Enable' in the Actions pane on the right
8. For Basic Authentication: Select the Basic Authentication and click 'Enable' in the Actions pane on the right
NOTE: Both mechanisms can be enabled on the same site. IIS then sends both WWW-Authenticate challenges (Negotiate/NTLM and Basic) and the browser picks one it supports; browsers that support Windows Authentication prefer it and fall back to Basic only when they cannot complete it, so the Basic fallback must also be protected by SSL/TLS.

NOTE: If using Basic Authentication, IIS warns that "...credentials will be sent in clear text over the wire". This is accurate at the HTTP level; over a valid SSL/TLS connection the whole request, credentials included, is encrypted in transit, which is why SSL is required with Basic.

NOTE: With Windows Authentication you will get an Alert stating that "Challenge-based and login redirect-based authentication cannot be used simultaneously." IIS raises this whenever ASP.NET Forms authentication is enabled alongside a challenge-based method; the storefront's own login page still works after the IIS challenge, so the alert can be ignored here.
9. If using Windows Authentication only, restart the site. If using Basic Authentication, select Basic Authentication and click "Edit..." in the Actions pane to the right, enter your site domain as the default domain (the Realm is optional; it is only the label shown in the browser's credential prompt), then click OK
10. If requiring HTTPS for the admin console, double-click the IIS - SSL Settings for the Admin folder, and check "Require SSL". NOTE that the site needs an HTTPS binding with a valid certificate before this option is available
11. Restart the site
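Both procedures above (the HelpMaster 'hmplogin' application and the AspDotNetStorefront Admin folder) make the same IIS 7 changes by clicking through IIS Manager: turn anonymous authentication off, turn Windows authentication on, optionally add Basic, require SSL, and redirect the 401 sub-statuses. The following script is an added example, not part of either product's documentation, that applies those settings with the WebAdministration module so they can be reviewed, repeated on another server and checked afterwards. The site name, physical path, application pool, domain and login URL are assumptions for illustration; run it in an elevated PowerShell on the web server.

```powershell
# Added example (not HelpMaster or AspDotNetStorefront code): the IIS 7 settings
# from the two procedures above, applied with the WebAdministration module.
# Site, path, pool, domain and login URL values below are assumptions.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'   # settings land in <location> blocks of applicationHost.config

function Set-IisAuthenticatedApp {
    param(
        [Parameter(Mandatory)][string]$Site,     # e.g. 'Default Web Site'
        [Parameter(Mandatory)][string]$App,      # application or folder under the site, e.g. 'hmplogin'
        [string]$PhysicalPath,                   # when given, the application is created if missing
        [string]$AppPool = 'DefaultAppPool',
        [switch]$Basic,                          # enable Basic in addition to Windows
        [string]$DefaultLogonDomain,             # the "domain" the article's step 9 asks for
        [string]$BasicRealm,                     # optional label shown in the browser prompt
        [switch]$RequireSsl,
        [string]$RedirectUnauthenticatedTo       # e.g. '/HelpMaster/Login.aspx' (applied to 401;1 and 401;2)
    )
    $loc  = "$Site/$App"
    $auth = 'system.webServer/security/authentication'

    if ($PhysicalPath -and -not (Get-WebApplication -Site $Site -Name $App)) {
        # New-WebApplication stores no userName/password, which is "Application user
        # (pass-through authentication)": content is accessed with the request's identity.
        New-WebApplication -Site $Site -Name $App -PhysicalPath $PhysicalPath -ApplicationPool $AppPool | Out-Null
    }

    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

    if ($Basic) {
        # Basic sends base64(user:password) with every request, so refuse it without TLS.
        if (-not $RequireSsl) { throw 'Basic authentication requires -RequireSsl' }
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$auth/basicAuthentication" -Name enabled -Value $true
        if ($DefaultLogonDomain) { Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$auth/basicAuthentication" -Name defaultLogonDomain -Value $DefaultLogonDomain }
        if ($BasicRealm)         { Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter "$auth/basicAuthentication" -Name realm -Value $BasicRealm }
    }
    if ($RequireSsl) {
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
    if ($RedirectUnauthenticatedTo) {
        # errorMode=Custom so the redirect also fires when testing from the server itself.
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter 'system.webServer/httpErrors' -Name errorMode -Value 'Custom'
        foreach ($sub in 1, 2) {   # 401.1 logon failed, 401.2 denied by server configuration
            $exists = Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter "system.webServer/httpErrors/error[@statusCode='401' and @subStatusCode='$sub']"
            if (-not $exists) {
                Add-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter 'system.webServer/httpErrors' -Name '.' `
                    -Value @{ statusCode = 401; subStatusCode = $sub; path = $RedirectUnauthenticatedTo; responseMode = 'Redirect' }
            }
        }
    }
}

function Get-IisAuthState {
    # Returns the effective authentication and SSL settings for a site/app.
    param([Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$App)
    $state = [ordered]@{}
    foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        $state[$m] = (Get-WebConfiguration -PSPath $AppHost -Location "$Site/$App" -Filter "system.webServer/security/authentication/$m").enabled
    }
    $state.sslFlags = (Get-WebConfiguration -PSPath $AppHost -Location "$Site/$App" -Filter 'system.webServer/security/access').sslFlags
    return $state
}

# HelpMaster: Windows-only 'hmplogin' application that falls back to the normal login page (assumed URL)
Set-IisAuthenticatedApp -Site 'Default Web Site' -App 'hmplogin' `
    -PhysicalPath 'C:\inetpub\wwwroot\HelpMaster Web Interface\WinLogin' `
    -RedirectUnauthenticatedTo '/HelpMaster/Login.aspx'

# Storefront admin folder: Windows plus Basic, HTTPS only (assumed site and domain)
Set-IisAuthenticatedApp -Site 'Default Web Site' -App 'admin' -Basic -DefaultLogonDomain 'CORP' -RequireSsl

Get-IisAuthState -Site 'Default Web Site' -App 'admin'
```

Two checks are worth doing after running it. First, compare Get-IisAuthState with what IIS Manager shows and browse to the application from a machine outside the domain, which is where Basic (and therefore the SSL requirement) actually gets exercised. Second, for the 401 redirect, confirm that a domain browser is still logged in automatically: the redirect turns the 401 into a 302, so if clients stop being challenged after it is added, remove the 401;2 entry and keep only 401;1, which is the "wrong credentials" case the fallback is really for.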

Giving Users Access to the Admin Site

Once Basic or Windows Authentication is enabled on your admin site, user access to the entire directory is controlled using NTFS permissions. To assign a user permission to access your admin site: 

1. Create a new user account in Windows using Computer Management (or Active Directory Users and Computers if your server is a member of an Active Directory domain).
2. Using Windows Explorer, browse to the directory that contains your AspDotNetStorefront web site files.
3. Right click the Admin folder and choose Properties.
4. Click the Security tab and click Add.
5. Enter the name of the user you just created and click OK, or click advanced to view a list of all users you can add.
6. Assign the user Read, List folder contents, and Read & Execute permissions on the Admin folder (no Write or Modify).
7. Click OK.
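The same NTFS change as an added example, not from the AspDotNetStorefront article, using Get-Acl and Set-Acl. It also performs the check the click-through steps leave out: if a broad inherited entry (BUILTIN\Users is common under inetpub) still grants Read on the Admin folder, every authenticated Windows account passes file authorization regardless of which user you added. The script therefore breaks inheritance, removes the broad groups, grants the named accounts Read & Execute, keeps read access for the application pool identity (the worker process still has to load the pages), and then verifies the result. The folder, account and application pool names are assumptions.

```powershell
# Added example (not from the AspDotNetStorefront article): grant named accounts
# Read & Execute on the Admin folder and make sure no broad group still gets in.
# Folder, account and application pool names are assumptions.
function Grant-AdminFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Folder,                   # e.g. 'C:\inetpub\wwwroot\Storefront\Admin'
        [Parameter(Mandatory)][string[]]$Account,                # 'DOMAIN\alice' or 'SERVER\alice'
        [string]$AppPoolIdentity = 'IIS AppPool\DefaultAppPool'  # worker process identity, still needs to read the files
    )
    $rx    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute   # = Read + List + Read & Execute
    $inh   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # 1. Stop inheriting from wwwroot, keeping copies of the inherited entries as explicit ones.
    $acl = Get-Acl -LiteralPath $Folder
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Folder -AclObject $acl

    # 2. Drop the broad groups, then add the named accounts and the worker identity.
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($broad in 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users') {
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$broad)
    }
    foreach ($who in $Account + $AppPoolIdentity) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, $rx, $inh, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

function Test-AdminFolderAcl {
    # True when no broad principal has an Allow entry on the folder; warns about each one found.
    param([Parameter(Mandatory)][string]$Folder)
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $leaks = (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }
    foreach ($l in $leaks) { Write-Warning "$($l.IdentityReference) still has $($l.FileSystemRights) on $Folder" }
    return (-not $leaks)
}

Grant-AdminFolderAccess -Folder 'C:\inetpub\wwwroot\Storefront\Admin' -Account 'CORP\alice', 'CORP\bob'
Test-AdminFolderAcl -Folder 'C:\inetpub\wwwroot\Storefront\Admin'
(Get-Acl -LiteralPath 'C:\inetpub\wwwroot\Storefront\Admin').Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run Test-AdminFolderAcl before making any change as well: if it already reports BUILTIN\Users, the article's step 6 on its own would not have restricted anything. IIS_IUSRS is deliberately left alone, since it is a server-local group rather than "everyone who can log on".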

Testing Authentication

1. Go to http://yoursite/admin or https://yoursite/admin (depending on whether SSL is required or not).
2. If all steps were done properly, the browser prompts you for credentials, unless it silently sends your current Windows logon, which Internet Explorer does for sites in its Local intranet zone when Windows Authentication is enabled.
3. Enter your Windows user account username and password and click OK.
4. You should now be taken to your Admin site’s login page.