Ask the Expert

How to authenticate the users using their WinNT logins?

I am busy developing a Web application using ASP.NET and I'd like to authenticate the users using the users' WinNT logins. How do I do that? I read about it here and there and just got lost somewhere within readings on system.directoryservices, LDAP, ADSI...can you help?


Security is a big subject. I would like to refer you to Professional ASP .NET (Wrox Press). This subject is discussed rather well in Chapter 14, "Securing ASP.NET Applications". One thing to keep in mind before we proceed is that you will have to create and manage a Windows login for each user who will connect to your site if you use their NT account for authentication. If you have many users or if the users are added and deleted frequently, that can be a nightmare to manage.

In some cases, it makes sense to use Windows Authentication. Here is a brief discussion of the basic steps to set this up. For a more in-depth, but easy to follow treatment, check out the book I mentioned above.

1. Set the authentication mode and turn on impersonation in web.config. Here's an example of part of web.config:

	<authentication mode="Windows" />
	<identity impersonate="true" />

2. You can also specify a list of groups and users that are allowed access through allow and deny elements in the <authorization> element like so:

	<allow roles="comma-separated list of Windows account groups"
	       users="comma-separated list of Windows user accounts" />

The verb attribute is optional and at least one of roles or users (or both) must be present. This is a very basic discussion of this topic. There are many other options available. For example, if you set up this information in the machine.config file, it controls access for all .NET apps on that particular server. Another option to consider is using Passport authentication, details can be found at Still another option is to use Forms-based authentication. This is an improvement on how we have done authentication in ASP applications in the past. It makes it very easy to implement.

Once a user is authenticated, you can find out information on the current user programmatically through the User object. The User object is a property of the HttpContext object and provides information about the user, including whether they belong to a particular group, how they were authenticated (Forms, NTLM, Basic, Passport), what their user name is, etc.

This was first published in April 2002
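
The two steps in the answer above, put together as one web.config (an added example, not part of the original answer). The CONTOSO domain, the group and user names and the admin folder are constructed placeholders. The example also shows that authorization rules are evaluated top to bottom, so an allow rule only restricts access when a deny rule follows it.

```xml
<?xml version="1.0"?>
<!-- Added example. All account names and the "admin" path are constructed. -->
<configuration>
  <system.web>
    <!-- Take the caller's identity from IIS. Anonymous access must be
         switched off in IIS for the site, otherwise requests arrive
         without a Windows user name. -->
    <authentication mode="Windows" />

    <!-- Run each request under the authenticated user's Windows account,
         so file system ACLs apply to that user rather than to the
         ASP.NET worker process account. -->
    <identity impersonate="true" />

    <authorization>
      <!-- Rules are checked in order and the first match wins. -->
      <!-- "?" means anonymous (unauthenticated) requests. -->
      <deny users="?" />

      <!-- Windows groups and users are written as DOMAIN\name. -->
      <allow roles="CONTOSO\WebAppUsers" users="CONTOSO\alice" />

      <!-- Without this final rule, the allow users="*" default inherited
           from machine.config would still let every authenticated
           account in, and the allow rule above would restrict nothing. -->
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rules for one subfolder of the same application. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAppAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```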
