I am busy developing a Web application using ASP.NET and I'd like to authenticate the users using the users' WinNT logins. How do I do that? I read about it here and there and just got lost somewhere within readings on System.DirectoryServices, LDAP, ADSI... can you help?

Security is a big subject. I would like to refer you to Professional ASP .NET (Wrox Press). This subject is discussed rather well in Chapter 14, "Securing ASP.NET Applications". One thing to keep in mind before we proceed is that you will have to create and manage a Windows login for each user who will connect to your site if you use their NT account for authentication. If you have many users or if the users are added and deleted frequently, that can be a nightmare to manage.
In some cases, it makes sense to use Windows Authentication. Here is a brief discussion of the basic steps to set this up. For a more in-depth, but easy to follow treatment, check out the book I mentioned above.
1. Set the authentication mode and turn on impersonation in web.config. Here's an example of part of web.config:
   <configuration>
     <system.web>
       <authentication mode="Windows" />
       <identity impersonate="true" />
     </system.web>
   </configuration>

2. You can also specify a list of groups and users that are allowed access through allow and deny elements in the <authorization> element like so:

   <allow roles="comma-separated list of Windows account groups"
          users="comma-separated list of Windows user accounts"
          verb="GET|POST|HEAD" />

The verb attribute is optional, and at least one of roles or users (or both) must be present. This is a very basic discussion of this topic. There are many other options available. For example, if you set up this information in the machine.config file, it controls access for all .NET apps on that particular server. Another option to consider is using Passport authentication; details can be found at www.passport.com. Still another option is to use Forms-based authentication. This is an improvement on how we have done authentication in ASP applications in the past. It makes it very easy to implement. Once a user is authenticated, you can find out information on the current user programmatically through the User object. The User object is a property of the HttpContext object and provides information about the user, including whether they belong to a particular group or not, how they were authenticated (Forms, NTLM, Basic, Passport), what their user name is, etc.
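A fuller web.config that puts steps 1 and 2 together, added here as an example and not taken from the answer above or from the Wrox book. The domain EXAMPLEDOM and its groups WebUsers and WebAdmins are made-up names, and the verb list of an allow/deny element is written in its verbs attribute, comma separated.

```xml
<?xml version="1.0"?>
<!-- Added example; EXAMPLEDOM, WebUsers and WebAdmins are placeholder names. -->
<configuration>
  <system.web>
    <!-- IIS performs the Windows (NTLM or Kerberos) handshake; ASP.NET
         only consumes the resulting identity. -->
    <authentication mode="Windows" />

    <!-- Run each request under the caller's token, so NTFS and SQL Server
         ACLs are enforced per user rather than per worker process.
         Caveat: an NTLM token cannot be forwarded to a second server
         (the "double hop"); that needs Kerberos with delegation. -->
    <identity impersonate="true" />

    <!-- Rules are evaluated top to bottom and the first match wins.
         machine.config ends with <allow users="*" />, so a site that
         does not close with an explicit deny lets everyone through. -->
    <authorization>
      <deny users="?" />                                    <!-- ? = anonymous -->
      <allow roles="EXAMPLEDOM\WebAdmins" />
      <allow roles="EXAMPLEDOM\WebUsers" verbs="GET,HEAD" /> <!-- read-only -->
      <deny users="*" />                                    <!-- * = everyone -->
    </authorization>
  </system.web>

  <!-- Per-folder override: only the admin group may reach /admin. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="EXAMPLEDOM\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, User.Identity.Name returns the DOMAIN\user string and User.IsInRole("EXAMPLEDOM\WebAdmins") answers the group question in code without any LDAP or ADSI calls.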