In some cases, it makes sense to use Windows Authentication. Here is a brief discussion of the basic steps to set this up. For a more in-depth but easy-to-follow treatment, check out the book I mentioned above.
1. Set the authentication mode and turn on impersonation in web.config. Here's an example of part of web.config:
    <configuration>
      <system.web>
        <authentication mode="Windows" />
        <identity impersonate="true" />
      </system.web>
    </configuration>

2. You can also specify a list of groups and users that are allowed access through allow and deny elements in the <authorization> element like so:
    <allow roles="comma-separated list of Windows account groups"
           users="comma-separated list of Windows user accounts"
           verbs="comma-separated list of HTTP verbs (GET, POST, HEAD)" />

The verbs attribute is optional, and at least one of roles or users (or both) must be present.

This is a very basic discussion of this topic. There are many other options available. For example, if you set up this information in the machine.config file, it controls access for all .NET apps on that particular server. Another option to consider is using Passport authentication; details can be found at www.passport.com. Still another option is to use Forms-based authentication. This is an improvement on how we have done authentication in ASP applications in the past. It makes it very easy to implement.

Once a user is authenticated, you can find out information on the current user programmatically through the User object. The User object is a property of the HttpContext object and provides information about the user, including whether they belong to a particular group, how they were authenticated (Forms, NTLM, Basic, Passport), what their user name is, etc.
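Steps 1 and 2 above combined into one web.config, as an added example that is not from the original article. The group and user names are constructed placeholders. It shows the point that is easy to miss in step 2: an allow rule restricts nothing unless a deny rule follows it.

```xml
<!-- Added example. CONTOSO\WebAppUsers and CONTOSO\auditor are
     constructed placeholder names, not values from the article. -->
<configuration>
  <system.web>
    <!-- Step 1: IIS authenticates the caller and ASP.NET uses the
         resulting Windows identity. Anonymous access must be turned
         off in IIS for the site, or callers arrive unauthenticated. -->
    <authentication mode="Windows" />

    <!-- With impersonation on, request code runs under the
         authenticated user's Windows account, so file and database
         permissions are checked against that account. -->
    <identity impersonate="true" />

    <!-- Step 2: rules are evaluated top to bottom and the first
         matching rule wins. -->
    <authorization>
      <!-- Grant access to one Windows group and one named account. -->
      <allow roles="CONTOSO\WebAppUsers" users="CONTOSO\auditor" />

      <!-- Deny everyone else. Without this line the search falls
           through to the inherited default rule, which allows all
           users, and the allow rule above has no restricting effect. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

To check the rules, request a page as an account outside the listed group and confirm the server answers with 401 rather than the page.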
This was first published in April 2002