How to implement Windows authentication and authorization in ASP.NET (323176)
The information in this article applies to:
- Microsoft ASP.NET (included with the .NET Framework 1.1)
- Microsoft ASP.NET (included with the .NET Framework) 1.0
This article was previously published under Q323176

SUMMARY
This step-by-step article describes how to implement Windows
authentication and authorization in an ASP.NET application. To use the
built-in security of Windows and ASP.NET, implement Windows authentication and
authorization on groups and users. To use Windows authentication, you must
adjust settings in both Microsoft Internet Information Services (IIS) and the
ASP.NET application Web.config file.

Requirements
- Microsoft Windows 2000 Professional, Windows 2000
Server, Windows 2000 Advanced Server, or Windows XP Professional
- Microsoft .NET Framework
- Microsoft Internet Information Services (IIS)
- Microsoft Visual Studio .NET

Authentication and authorization
Windows authentication and Windows authorization are two terms that are frequently interchanged. However, they do
not have the same meaning. Windows authentication permits the recipient to
determine the user's identity. Windows authorization determines the resources
to which a user may gain access.

Configure Web application for Windows authentication
To configure your Web application for Windows authentication,
follow these steps:
- Create an ASP.NET Web Application named ASPNETWinAuth.
By default, the WebForm1.aspx file appears.
- In the HTML view of WebForm1.aspx, replace the existing
code with the following sample code:
<%=User.Identity.Name%>
- Click Start, point to Programs, point to Administrative tools, and then click Internet Information Services.
- The Internet Information Services MMC appears. Expand Computer, and then expand a Web site that uses Windows
authentication.
- Click the ASPNETWinAuth Web site application.
- On the Action menu, click Properties.
- In Properties, click the Directory Security tab.
- Under Anonymous access and authentication control, click Edit.
- In Authentication Methods, click to select Integrated Windows authentication. Click to clear all other check boxes.
- Click OK.
- In Properties, click OK. The ASPNETWinAuth Web application is now configured to accept
valid user accounts.

Configure the ASP.NET application
After you configure the IIS Web site for Integrated Windows
Authentication, you must configure the ASP.NET application to recognize
authenticated users. To do this, you must change the Web.config file. In the
Web.config file, locate the <authentication> tag, and then set the mode attribute to Windows, as in the following example:
<authentication mode="Windows" />

Test authentication
To test your Windows authentication setting, follow these steps:
- In Microsoft Internet Explorer, view the WebForm1.aspx
page. This page is located in the Http://Localhost folder. For example:
http://Localhost/ASPNETWinAuth/WebForm1.aspx
Because Integrated Windows Authentication uses the
current Windows user information on the client computer for the authentication,
it does not immediately prompt the user for a user name and password. However,
if the authentication exchange cannot identify the user, a dialog box appears
that prompts the user for a Windows user account user name and password.
- Type a valid user name and password. When the page
loads, your user name appears in the following format:

Restrict access
In ASP.NET, you set authorization to the application by adding
settings in the Web.config file. You can specify which users or groups are
permitted to have access to what resources as follows:
- To permit all users of an NT Group named Managers to
have access to your resources, use the following code:
<configuration>
  <system.web>
    <authorization>
      <allow roles="domainname\Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
- To permit only specific users to have access, use the
following code:
<configuration>
  <system.web>
    <authorization>
      <allow users="domainname\user1,domainname\user2,domainname\user3" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Note You can specify multiple roles or users by using a comma-separated
list. Verify that you use the correct case when you specify the
configuration file element and the associated attribute values. This code is
case sensitive.
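
The rules above depend on their order: ASP.NET applies authorization rules top-down and the first match decides, with an inherited <allow users="*" /> as the fallback when nothing matches. The following Python sketch is an added example, not part of the original article; it models that evaluation for the Managers configuration and reports a Web.config that leaves access open. The function names, the sample accounts, and the simplified matching (no verbs attribute, no <location> handling) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's Managers rule plus Windows authentication.
WEB_CONFIG = r"""
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="domainname\Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

def _names(value):
    # Windows account names are case-insensitive, so compare in lower case.
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def load_rules(config_xml):
    """Return (authentication mode, [(action, users, roles), ...]) in file order."""
    web = ET.fromstring(config_xml).find("system.web")
    auth = web.find("authentication")
    rules = [(el.tag, _names(el.get("users")), _names(el.get("roles")))
             for el in web.findall("authorization/*")]
    return (auth.get("mode") if auth is not None else None), rules

def is_authorized(rules, user, roles=()):
    """Apply rules top-down; the first match decides. user=None is anonymous."""
    name = user.lower() if user else None
    held = _names(",".join(roles))
    for action, users, rule_roles in rules:
        if ("*" in users or (name is None and "?" in users)
                or name in users or held & rule_roles):
            return action == "allow"
    return True  # no rule matched: inherited default <allow users="*" /> applies

def audit(config_xml):
    """List ways the configuration fails to restrict access."""
    mode, rules = load_rules(config_xml)
    findings = []
    if mode != "Windows":
        findings.append("authentication mode is not Windows")
    if is_authorized(rules, None):
        findings.append("anonymous requests are authorized")
    if is_authorized(rules, r"domainname\outsider"):
        findings.append("a user matching no allow rule is authorized")
    return findings
```

Removing the trailing <deny users="*" /> makes audit() report both open-access findings, and placing the deny rule before the allow rule locks out Managers as well.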

REFERENCES
For more information about an ASP.NET security and configuration overview, click the following article numbers to view the articles in the Microsoft Knowledge Base:
306590 ASP.NET security overview
307626 ASP.NET configuration overview
For more information about authentication and
authorization elements, visit the following Microsoft Web sites:
Modification Type: Major | Last Reviewed: 10/7/2005
Keywords: kbWebForms kbConfig kbAuthentication kbHOWTOmaster kbSecurity KB323176 kbAudDeveloper