Windows Authentication Provider

The WindowsAuthenticationModule provider relies on Microsoft Internet Information Services (IIS) to provide authenticated users, using any of the mechanisms that IIS supports. If you want to implement site security with a minimum of ASP.NET coding, this is the provider configuration you should use. The provider module constructs a WindowsIdentity object. The default implementation constructs a WindowsPrincipal object and attaches it to the application context. The WindowsPrincipal object maps identities to Windows groups.

If you use IIS authentication, the provider module uses the authenticated identity passed in from IIS. IIS authenticates the identity using basic, digest, or Integrated Windows authentication, or some combination of them. You can use impersonation and NTFS ACL permissions to restrict or allow access to protected resources.

An important reason to use the WindowsAuthenticationModule provider is to implement an impersonation scheme that can use any of the authentication methods that IIS might already have performed before passing the request to the ASP.NET application. To do this, set the authentication mode to Windows, and confirm that the impersonate attribute of the identity element is set to true, as shown in the following example:

<authentication mode="Windows"/>
<identity impersonate="true"/>

Note that configuring an ASP.NET application has no effect on the IIS Directory Security settings. The two systems are independent and are applied in sequence: IIS authenticates the request first, and ASP.NET then applies its own authentication mode. In addition to selecting an authentication mode for an ASP.NET application, you must also configure IIS authentication appropriately.

Next, you must set the NTFS ACLs to allow access only to the proper identities. If you want to enable impersonation for only a short time during request processing, you can do it by using an impersonation context and WindowsIdentity.Impersonate.

First, set the impersonate attribute of the identity element to false, and then set up a context using the WindowsIdentity.Impersonate method, as shown in the following example.

[Visual Basic]
' impersonateToken: an IntPtr access token for the identity to impersonate.
Dim context As WindowsImpersonationContext = _
    WindowsIdentity.Impersonate(impersonateToken)
Try
    ' Perform some action.
Finally
    context.Undo() ' Revert even if the action throws.
End Try
[C#]
WindowsImpersonationContext context = WindowsIdentity.Impersonate(impersonateToken);
try {
    // Perform some action.
} finally {
    context.Undo(); // Revert even if the action throws.
}

Calling context.Undo reverts the thread to the identity it had before the call to Impersonate; if it is skipped, for example because an exception bypassed it, the thread continues to run as the impersonated identity.
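The following is an added example, not code from the original page, showing the scoped impersonation described above from a page's code-behind. It assumes the configuration in the text (authentication mode Windows, impersonate attribute false, so the worker thread normally runs as the application pool account), a hypothetical page class named ReportPage, and a hypothetical file App_Data/report.txt whose NTFS ACL decides who may read it. It impersonates the IIS-authenticated caller only for the file read, uses a using block so that Dispose calls Undo even when the read throws, and turns an access-denied result into a 403 instead of falling back to the pool account.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

// Hypothetical code-behind for ReportPage.aspx. Assumes Web.config contains
// <authentication mode="Windows"/> and <identity impersonate="false"/>.
public partial class ReportPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The identity IIS authenticated and WindowsAuthenticationModule attached
        // to the request inside a WindowsPrincipal.
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            // IIS allowed an anonymous request; refuse rather than read the file
            // as the application pool account.
            Response.StatusCode = 401;
            return;
        }

        // Thread identity before impersonation: the application pool account.
        string before = WindowsIdentity.GetCurrent().Name;
        string during;
        string report;

        try
        {
            // WindowsImpersonationContext is IDisposable and Dispose() calls Undo(),
            // so the thread reverts even if File.ReadAllText throws.
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                // Now the caller's account: the NTFS ACL on report.txt is evaluated
                // against the caller's token, not the pool account's.
                during = WindowsIdentity.GetCurrent().Name;
                report = File.ReadAllText(Server.MapPath("~/App_Data/report.txt")); // hypothetical path
            }
        }
        catch (UnauthorizedAccessException)
        {
            // The ACL denied the caller. The using block has already reverted
            // the thread, so no retry happens under the pool account.
            Response.StatusCode = 403;
            return;
        }

        // Reverted: identical to 'before'.
        string after = WindowsIdentity.GetCurrent().Name;

        Response.ContentType = "text/plain";
        Response.Write("Read as " + during + "; thread was " + before + " and is now " + after + "\r\n");
        Response.Write(report);
    }
}
```

The instance method caller.Impersonate() uses the token IIS supplied for the authenticated user, so no separate IntPtr token is needed; the static WindowsIdentity.Impersonate(IntPtr) overload from the snippet above is for tokens obtained some other way, such as from a Win32 logon call.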

As mentioned earlier, you can implement a custom Windows authorization scheme by using a WindowsAuthentication_OnAuthenticate event handler to create a WindowsPrincipal or a GenericPrincipal object from a WindowsIdentity object. You can then use one of the new objects to implement your own custom authorization scheme. The WindowsPrincipal object maps identities to Windows groups. The default implementation constructs a WindowsPrincipal object and attaches it to the application context.
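The following is an added example, not code from the original page, of the WindowsAuthentication_OnAuthenticate handler described above, written as Global.asax code-behind. The role mapping is a hypothetical stand-in (every authenticated Windows account gets the application role "Reader", members of the local Administrators group also get "Admin"); a real application would consult its own store. It attaches a GenericPrincipal carrying those application roles in place of the default WindowsPrincipal, and leaves anonymous requests to the module's default handling so that no application role is ever granted to an unauthenticated caller.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical Global.asax code-behind. The method name follows ASP.NET's
// WindowsAuthentication_OnAuthenticate auto-wiring convention.
public class Global : HttpApplication
{
    void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs e)
    {
        WindowsIdentity identity = e.Identity;

        // Anonymous request that IIS let through: leave e.User null so the
        // module applies its default principal, and grant no application roles.
        if (identity == null || !identity.IsAuthenticated)
        {
            return;
        }

        // Replace the default WindowsPrincipal with a GenericPrincipal whose roles
        // are application-defined. Subsequent User.IsInRole checks and
        // <authorization> rules then see these roles, not Windows group names.
        string[] roles = LookupApplicationRoles(identity);
        e.User = new GenericPrincipal(identity, roles);
    }

    // Hypothetical mapping from Windows group membership to application roles.
    private static string[] LookupApplicationRoles(WindowsIdentity identity)
    {
        List<string> roles = new List<string>();
        roles.Add("Reader");

        // WindowsPrincipal evaluates group membership against the caller's token.
        WindowsPrincipal windowsPrincipal = new WindowsPrincipal(identity);
        if (windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrators))
        {
            roles.Add("Admin");
        }
        return roles.ToArray();
    }
}
```

Because e.User is only assigned for authenticated identities, the handler fails closed: a request that reaches the application without a Windows identity is treated exactly as it would be without the handler, rather than receiving a principal with roles.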

See Also

ASP.NET Web Application Security | ASP.NET Authentication | WindowsIdentity | WindowsPrincipal | WindowsAuthenticationModule | GenericPrincipal