Intranet and Integrated Windows Authentication

[Andrew]

Hey all,



I would like to preface my question by stating I am still learning ASP.net
and while I am confident in the basics and foundation, the more advanced
stuff is still a challenge. Ok. :)



We are looking at redoing our entire Intranet, starting over from scratch,
as a .Net website. Our current site has two separate sides, a public side
for all viewers, and a secure side for those granted permission can access
apps to update web info, databases, etc. In moving to .Net we would like to
use Integrated Windows Authentication with our pages. We will be putting
the Intranet server under a Domain Controller where the users and user info
will be pulled from.



We would like to have the pages similar to what you would see on eBay, or
Amazon, or any number of Blog sites. That is, you can surf and view and
bounce around all the pages, but unless you log in you cannot view your
personal information. However, if you do log in, the public pages take on
new buttons or links because those pages know who you are. In essence, the
public side and secure side merge into one, and page items turn on or off
depending on your logged in status.



I have Google'd on "integrated windows authentication" and, of course, have
found numerous websites. It is almost overwhelming. I found a few good
articles here:



Active Directory Authentication from ASP .NET

[url]http://msdn.microsoft.com/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp[/url]



Securing an ASP.Net application...

[url]http://www.dotnetjohn.com/articles.aspx?articleid=19[/url]



HOW TO: Authenticate against the Active Directory by Using Forms
Authentication and Visual Basic .NET

[url]http://support.microsoft.com/default.aspx?scid=kb;en-us;326340[/url]



Developing Secure Web Sites with ASP.NET and IIS

[url]http://www.c-sharpcorner.com/Code/2003/March/SecureSiteWithASPNET.asp[/url]



Windows Authentication in ASP.NET

[url]http://www.dotnetbips.com/displayarticle.aspx?id=10[/url]



(Joe Kaplan (MVP - ADSI), if you read this, I also saw your postings
recently on somewhat this subject in this newsgroup.)



I am still having trouble interpreting and understanding all this
information and now look to some of you to help possible translate it into
English. The last URL above provided an example that shows how to use
System.Security.Principal to determine the user name and authenticated
status (which I have tested successfully). But this just pulls from the
system when the user logged in after turning on the PC. The other URL's
state that in an Intranet environment, IAW is the thing to use - which is
where this is going. But I need to offer the ability for a user to log in
and log out, and when not logged in they are set as "anonymous" - not just
automatically pull system info. So this seems I need to use Forms
Authentication? Looking at examples of Forms Authentication, at my level of
experience, are quite long, involved, and a bit over my head in their
explanations. Do I use one over the other? Both together? Help?



So, I am asking for some help here in understanding the .Net techniques to
develop a website that uses Integrated Windows Authentication (using Active
Directory from a Domain Controller) to authenticate users, but requires
users to log in, and allows them to log out. I can control the visual
changes on the page(s), I just need help on the log-in/log-out, security,
authentication part of it.



Your comments, suggestions, tips, and other input are gladly accepted and
appreciated. Oh, and in VB.net if possible please, though I turn away
nothing. :)



-- Andrew

[Joe H]

how about turning on Integrated Windows Authentication. and then maintain a
user-list to the resources in the site that you require special access to?
this can be done on a page basis, or a function basis, or a "role" basis,
etc...

since this is an "intranet" the word "public" does not have the same
meaning, right? in other words, everybody on your network accessing your
intranet should be in active directory. and should therefore be accounted
for when they access ANY part of your intranet site.


"Andrew" <AndrewR2k1@hotmail.com> wrote in message
news:uEPoX6HWEHA.3024@TK2MSFTNGP09.phx.gbl...

> Hey all,
>
>
>
> I would like to preface my question by stating I am still learning ASP.net
> and while I am confident in the basics and foundation, the more advanced
> stuff is still a challenge. Ok. :)
>
>
>
> We are looking at redoing our entire Intranet, starting over from scratch,
> as a .Net website. Our current site has two separate sides, a public side
> for all viewers, and a secure side for those granted permission can access
> apps to update web info, databases, etc. In moving to .Net we would like

to

> use Integrated Windows Authentication with our pages. We will be putting
> the Intranet server under a Domain Controller where the users and user

info

> will be pulled from.
>
>
>
> We would like to have the pages similar to what you would see on eBay, or
> Amazon, or any number of Blog sites. That is, you can surf and view and
> bounce around all the pages, but unless you log in you cannot view your
> personal information. However, if you do log in, the public pages take on
> new buttons or links because those pages know who you are. In essence,

the

> public side and secure side merge into one, and page items turn on or off
> depending on your logged in status.
>
>
>
> I have Google'd on "integrated windows authentication" and, of course,

have

> found numerous websites. It is almost overwhelming. I found a few good
> articles here:
>
>
>
> Active Directory Authentication from ASP .NET
>
>

[url]http://msdn.microsoft.com/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp[/url]

>
>
>
> Securing an ASP.Net application...
>
> [url]http://www.dotnetjohn.com/articles.aspx?articleid=19[/url]
>
>
>
> HOW TO: Authenticate against the Active Directory by Using Forms
> Authentication and Visual Basic .NET
>
> [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;326340[/url]
>
>
>
> Developing Secure Web Sites with ASP.NET and IIS
>
> [url]http://www.c-sharpcorner.com/Code/2003/March/SecureSiteWithASPNET.asp[/url]
>
>
>
> Windows Authentication in ASP.NET
>
> [url]http://www.dotnetbips.com/displayarticle.aspx?id=10[/url]
>
>
>
> (Joe Kaplan (MVP - ADSI), if you read this, I also saw your postings
> recently on somewhat this subject in this newsgroup.)
>
>
>
> I am still having trouble interpreting and understanding all this
> information and now look to some of you to help possible translate it into
> English. The last URL above provided an example that shows how to use
> System.Security.Principal to determine the user name and authenticated
> status (which I have tested successfully). But this just pulls from the
> system when the user logged in after turning on the PC. The other URL's
> state that in an Intranet environment, IAW is the thing to use - which is
> where this is going. But I need to offer the ability for a user to log in
> and log out, and when not logged in they are set as "anonymous" - not just
> automatically pull system info. So this seems I need to use Forms
> Authentication? Looking at examples of Forms Authentication, at my level

of

> experience, are quite long, involved, and a bit over my head in their
> explanations. Do I use one over the other? Both together? Help?
>
>
>
> So, I am asking for some help here in understanding the .Net techniques to
> develop a website that uses Integrated Windows Authentication (using

Active

> Directory from a Domain Controller) to authenticate users, but requires
> users to log in, and allows them to log out. I can control the visual
> changes on the page(s), I just need help on the log-in/log-out, security,
> authentication part of it.
>
>
>
> Your comments, suggestions, tips, and other input are gladly accepted and
> appreciated. Oh, and in VB.net if possible please, though I turn away
> nothing. :)
>
>
>
> -- Andrew
>
>

[Joe Kaplan \(MVP - ADSI\)]

I like this idea.

Another thing you could do if you absolutely need authenticated and
anonymous parts of the site AND want to use WIA is put the authenticated
parts of the site in a different vroot with anonymous access turned off.

If you absolutely must mix and match anonymous and authenticated, then you
might be able to do something like have two different copies of the site,
one if a vroot that allows anonymous and one in a vroot that requires
authentication. In your application, you use use the Context.User property
to determine whether the current user is authenticated or not and whether
they are in certain Windows groups and control the rendering of your pages
accordingly. It is very likely you could make both versions of the
application be identical which would make deployment much easier. The app
would simply decide what stuff to render dynamically at runtime.

Still, it seems like it would be much easier to simply make the whole site
be authenticated.

Joe K.

"Joe H" <jharri@hotmail.com> wrote in message
news:em5trvTWEHA.2844@TK2MSFTNGP11.phx.gbl...

> how about turning on Integrated Windows Authentication. and then maintain

a

> user-list to the resources in the site that you require special access to?
> this can be done on a page basis, or a function basis, or a "role" basis,
> etc...
>
> since this is an "intranet" the word "public" does not have the same
> meaning, right? in other words, everybody on your network accessing your
> intranet should be in active directory. and should therefore be accounted
> for when they access ANY part of your intranet site.
>
>
> "Andrew" <AndrewR2k1@hotmail.com> wrote in message
> news:uEPoX6HWEHA.3024@TK2MSFTNGP09.phx.gbl...

> > Hey all,
> >
> >
> >
> > I would like to preface my question by stating I am still learning

ASP.net

> > and while I am confident in the basics and foundation, the more advanced
> > stuff is still a challenge. Ok. :)
> >
> >
> >
> > We are looking at redoing our entire Intranet, starting over from

scratch,

> > as a .Net website. Our current site has two separate sides, a public

side

> > for all viewers, and a secure side for those granted permission can

access

> > apps to update web info, databases, etc. In moving to .Net we would

like

> to

> > use Integrated Windows Authentication with our pages. We will be

putting

> > the Intranet server under a Domain Controller where the users and user

> info

> > will be pulled from.
> >
> >
> >
> > We would like to have the pages similar to what you would see on eBay,

or

> > Amazon, or any number of Blog sites. That is, you can surf and view and
> > bounce around all the pages, but unless you log in you cannot view your
> > personal information. However, if you do log in, the public pages take

on

> > new buttons or links because those pages know who you are. In essence,

> the

> > public side and secure side merge into one, and page items turn on or

off

> > depending on your logged in status.
> >
> >
> >
> > I have Google'd on "integrated windows authentication" and, of course,

> have

> > found numerous websites. It is almost overwhelming. I found a few good
> > articles here:
> >
> >
> >
> > Active Directory Authentication from ASP .NET
> >
> >

>

[url]http://msdn.microsoft.com/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp[/url]

> >
> >
> >
> > Securing an ASP.Net application...
> >
> > [url]http://www.dotnetjohn.com/articles.aspx?articleid=19[/url]
> >
> >
> >
> > HOW TO: Authenticate against the Active Directory by Using Forms
> > Authentication and Visual Basic .NET
> >
> > [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;326340[/url]
> >
> >
> >
> > Developing Secure Web Sites with ASP.NET and IIS
> >
> > [url]http://www.c-sharpcorner.com/Code/2003/March/SecureSiteWithASPNET.asp[/url]
> >
> >
> >
> > Windows Authentication in ASP.NET
> >
> > [url]http://www.dotnetbips.com/displayarticle.aspx?id=10[/url]
> >
> >
> >
> > (Joe Kaplan (MVP - ADSI), if you read this, I also saw your postings
> > recently on somewhat this subject in this newsgroup.)
> >
> >
> >
> > I am still having trouble interpreting and understanding all this
> > information and now look to some of you to help possible translate it

into

> > English. The last URL above provided an example that shows how to use
> > System.Security.Principal to determine the user name and authenticated
> > status (which I have tested successfully). But this just pulls from the
> > system when the user logged in after turning on the PC. The other URL's
> > state that in an Intranet environment, IAW is the thing to use - which

is

> > where this is going. But I need to offer the ability for a user to log

in

> > and log out, and when not logged in they are set as "anonymous" - not

just

> > automatically pull system info. So this seems I need to use Forms
> > Authentication? Looking at examples of Forms Authentication, at my

level

> of

> > experience, are quite long, involved, and a bit over my head in their
> > explanations. Do I use one over the other? Both together? Help?
> >
> >
> >
> > So, I am asking for some help here in understanding the .Net techniques

to

> > develop a website that uses Integrated Windows Authentication (using

> Active

> > Directory from a Domain Controller) to authenticate users, but requires
> > users to log in, and allows them to log out. I can control the visual
> > changes on the page(s), I just need help on the log-in/log-out,

security,

> > authentication part of it.
> >
> >
> >
> > Your comments, suggestions, tips, and other input are gladly accepted

and

> > appreciated. Oh, and in VB.net if possible please, though I turn away
> > nothing. :)
> >
> >
> >
> > -- Andrew
> >
> >

>
>

[Andrew]

Joe,

I have gotten a little further on this project....but ran into a problem.
If you could check out my most recent post in this newsgroup titled "Problem
querying LDAP and/or Active Directory" I sure would be grateful. You seem
to have a good grip on this subject, and your input may go a long way.

-- Andrew

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:u0cDCHUWEHA.2816@TK2MSFTNGP11.phx.gbl...

> I like this idea.
>
> Another thing you could do if you absolutely need authenticated and
> anonymous parts of the site AND want to use WIA is put the authenticated
> parts of the site in a different vroot with anonymous access turned off.
>
> If you absolutely must mix and match anonymous and authenticated, then you
> might be able to do something like have two different copies of the site,
> one if a vroot that allows anonymous and one in a vroot that requires
> authentication. In your application, you use use the Context.User

property

> to determine whether the current user is authenticated or not and whether
> they are in certain Windows groups and control the rendering of your pages
> accordingly. It is very likely you could make both versions of the
> application be identical which would make deployment much easier. The app
> would simply decide what stuff to render dynamically at runtime.
>
> Still, it seems like it would be much easier to simply make the whole site
> be authenticated.
>
> Joe K.
>
> "Joe H" <jharri@hotmail.com> wrote in message
> news:em5trvTWEHA.2844@TK2MSFTNGP11.phx.gbl...

> > how about turning on Integrated Windows Authentication. and then

maintain

> a

> > user-list to the resources in the site that you require special access

to?

> > this can be done on a page basis, or a function basis, or a "role"

basis,

> > etc...
> >
> > since this is an "intranet" the word "public" does not have the same
> > meaning, right? in other words, everybody on your network accessing

your

> > intranet should be in active directory. and should therefore be

accounted

> > for when they access ANY part of your intranet site.
> >
> >
> > "Andrew" <AndrewR2k1@hotmail.com> wrote in message
> > news:uEPoX6HWEHA.3024@TK2MSFTNGP09.phx.gbl...

> > > Hey all,
> > >
> > >
> > >
> > > I would like to preface my question by stating I am still learning

> ASP.net

> > > and while I am confident in the basics and foundation, the more

advanced

> > > stuff is still a challenge. Ok. :)
> > >
> > >
> > >
> > > We are looking at redoing our entire Intranet, starting over from

> scratch,

> > > as a .Net website. Our current site has two separate sides, a public

> side

> > > for all viewers, and a secure side for those granted permission can

> access

> > > apps to update web info, databases, etc. In moving to .Net we would

> like

> > to

> > > use Integrated Windows Authentication with our pages. We will be

> putting

> > > the Intranet server under a Domain Controller where the users and user

> > info

> > > will be pulled from.
> > >
> > >
> > >
> > > We would like to have the pages similar to what you would see on eBay,

> or

> > > Amazon, or any number of Blog sites. That is, you can surf and view

and

> > > bounce around all the pages, but unless you log in you cannot view

your

> > > personal information. However, if you do log in, the public pages

take

> on

> > > new buttons or links because those pages know who you are. In

essence,

> > the

> > > public side and secure side merge into one, and page items turn on or

> off

> > > depending on your logged in status.
> > >
> > >
> > >
> > > I have Google'd on "integrated windows authentication" and, of course,

> > have

> > > found numerous websites. It is almost overwhelming. I found a few

good

> > > articles here:
> > >
> > >
> > >
> > > Active Directory Authentication from ASP .NET
> > >
> > >

> >

>

[url]http://msdn.microsoft.com/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp[/url]

> > >
> > >
> > >
> > > Securing an ASP.Net application...
> > >
> > > [url]http://www.dotnetjohn.com/articles.aspx?articleid=19[/url]
> > >
> > >
> > >
> > > HOW TO: Authenticate against the Active Directory by Using Forms
> > > Authentication and Visual Basic .NET
> > >
> > > [url]http://support.microsoft.com/default.aspx?scid=kb;en-us;326340[/url]
> > >
> > >
> > >
> > > Developing Secure Web Sites with ASP.NET and IIS
> > >
> > > [url]http://www.c-sharpcorner.com/Code/2003/March/SecureSiteWithASPNET.asp[/url]
> > >
> > >
> > >
> > > Windows Authentication in ASP.NET
> > >
> > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=10[/url]
> > >
> > >
> > >
> > > (Joe Kaplan (MVP - ADSI), if you read this, I also saw your postings
> > > recently on somewhat this subject in this newsgroup.)
> > >
> > >
> > >
> > > I am still having trouble interpreting and understanding all this
> > > information and now look to some of you to help possible translate it

> into

> > > English. The last URL above provided an example that shows how to use
> > > System.Security.Principal to determine the user name and authenticated
> > > status (which I have tested successfully). But this just pulls from

the

> > > system when the user logged in after turning on the PC. The other

URL's

> > > state that in an Intranet environment, IAW is the thing to use - which

> is

> > > where this is going. But I need to offer the ability for a user to

log

> in

> > > and log out, and when not logged in they are set as "anonymous" - not

> just

> > > automatically pull system info. So this seems I need to use Forms
> > > Authentication? Looking at examples of Forms Authentication, at my

> level

> > of

> > > experience, are quite long, involved, and a bit over my head in their
> > > explanations. Do I use one over the other? Both together? Help?
> > >
> > >
> > >
> > > So, I am asking for some help here in understanding the .Net

techniques

> to

> > > develop a website that uses Integrated Windows Authentication (using

> > Active

> > > Directory from a Domain Controller) to authenticate users, but

requires

> > > users to log in, and allows them to log out. I can control the visual
> > > changes on the page(s), I just need help on the log-in/log-out,

> security,

> > > authentication part of it.
> > >
> > >
> > >
> > > Your comments, suggestions, tips, and other input are gladly accepted

> and

> > > appreciated. Oh, and in VB.net if possible please, though I turn away
> > > nothing. :)
> > >
> > >
> > >
> > > -- Andrew
> > >
> > >

> >
> >

>
>