Windows Authentication

Ask a Question related to ASP.NET Security, Design and Development.

  1. #1

    Windows Authentication

    I have an asp app that will be used primarily within an intranet.
    Windows Authentication seems to work well for this. On occasion a
    user using the app may not be able to authenticate via WA so I would
    like to give them the chance to enter a username/password which can be
    validated another way. Is this possible? Any guidelines for this
    type of implementation?

    TIA
    EricZa Guest

  3. #2

    Windows Authentication

    I am interested in building a site with integrated windows authentication
    using acl groups. Is it possible without having users and roles defined in
    the database or is windows authentication, within asp.net, intended to
    validate the user and pass the user to the defined joined users/roles in the
    db thereby giving certain access to areas of the site?

    Is there any good resources on window authentication and asp.net anyone can
    recommend ?

    Thanks,
    Jeff


    Jeff Robinson Guest

  4. #3

    Re: Windows Authentication

    With ASP.NET, you face a more complicated identity matrix, which is
    described here:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp

    If you want to authenticate your application using windows authentication,
    but have a single account access the database, you can configure IIS to use
    anonymous authentication with a domain account, use windows authentication
    for ASP.NET, and set impersonation to true. As a result, you will be using
    local ACLs to control access to your site, but the domain account that IIS
    is running under any time that you make a request to another server.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    --
    "Jeff Robinson" <jrobinson@tmrx.com> wrote in message
    news:ORizSDuhDHA.2120@TK2MSFTNGP10.phx.gbl...
    > I am interested in building a site with integrated windows authentication
    > using acl groups. Is it possible without having users and roles defined in
    > the database or is windows authentication, within asp.net, intended to
    > validate the user and pass the user to the defined joined users/roles in the
    > db thereby giving certain access to areas of the site?
    >
    > Is there any good resources on window authentication and asp.net anyone can
    > recommend ?
    >
    > Thanks,
    > Jeff
    >
    >

    Chris Jackson Guest

  5. #4

    Re: Windows Authentication

    Additionally, look at this MSDN article:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconTheWindowsAuthenticationProvider.asp

    --
    Ralph Page MBA, CMBA, MCDBA, MCSE, CCNA
    -------------------------------------------------------------------------
    "However beautiful the strategy, you should occasionally look at the
    results."
    -- Winston Churchill
    -------------------------------------------------------------------------
    "Jeff Robinson" <jrobinson@tmrx.com> wrote in message
    news:ORizSDuhDHA.2120@TK2MSFTNGP10.phx.gbl...
    > I am interested in building a site with integrated windows authentication
    > using acl groups. Is it possible without having users and roles defined in
    > the database or is windows authentication, within asp.net, intended to
    > validate the user and pass the user to the defined joined users/roles in the
    > db thereby giving certain access to areas of the site?
    >
    > Is there any good resources on window authentication and asp.net anyone can
    > recommend ?
    >
    > Thanks,
    > Jeff
    >
    >

    Me2 Guest

  6. #5

    Windows Authentication

    Hello all-

    We've been having some issues with Visual Studio .Net
    when using Windows authentication.

    Essentially, we have done three steps.

    1.) Set the ACLs on the folder containing the project
    allowing members of an NT group full control of the
    folder.
    2.) Set the authentication mode in the web.config
    file to be 'windows', and set impersonate equal to true.
    3.) Removed anonymous access from the .Net virtual
    directory, and set Windows authentication within IIS.

    When I run my .Net application with this configuration
    via one of the users in the group, I receive an error
    message stating that I do not have access to the
    requested resource. Adding ASPNET to the ACLs on the
    folder enables the project to load and execute without
    any problems.

    I don't understand why this project is still running
    under the ASPNET user. Shouldn't the impersonation
    combined with the IIS settings cause this application to
    run in the context of the calling user?

    Thanks for your help. I appreciate it.

    Michael Weier
    Team Lead Menlo Worldwide I*Net application development



    Michael Weier Guest

  7. #6

    RE: Windows Authentication

    Hi Michael,

    Based on my research and experience, I would like to share the following
    information with you.

    Enabling Integrated Windows authentication requires restarting of IIS. In
    addition, the identity of the process that impersonates a specific user on
    a thread must have the "Act as part of the operating system" privilege. By
    default, the Aspnet_wp.exe process runs under a computer account named
    ASPNET. On a Windows XP box, this step is not necessary.

    INFO: Implementing impersonation in an ASP.NET
    http://support.microsoft.com/?id=306158

    Best regards,

    Jacob Yang
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.

    Jacob Yang [MSFT] Guest

  8. #7

    Windows Authentication

    I created a database driven web application in asp.net
    (c#). Now I need to create queries on the database, based
    on the groupmembership of the visiting user.
    I can get the login ID of this user by using

    String strUID = Request.ServerVariables["LOGON_USER"];

    now in VBScript I would do something like this

    FUNCTION ISMEMBER(sGroup)
        Dim UserObj, GroupObj
        ' Build the group dictionary once, on the first call
        if IsEmpty(GroupDict) then
            Set GroupDict = CreateObject("Scripting.Dictionary")
            GroupDict.CompareMode = vbTextCompare
            Set UserObj = GetObject("WinNT://" & UserDomain & "/" & UserLogonID)
            for each GroupObj in UserObj.Groups
                GroupDict.Add GroupObj.Name, "-"
            next
            set UserObj = Nothing
        end if
        IsMember = CBool(GroupDict.exists(sGroup))
    end function

    A call to the function would look like this.....

    if IsMember("Internet_Users") then
        <your code here>
    end if

    Is there a way to do this in ASp.Net using C#??
    please help I need an answer urgently.

    thanks in advance
    Erik
    Erik van Kruiselbergen Guest

  9. #8

    Re: Windows Authentication

    Hi Erik,

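    protected void GetUserMembership(string group)
    {
        // Get user information (identity is defined in the follow-up post)
        WindowsPrincipal principal = new WindowsPrincipal(identity);

        // Send users who are not in the group to the denial page
        if (!principal.IsInRole(group))
        {
            this.Response.Redirect("Denied.aspx");
        }
    }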

    HTH,

    Todd Thompson
    tlthompson@west.com Guest

  10. #9

    Re: Windows Authentication

    Sorry,

    Forgot to include the definition of the variable identity.

    protected WindowsIdentity identity = WindowsIdentity.GetCurrent();

    HTH,

    Todd
    tlthompson@west.com Guest

  11. #10

    Windows Authentication

    When our staff are logged into a computer on our domain, they're still
    prompted for their domain login and password to get into our ASP.NET
    application in Internet Explorer when using Windows Authentication. Is it
    possible to leverage the windows authentication from the pc on the domain??

    Thanks in advance.
    Mark


    Mark Guest

  12. #11

    RE: Windows Authentication

    Mark,

    Does the URL they are using to get to the ASP.NET app contain any dots? If
    it does, Internet Explorer will see it as an Internet Zone address and not
    a Local Intranet Zone address. By default, Internet Explorer will not
    automatically pass credentials on an Internet Zone address.

    To resolve that, you will either need to add that domain to the Trusted
    Sites, or change IE to automatically log on. The former is a better option.

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET
    jamesche@online.microsoft.com

    This post is provided as-is with no warranties and confers no rights.

    --------------------
    >From: "Mark" <mfield@idonotlikespam.cce.umn.edu>
    >Subject: Windows Authentication
    >Date: Mon, 8 Dec 2003 12:37:05 -0600
    >
    >When our staff are logged into a computer on our domain, they're still
    >prompted for their domain login and password to get into our ASP.NET
    >application in Internet Explorer when using Windows Authentication. Is it
    >possible to leverage the windows authentication from the pc on the domain??
    >
    >Thanks in advance.
    >Mark
    >
    >
    >
    Jim Cheshire [MSFT] Guest

  13. #12

    Windows Authentication

    When our staff are logged into a computer on our domain, they're still
    prompted for their domain login and password to get into our ASP.NET
    application in Internet Explorer when using Windows Authentication. Is it
    possible to leverage the windows authentication from a client pc that is
    already on the domain and authenticated??

    Thanks in advance.
    Mark


    Mark Guest

  14. #13

    windows authentication

    I'm having problems setting up a web application up to only allow access to
    users in a specific Windows group:

    <authentication mode="Windows"/>
    <authorization>
        <deny users="?"/>
        <allow roles="GroupToAllow"/>
        <deny users="*"/>
    </authorization>

    where "GroupToAllow" is the Windows 2000 group containing all users that are
    able to access the application.

    It appears that I need to specify a domain name as well though no domain
    exists as it's on a standalone server. I've tried the following

    <allow roles="MACHINENAME\GroupToAllow"/>

    but still the same problem.

    Is there a solution? If not then I think I can get away checking whether the
    user belongs to a Windows 2000 group at runtime in the page_load event
    handler though don't know whether this is possible in .NET. Any ideas where
    I can start looking?

    Wayne.


    wh Guest

  15. #14

    RE: Windows Authentication

    Hello Mark,
    It doesn't sound like Windows Integrated Authentication is enabled on the
    website. Please check that in IIS and let me know if this makes a
    difference.

    Thank you,
    John Soulis
    Microsoft, ASP.NET

    This posting is provided "AS IS", with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm

    John Soulis [MSFT] Guest

  16. #15

    windows authentication

    Try this :-

    <authentication mode="Windows"/>
    <authorization>
        <allow roles="MACHINENAME\GroupToAllow"/>
        <deny users="*"/>
    </authorization>

    - Paul Glavich
    >-----Original Message-----
    >I'm having problems setting up a web application up to only allow access to
    >users in a specific Windows group:
    >
    > <authentication mode="Windows"/>
    > <authorization>
    > <deny users="?"/>
    > <allow roles="GroupToAllow"/>
    > <deny users="*"/>
    > </authorization>
    >
    >where "GroupToAllow" is the Windows 2000 group containing all users that are
    >able to access the application.
    >
    >It appears that I need to specify a domain name as well though no domain
    >exists as it's on a standalone server. I've tried the following
    >
    > <allow roles="MACHINENAME\GroupToAllow"/>
    >
    >but still the same problem.
    >
    >Is there a solution? If not then I think I can get away checking whether the
    >user belongs to a Windows 2000 group at runtime in the page_load event
    >handler though don't know whether this is possible in .NET. Any ideas where
    >I can start looking?
    >
    >Wayne.
    >
    >
    >.
    >
    Paul Glavich Guest

  17. #16

    Re: windows authentication

    I had a similar problem using "User.isInRole" until I used "BUILTIN" as the
    domain for local groups, as in "BUILTIN\Group Name". Doesn't seem logical,
    since these groups aren't "built in" but are local groups I created, but it
    works. Using MACHINENAME did not.


    Harry Poulter


    "wh" <wayne@nospam.pyesmeadow.com> wrote in message
    news:br9m10$57v$1@news.freedom2surf.net...
    > I'm having problems setting up a web application up to only allow access to
    > users in a specific Windows group:
    >
    > <authentication mode="Windows"/>
    > <authorization>
    > <deny users="?"/>
    > <allow roles="GroupToAllow"/>
    > <deny users="*"/>
    > </authorization>
    >
    > where "GroupToAllow" is the Windows 2000 group containing all users that are
    > able to access the application.
    >
    > It appears that I need to specify a domain name as well though no domain
    > exists as it's on a standalone server. I've tried the following
    >
    > <allow roles="MACHINENAME\GroupToAllow"/>
    >
    > but still the same problem.
    >
    > Is there a solution? If not then I think I can get away checking whether the
    > user belongs to a Windows 2000 group at runtime in the page_load event
    > handler though don't know whether this is possible in .NET. Any ideas where
    > I can start looking?
    >
    > Wayne.
    >
    >

    Harry Poulter Guest
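
For the MACHINENAME\ versus BUILTIN\ question in posts #13 to #16, it helps to print the qualified names the caller's token actually carries and copy the right one into `<allow roles="..."/>` or `IsInRole`. The handler below is an added example, not code from any poster; the class name and the idea of exposing it as ListGroups.ashx are assumptions, and it needs .NET Framework 2.0 or later for `WindowsIdentity.Groups`.

```csharp
using System.Security.Principal;
using System.Web;

// Added example: hypothetical troubleshooting handler (e.g. ListGroups.ashx).
public class ListGroupsHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // Only a Windows-authenticated request carries a token with group SIDs.
        WindowsIdentity caller =
            context.User == null ? null : context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.Write("No Windows identity on this request.\r\n");
            return;
        }

        context.Response.Write("Caller: " + caller.Name + "\r\n");

        // Each entry is a group SID from the caller's token.
        foreach (IdentityReference sid in caller.Groups)
        {
            string name;
            try
            {
                // Resolve the SID to its qualified account name (PREFIX\Group).
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // Orphaned or unresolvable SID: show it without a name.
                name = "(unresolved)";
            }
            context.Response.Write(sid.Value + "  " + name + "\r\n");
        }
    }
}
```

The prefix printed in front of the group is the one the role string has to use. Remove the handler once the name is known, since it discloses each caller's group memberships.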

  18. #17

    windows authentication

    Hi,

    I am new in ASP.NET and would like to know how to do
    Windows authentication.

    I read somewhere in MSDN about windows authentication in
    ASP.NET by doing the following:
    1. In web.config, set <authentication mode="Windows">
    2. In IIS directory security tab for my virtual
    directory, I did check only integrated windows
    authentication.
    3. In the folder where my index.aspx is, I give
    permission for certain folks.

    What I'd like to do is whenever a user request
    index.aspx, index.aspx will print "Hello, \\DOMAIN\USER"
    if the user is a valid user in my domain or will
    print "Sorry, \\DOMAIN\USER is not authorized to access
    this page."

    Please advise, thanks!
    -Paul

    Paul Guest

  19. #18

    Re: windows authentication

    You should be able to do the "Hello Domain\User" thing by using
    Context.User.Identity.Name. With Windows authentication, Context.User
    contains a WindowsPrincipal object whose Identity member will have the Name
    property in "Domain\User" format.

    To do the deny access thing, if you ACL the file at the file system level,
    you'll get a 401 error. Also, if you use the UrlAuthorizationModule (the
    allow and deny tags in the config file), you'll get a 401 also. If you want
    to do something custom, you probably want to do that in your page logic.
    You could do that with some logic based on the Context.User property in your
    Page Load event.

    Joe K.

    "Paul" <anonymous@discussions.microsoft.com> wrote in message
    news:075001c3da39$149cd780$a101280a@phx.gbl...
    > Hi,
    >
    > I am new in ASP.NET and would like to know how to do
    > Windows authentication.
    >
    > I read somewhere in MSDN about windows authentication in
    > ASP.NET by doing the following:
    > 1. In web.config, set <authentication mode="Windows">
    > 2. In IIS directory security tab for my virtual
    > directory, I did check only integrated windows
    > authentication.
    > 3. In the folder where my index.aspx is, I give
    > permission for certain folks.
    >
    > What I'd like to do is whenever a user request
    > index.aspx, index.aspx will print "Hello, \\DOMAIN\USER"
    > if the user is a valid user in my domain or will
    > print "Sorry, \\DOMAIN\USER is not authorized to access
    > this page."
    >
    > Please advise, thanks!
    > -Paul
    >

    Joe Kaplan \(MVP - ADSI\) Guest
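
The group check asked for in posts #7 to #9 and the custom "Hello" / "Sorry" response discussed in posts #17 and #18 can be combined in one handler, shown here as an added example that is not code from any poster. The class name, the WhoAmI.ashx registration and the `DOMAIN\Internet_Users` group are assumptions. It checks membership on `Context.User` (the authenticated caller) and prints `WindowsIdentity.GetCurrent()` separately, because the latter is the account the code executes as and matches the caller only while impersonation is in effect.

```csharp
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added example: hypothetical handler (e.g. WhoAmI.ashx), not code from the thread.
public class WhoAmIHandler : IHttpHandler
{
    // Assumed group name; replace DOMAIN with the real domain or machine name.
    private const string RequiredGroup = @"DOMAIN\Internet_Users";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        IPrincipal caller = context.User; // populated by Windows authentication

        // Fail closed: a missing or anonymous principal means the request
        // reached ASP.NET without being authenticated by IIS.
        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            Deny(context, 401, "Sorry, you are not authenticated.");
            return;
        }

        // Group check against the caller's own token, not the process token.
        if (!caller.IsInRole(RequiredGroup))
        {
            Deny(context, 403, "Sorry, " + caller.Identity.Name +
                " is not authorized to access this page.");
            return;
        }

        // The account the code executes as: the caller when
        // <identity impersonate="true"/> applies, otherwise the worker
        // process account (ASPNET by default, as noted in post #6).
        WindowsIdentity executing = WindowsIdentity.GetCurrent();

        Line(context, "Hello, " + caller.Identity.Name);
        Line(context, "Authentication type: " + caller.Identity.AuthenticationType);
        Line(context, "LOGON_USER: " + context.Request.ServerVariables["LOGON_USER"]);
        Line(context, "Thread principal: " + Thread.CurrentPrincipal.Identity.Name);
        Line(context, "Executing as: " + executing.Name);
    }

    private static void Deny(HttpContext context, int status, string message)
    {
        context.Response.StatusCode = status;
        Line(context, message);
    }

    private static void Line(HttpContext context, string text)
    {
        context.Response.Write(text + "\r\n");
    }
}
```

If "Executing as" shows the worker process account while "Hello" shows the domain user, file and database access is being made as the process account and its ACLs are the ones that apply.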

  20. #19

    Windows Authentication

    Hi all,
    We have a root web site which has windows integrated authentication.

    Now we have a new virtual directory which has a form authentication. But the
    virtual directory does not have windows integrated authentication it has just
    anonymous access.

    But even after giving that still its popping up the Windows Authentication.
    After pressing cancel button we get the virtual folder.

    We don't want the Windows Authentication window to popup.
    Thanks
    Arvind.


    Arvind P Rangan Guest

  21. #20

    Re: Windows Authentication

    Check if your pages refer external files outside the virtual dir.

    HtH,
    Andrea

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Arvind P Rangan" <arvind99@hotmail.com> wrote in message
    news:elOrtnqAEHA.3016@TK2MSFTNGP09.phx.gbl...
    > Hi all,
    > We have a root web site which has windows integrated authentication.
    >
    > Now we have a new virtual directory which has a form authentication. But the
    > virtual directory does not have windows integrated authentication it has just
    > anonymous access.
    >
    > But even after giving that still its popping up the Windows Authentication.
    > After pressing cancel button we get the virtual folder.
    >
    > We don't want the Windows Authentication window to popup.
    > Thanks
    > Arvind.
    >
    >

    Andrea D'Onofrio [MSFT] Guest
