Windows Authentication Provider in ASP.NET

Applies To: Windows Server 2003 R2, Windows Server 2003 with SP1

The WindowsAuthenticationModule provider relies on Internet Information Services (IIS) to provide authenticated users, using any of the mechanisms that IIS supports. If you want to help protect site security with a minimum of ASP.NET coding, this is the provider configuration you should use. The provider module constructs a WindowsIdentity object. The default implementation constructs a WindowsPrincipal object and attaches it to the application context. The WindowsPrincipal object maps identities to Windows groups.

If you use IIS authentication, the provider module uses the authenticated identity passed in from IIS. IIS authenticates the identity using basic, digest, or Integrated Windows authentication, or some combination of them. You can use impersonation and NTFS ACL permissions to restrict or allow access to protected resources.

An important reason to use the WindowsAuthenticationModule provider is to implement an impersonation scheme that can use any of the authentication methods that might have already been performed by IIS before passing the request to the ASP.NET application. To do this, set the authentication mode to Windows, and confirm that the impersonate element is set to true, as shown in the following example:

<authentication mode="Windows"/>
<identity impersonate="true"/>

Note that configuring an ASP.NET application has no effect on the IIS Directory Security settings. The systems are completely independent and are applied in sequence. In addition to selecting an authentication mode for an ASP.NET application, it is also important to configure IIS authentication appropriately.

Next, you must set the NTFS ACLs to allow access only to the proper identities.

Related Information

• Overview of ASP.NET Security