Patrick.O.Ige

Knowledge Creation is Essential to Business, and Communication is Essential to Knowledge Creation

In an increasing number of the web applications that I have had to design and work on, the ideal is the best of both worlds when it comes to authentication. Ideally, they would like their intranet users to be able to log on to the system seamlessly (Windows integrated authentication) and to have authorization decisions made based on their domain roles or groups.

First, let's see how easy it is to enable Windows Authentication:

  • When creating the virtual directory using the IIS MMC snap-in, ensure that 'Anonymous Access' is disabled (not checked) and that 'Integrated Windows Authentication' is checked/enabled. That enables Windows Authentication for the virtual directory. To confirm that you are using Windows authentication, paste <%= User.Identity.Name %> into a new or existing ASP.NET page in that virtual directory. You should see the LOGON_USER on the page, for example DOMAINNAME\UserName in a domain environment.

  • We also need to ensure that the Web.Config file of our Windows authentication entry point application is set up correctly. Below is a sample of a Web.Config file. The important part is the 'authentication' element. It must have its 'mode' set to 'Windows' (the value is case-sensitive).

    <system.web>
    .....
    <authentication mode="Windows" />
    .....
    </system.web>
  • The next thing we are going to look at is how to implement the role-based functionality. For that we need access to a Windows principal with roles, and we will need to use impersonation. Impersonation is disabled by default. If impersonation is enabled for a given application, ASP.NET always impersonates the access token that IIS provides to ISAPI extensions.

  • After going through both links above you should be able to understand how we can implement role-based Windows Authentication using the IsInRole method of the WindowsPrincipal class.

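Here is a small code snippet showing how to use the IsInRole method.

First we have to import System.Security.Principal into our application, then in Page_Load:

    Imports System.Security.Principal

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        ' Build a principal from the identity the request thread is running as
        ' (the logged-on user once impersonation is enabled)
        Dim wp As New WindowsPrincipal(WindowsIdentity.GetCurrent())

        If wp.IsInRole("Domain\Group1") Then
            ' Member of Domain\Group1: page redirected
            Response.Redirect("group1.aspx")
        ElseIf wp.IsInRole("Domain\Group2") Then
            ' Member of Domain\Group2: page redirected
            Response.Redirect("Group2.aspx")
        Else
            ' Member of neither group
            Response.Redirect("NoGroup.aspx")
        End If
    End Sub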

As you can see, the code above uses the IsInRole method to check the domain groups one after another, so if a user belongs to Domain\Group1 he is redirected to the group1.aspx page.

IsInRole returns true if the current principal is a member of the specified domain group; otherwise, false.

One last thing you mustn't forget is to enable impersonation in your Web.Config, as I explained above, by pasting

<identity impersonate="true"/>

into your web.config file. Without it, WindowsIdentity.GetCurrent() returns the account the ASP.NET worker process runs as rather than the user who logged in, so IsInRole returns false for the user's groups and the user is redirected to the NoGroup.aspx page instead of the page for his group.
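The redirect in Page_Load only routes users; it does not stop someone from requesting group1.aspx or Group2.aspx directly. One way to enforce the same groups on the destination pages is ASP.NET URL authorization, shown here as an added example that is not part of the original post (it reuses the post's placeholder names Domain\Group1, Domain\Group2, group1.aspx and Group2.aspx):

```xml
<!-- Added example, not from the original post.
     Group and page names are the placeholders used in the post. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <!-- Application default: reject anonymous requests,
         allow any authenticated Windows user (e.g. to reach NoGroup.aspx) -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top-down and the first match wins:
       members of Domain\Group1 are allowed, everyone else is denied. -->
  <location path="group1.aspx">
    <system.web>
      <authorization>
        <allow roles="Domain\Group1" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Same pattern for the second group's page -->
  <location path="Group2.aspx">
    <system.web>
      <authorization>
        <allow roles="Domain\Group2" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With these rules a user who is not in the matching group is refused by ASP.NET before the page runs, whether they arrive through the redirect or by typing the URL.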

I recommend you read the article "Authentication in ASP.NET: .NET Security Guidance" for further info.

Enjoy!

posted on Saturday, April 28, 2007 9:50 AM

Feedback

# re: How to configure and implement a Role based Windows Authentication 4/28/2007 9:51 AM Seeker76006

This is a great site for explaining things. Used it for Active Directory and how to understand it

# re: How to configure and implement a Role based Windows Authentication 8/13/2009 11:33 AM web development company
Thanks, there is a site called w3 school that explains a lot about these. Think it's a good idea to look at that site as well.
