Suggested Videos
Part 84 - Application pools in IIS Security
Part 85 - Anonymous authentication
Part 86 - Anonymous authentication and asp.net impersonation
In Parts 85 and 86 of this video series, we discussed anonymous authentication. Anonymous authentication is fine for web sites that contain only public information that everyone can see. However, if the web site contains private information or performs tasks such as booking tickets or placing orders, then users need to be authenticated and authorised.
In this session, we will discuss authenticating users using Windows authentication. Security for an ASP.NET web application can be configured in two places: in IIS and in the application itself.
Windows authentication identifies and authorizes users based on the server's user list. Access to resources on the server is then granted or denied based on the user account's privileges.
Windows authentication is best suited for intranet web applications.
The advantage of Windows authentication is that the web application can use the exact same security scheme that applies to your corporate network: user names, passwords, and permissions are the same for network resources and web applications.
We will use the same project that we worked with in Part 86.
To enable Windows authentication in IIS:
1. Open IIS (type INETMGR in the Run window and press Enter).
2. Expand the root server node > Sites > Default Web Site > WebApplication1.
3. Double-click the "Authentication" icon in the features window.
4. Notice that "Anonymous Authentication" is enabled by default.
5. Select "Windows Authentication" and click the "Enable" link under the "Actions" pane.
At this point, both anonymous and Windows authentication are enabled in IIS, but nothing has been configured in the application yet. Run the application and notice that the user still accesses the web form using anonymous authentication.
So, if both anonymous and Windows authentication are enabled in IIS, and web.config has no deny entry for anonymous users, then resources on the web server are accessed using anonymous authentication.
Anonymous authentication can be disabled either in IIS or in the web.config file.
To disable anonymous authentication in the web.config file, add the following entry:
<authorization>
<deny users="?"/>
</authorization>
Run the application now. Notice that the user is authenticated using the Windows account that was used to log in to the computer. Also notice that the application code still executes under the application pool identity.
If you want the application code to execute under the logged-in user's identity, enable impersonation. Impersonation can be enabled through IIS or by adding the following element to the web.config file:
<identity impersonate="true"/>
With impersonation enabled, the application executes with the permissions of the logged-in user's account. So the user can reach a specific network resource through the application only if that user account itself has access to it.
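The following code-behind is an added example, not code from the video's project, that makes the two identities discussed above visible on the page: the identity attached to the request (User.Identity) and the identity the page code actually runs as (WindowsIdentity.GetCurrent()). The class name WebForm1, the namespace and the Describe helper are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

namespace WebApplication1
{
    // Code-behind for an assumed WebForm1.aspx in the WebApplication1 project.
    public partial class WebForm1 : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Identity attached to the HTTP request. With <deny users="?"/> in
            // web.config this is the caller's Windows account; with anonymous
            // access IsAuthenticated is false.
            IIdentity requestIdentity = User.Identity;

            // Identity of the thread running this page code. Without
            // <identity impersonate="true"/> this is the application pool
            // identity; with impersonation it is the authenticated caller.
            WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

            Response.Write(Describe(requestIdentity, threadIdentity));
        }

        // Builds an HTML-encoded report of both identities so the difference
        // between "who called" and "who the code runs as" is visible.
        private static string Describe(IIdentity request, WindowsIdentity thread)
        {
            // The code is impersonating the caller only when the thread token
            // carries the same account name as the authenticated request.
            bool impersonating = request.IsAuthenticated &&
                string.Equals(request.Name, thread.Name, StringComparison.OrdinalIgnoreCase);

            return
                "IsAuthenticated: " + request.IsAuthenticated + "<br/>" +
                "AuthenticationType: " + HttpUtility.HtmlEncode(request.AuthenticationType) + "<br/>" +
                "Request user: " + HttpUtility.HtmlEncode(request.Name) + "<br/>" +
                "Code runs as: " + HttpUtility.HtmlEncode(thread.Name) + "<br/>" +
                "Impersonating caller: " + impersonating + "<br/>";
        }
    }
}
```

Load the page once with anonymous access, once after adding the deny entry, and once more after enabling impersonation; only the last run shows the request user and the "Code runs as" account matching.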
I am encountering an "Authentication Required" popup. Should I change something else other than what your video shows?