5

This will probably turn out to be a doozie.

I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.

First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrated Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1

Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2

Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.

Thanks,

Jason

  • If Bob (at Jane's computer) is logged into the local machine and network as Jane, wouldn't the application see Bob as Jane if you are using Windows Authentication? Commented Jun 28, 2011 at 20:39
  • Yup, that's what I have to work around. Commented Jun 28, 2011 at 21:03
  • Upon opening the app, can you just try to log in through Windows authentication and, if that fails, require the user to enter a different set of credentials? Commented Jun 29, 2011 at 13:11
  • The downside of this is that anybody sitting at Bob's computer will have access to your application. Commented Jun 29, 2011 at 13:12
  • Even worse is that he'll get fired for not locking his computer. But then again, nobody likes Bob anyways :-) Commented Jun 29, 2011 at 17:28

3 Answers

4

You're looking for Windows Authentication and Authorization in ASP.NET

Part 2... you're right, that's tough. You'll need to roll your own custom security provider. You'll have a login page, then check that against Active Directory yourself. From MSDN:

ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory. With this approach you must manually create a WindowsPrincipal object.


2

You've got requirements around authentication and authorization here.

Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (e.g. Read/Write/Delete)

Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.

The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.

You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:

http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx

This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users; the identity of the user will be stored in HttpContext.User. You can then also maintain a user list in a database to store authorization data.
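An added example (not from the question or either answer) of the login page that the first answer's "check that against Active Directory yourself" and this answer's custom-provider walkthrough both point at: the typed user name and password are checked against the Windows domain with System.DirectoryServices.AccountManagement, the account is then authorized by membership of an AD group, and only after both steps is a forms ticket issued for the typed identity. The domain name "CONTOSO", the group "IntranetApp-Users", the control names and the web.config fragment in the header comment are all assumptions for the example.

```csharp
// Login.aspx.cs (added example, not the page's own code). Assumed web.config:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" timeout="20" requireSSL="true"
//            slidingExpiration="false" protection="All" />
//   </authentication>
//   <authorization>
//     <deny users="?" />   <!-- anonymous requests are sent to Login.aspx -->
//   </authorization>
// IIS must allow Anonymous access on the site, or the browser never reaches Login.aspx.
using System;
using System.DirectoryServices.AccountManagement;   // .NET 3.5+
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    const string DomainName    = "CONTOSO";           // assumed domain
    const string AppUsersGroup = "IntranetApp-Users"; // assumed AD security group

    // Assumed controls on Login.aspx: UserNameBox, PasswordBox, FailureLabel, LoginButton.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user     = UserNameBox.Text.Trim();
        string password = PasswordBox.Text;

        // One generic message for every failure, so the page does not reveal whether
        // the account exists, the password was wrong, or the user is simply not in
        // the group. Never log or echo the password.
        if (!DomainLogin.IsAuthorized(DomainName, user, password, AppUsersGroup))
        {
            FailureLabel.Text = "Login failed.";
            return;
        }

        // The ticket names the TYPED identity (Bob), not whoever is logged on to the
        // workstation (Jane). createPersistentCookie is false so the ticket is a
        // session cookie and does not outlive the browser on a shared machine.
        FormsAuthentication.RedirectFromLoginPage(DomainLogin.StripDomain(user), false);
    }
}

public static class DomainLogin
{
    // Accepts "bob" or "CONTOSO\bob"; FindByIdentity wants the bare SAM account name.
    public static string StripDomain(string user)
    {
        int i = user.LastIndexOf('\\');
        return i < 0 ? user : user.Substring(i + 1);
    }

    // True only if the credentials are valid on the domain AND the account is a member
    // of the application's group: authentication and authorization as two separate steps.
    public static bool IsAuthorized(string domain, string user, string password, string groupName)
    {
        // Refuse empty input up front: depending on the directory's configuration an
        // empty password can be treated as an anonymous bind and reported as valid.
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return false;

        string sam = StripDomain(user);

        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            // Step 1, authentication: a real logon against a domain controller, so the
            // domain's lockout and password policy apply exactly as for a desktop logon.
            if (!ctx.ValidateCredentials(sam, password, ContextOptions.Negotiate))
                return false;

            // Step 2, authorization: the lookup runs as the application pool identity,
            // which only needs read access to the directory.
            using (UserPrincipal  account = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
            using (GroupPrincipal group   = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
            {
                if (account == null || group == null)
                    return false;
                return account.IsMemberOf(group);
            }
        }
    }
}
```

If you would rather keep the "who may use the application" list in a database, as this answer suggests, the group lookup in step 2 is the only part that changes; the credential check in step 1 stays against the domain so that no password is ever stored by the application.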


0

Also found this -- a pretty good resource for anybody out there who's in the same boat:

Mixing Forms and Windows Security in ASP.NET

http://msdn.microsoft.com/en-us/library/ms972958.aspx
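An added example (not taken from the linked article) of the mixed-mode idea the link describes and that the comments under the question circle around: the site runs Forms authentication, but for this one file IIS has Anonymous access disabled and Integrated Windows Authentication enabled. A domain user who opens WinLogin.aspx is signed on silently; anyone for whom that fails, or who is authenticated but not in the application's group, is sent to the ordinary Login.aspx to type credentials, which is how Bob uses the application from Jane's workstation. The file names, the forms loginUrl and the group "CONTOSO\IntranetApp-Users" are assumptions for the example.

```csharp
// WinLogin.aspx.cs (added example, not the article's or the page's own code).
// IIS setup assumed: Anonymous access OFF and Integrated Windows Authentication ON
// for WinLogin.aspx only; the rest of the site allows Anonymous access and uses
// <authentication mode="Forms"> with Login.aspx as loginUrl.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class WinLogin : Page
{
    const string AppUsersGroup = @"CONTOSO\IntranetApp-Users"; // assumed AD group

    protected void Page_Load(object sender, EventArgs e)
    {
        // Under Forms mode, Page.User is the forms identity (none yet). The Windows
        // identity IIS negotiated for this request is exposed separately on the
        // request, so that is what is read here: e.g. CONTOSO\jane on Jane's PC.
        WindowsIdentity winId = Request.LogonUserIdentity;

        if (winId == null || winId.IsAnonymous || !winId.IsAuthenticated)
        {
            // Integrated auth did not happen (non-domain machine, cancelled prompt):
            // fall back to the typed-credentials page.
            SendToFormsLogin();
            return;
        }

        // Authorize BEFORE issuing a ticket. Jane is authenticated by Windows but not
        // in the group, so she lands on Login.aspx, where Bob can log in as himself.
        if (!IsAppUser(winId))
        {
            SendToFormsLogin();
            return;
        }

        // Both paths end in the same forms ticket, so the rest of the site only ever
        // looks at User.Identity.Name and never needs to know how it was obtained.
        // Caveat raised in the comments above: this path trusts the workstation logon,
        // so an unlocked PC is a logged-in application session. Session cookie only.
        FormsAuthentication.SetAuthCookie(winId.Name, false);
        Response.Redirect(SafeReturnUrl(), true);
    }

    // WindowsPrincipal.IsInRole resolves domain groups from the group SIDs already in
    // the negotiated token, so no extra directory call is needed here.
    static bool IsAppUser(WindowsIdentity winId)
    {
        return new WindowsPrincipal(winId).IsInRole(AppUsersGroup);
    }

    // Hand off to Login.aspx, carrying the ORIGINAL destination along. Using the
    // current URL (WinLogin.aspx) as ReturnUrl would bounce Bob straight back here
    // after he logs in, where Jane's Windows identity would fail the group check again.
    void SendToFormsLogin()
    {
        Response.Redirect(FormsAuthentication.LoginUrl + "?ReturnUrl=" +
                          HttpUtility.UrlEncode(SafeReturnUrl()), true);
    }

    // The ReturnUrl the site sent us with, if it is a path inside this site, otherwise
    // the configured defaultUrl. Rejecting absolute and protocol-relative URLs keeps
    // the sign-on page from being used as an open redirect.
    string SafeReturnUrl()
    {
        string r = Request.QueryString["ReturnUrl"];
        if (!string.IsNullOrEmpty(r) && r.StartsWith("/") &&
            !r.StartsWith("//") && !r.StartsWith("/\\"))
            return r;
        return FormsAuthentication.DefaultUrl;
    }
}
```

A practical way to wire it up is to make Login.aspx offer a "Use my Windows logon" link to WinLogin.aspx (passing the same ReturnUrl): people at their own desks click it and are in without typing anything, while Bob at Jane's desk simply types his domain credentials into the form.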

