Windows Authentication
In this article we will understand the concepts of Windows Authentication in a neat and clear way.
Contents:
· Definitions of a few keywords needed to understand Windows Authentication.
· What is Windows Authentication.
· Why Windows Authentication.
· How Windows Authentication is implemented in ASP.NET Application.
· Configuring impersonation in an application.
Authentication: Authentication is the process of determining the identity of a user based on the user's credentials. The user's credentials are usually a user ID and password, which are checked against a credential store such as a database. If the credentials provided by the user are valid, the user is considered an authenticated user.
Authorization: After successful authentication, authorization is the process of deciding which resources a user can access based on their identity, and of checking whether the authenticated user has sufficient rights to access the requested resource.
Impersonation: Impersonation is a process in which a user accesses resources (e.g., files, databases) by using the identity of another user.
Ex: If anonymous (not logged in / not authenticated) access is enabled for a website in IIS, then IIS runs all users' requests using the identity of the IUSR_machinename account, which is created by IIS. This is the default option in IIS.
WindowsIdentity: It represents the current Windows User.
Authentication Providers:
In ASP.NET, authentication is done by both IIS and ASP.NET. ASP.NET implements authentication through authentication providers, which contain the code necessary to authenticate the requestor's credentials. There are three types of authentication providers built into ASP.NET. They are:
1. Windows Authentication Provider.
2. Forms Authentication Provider.
3. Passport Authentication Provider.
Windows Authentication Provider: Provides information on how to use Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication to secure ASP.NET applications.
Why Windows Authentication:
1. Windows authentication is generally used if the users accessing the application belong to the same organization.
2. This authentication method uses Windows accounts to validate users' credentials. This type of authentication is very good for intranet web sites, where we know our users.
How Windows Authentication is implemented in ASP.NET Application.
With this type of authentication, IIS first performs the authentication through one of its authentication options (e.g., Basic, Digest, Integrated Windows, or some combination of them). After successful authentication, IIS passes the credentials of the authenticated user to the ASP.NET thread. Selection of the appropriate identity for the ASP.NET worker thread is performed by the process defined under the ASP.NET impersonation section below. Based on the credentials supplied by IIS, a Windows identity is created by the WindowsAuthenticationModule in ASP.NET. This identity is set as the current user identity (the security information for the current HTTP request) for the application. This is the default authentication mode in ASP.NET, and it is set in the application's web.config file using the code below:
<system.web>
<authentication mode="Windows"/>
</system.web>
Although Windows authentication mode sets the current User property to a WindowsIdentity based on the credentials supplied by IIS, the Windows identity presented to the operating system for permission checking, such as NTFS file permissions, or for connecting to a database using integrated security, is the identity of the ASP.NET process. On Microsoft Windows 2000 and Windows XP Professional, this is the identity of the ASP.NET worker process, which is the local ASPNET account. On Windows Server 2003, this is the identity of the IIS application pool that the ASP.NET application is part of, which is the NETWORK SERVICE account.
We can make the Windows identity of our ASP.NET application the Windows identity supplied by IIS by enabling impersonation. The ASP.NET application then impersonates the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.
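The distinction above between the request's User identity and the identity the thread presents to the operating system is easiest to see by printing both from inside a request. The handler below is an added example, not code from the article; it assumes an ASP.NET application running with <authentication mode="Windows"/> and anonymous access disabled in IIS, and the file path "~/secure/report.txt" is a hypothetical placeholder.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Added example (not from the article): reports the identity ASP.NET authenticated
// the request as, and the identity the worker thread presents to Windows, then
// performs one file check under the caller's token using scoped impersonation.
public class IdentityReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Identity built by WindowsAuthenticationModule from the credentials IIS
        // supplied. Application-level authorization (<authorization>, IsInRole)
        // is evaluated against this identity.
        IIdentity requestIdentity = context.User.Identity;

        // Identity the thread presents to the OS for NTFS checks and integrated-security
        // database connections. Without <identity impersonate="true"/> this is the
        // worker process / application pool account, not the authenticated caller.
        WindowsIdentity osIdentity = WindowsIdentity.GetCurrent();

        bool impersonatingCaller = string.Equals(requestIdentity.Name, osIdentity.Name,
                                                 StringComparison.OrdinalIgnoreCase);

        context.Response.ContentType = "text/plain";
        context.Response.Write("Authenticated user   : " + requestIdentity.Name + Environment.NewLine);
        context.Response.Write("Authentication type  : " + requestIdentity.AuthenticationType + Environment.NewLine);
        context.Response.Write("OS-level identity    : " + osIdentity.Name + Environment.NewLine);
        context.Response.Write("Impersonating caller : " + impersonatingCaller + Environment.NewLine);

        // Scoped impersonation: even when Web.config leaves impersonation off, a single
        // file access can be made under the caller's token so that NTFS permissions are
        // applied to the caller rather than to the process account. Disposing the
        // WindowsImpersonationContext reverts the thread to the process identity.
        WindowsIdentity caller = requestIdentity as WindowsIdentity;
        if (caller != null && caller.IsAuthenticated && !caller.IsAnonymous)
        {
            string path = context.Server.MapPath("~/secure/report.txt"); // hypothetical file
            bool callerCanRead;
            using (WindowsImpersonationContext scope = caller.Impersonate())
            {
                callerCanRead = CanRead(path);
            }
            context.Response.Write("Caller can read file : " + callerCanRead + Environment.NewLine);
        }
    }

    // Opens the file for reading under whatever token is current on the thread.
    // Access denied or a missing file is reported as false instead of surfacing
    // as an unhandled exception (and a 500 that leaks the process identity).
    private static bool CanRead(string path)
    {
        try
        {
            using (FileStream fs = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                return true;
            }
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (FileNotFoundException) { return false; }
        catch (DirectoryNotFoundException) { return false; }
    }
}
```

To try it in a classic-pipeline application, register the handler under system.web with an httpHandlers add entry (for example verb="GET", path="whoami.axd", type="IdentityReportHandler") and request that path while impersonation is off, then again after adding the identity element shown later in the article: the "OS-level identity" line changes from the ASPNET or NETWORK SERVICE account to the caller's account, while the "Authenticated user" line stays the same.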
Configuring impersonation in an application.
In machine.config file it is configured as below:
<processModel enable="true" username="machine"
password="AutoGenerate" ....... />
In the above line, "machine" is a special value that causes the ASP.NET worker process to run under the less-privileged account, ASPNET.
IIS always maps a user request to some Windows account; in case of anonymous access, this is IUSR_machinename account or any other account that has been defined to be used with anonymous access; in the case of Windows authentication, this is the account whose credentials are provided by the Web site user.
• If impersonation is enabled and any specific Windows account has not been listed in the Web.config file for impersonation, then the ASP.NET worker thread runs under the client identity passed to it by IIS.
• If impersonation is not enabled, then the ASP.NET worker thread runs under the identity of the ASP.NET worker process (which has been defined by using the <processModel> tag in the Web.config file).
• If impersonation is enabled and a specific Windows account has been listed in the Web.config file for impersonation, then the ASP.NET worker thread runs under the identity generated using that account.
To enable impersonation for our Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as below:
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
</system.web>
There are three ways of defining impersonation:
• <identity impersonate="true"/> This means impersonation for the ASP.NET worker thread is enabled.
• <identity impersonate="true" userName="username" password="password"/> This means impersonation for the ASP.NET worker thread is enabled, but the worker thread will run under the identity generated from the credentials specified by the userName and password attributes.
• <identity impersonate="false"/> This means impersonation for the ASP.NET worker thread is not enabled.
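The three rules about which identity the worker thread runs under, and the three forms of the identity element, reduce to one decision over the attributes of that element. The following is an added example, not code from the article: a small console program that parses a web.config string and classifies it into the three modes, and flags the fixed-account form when the password is stored in clear text. The sample configurations in Main are constructed for illustration.

```csharp
using System;
using System.Xml.Linq;

// Added example (not from the article): classify the <identity> element of a
// web.config into the three impersonation modes the article describes.
public static class ImpersonationConfigCheck
{
    public enum Mode
    {
        Disabled,        // thread runs as the worker process / app pool account
        ClientIdentity,  // thread runs as the identity IIS passed in
        FixedAccount     // thread runs as the account named in the identity element
    }

    public static Mode Classify(string webConfigXml, out string warning)
    {
        warning = null;
        XDocument doc = XDocument.Parse(webConfigXml);
        XElement systemWeb = doc.Root.Element("system.web");
        XElement identity = systemWeb == null ? null : systemWeb.Element("identity");

        // No <identity> element at all behaves like impersonate="false".
        if (identity == null)
            return Mode.Disabled;

        // Attribute names are case-sensitive in ASP.NET configuration.
        bool impersonate = string.Equals((string)identity.Attribute("impersonate"), "true",
                                         StringComparison.OrdinalIgnoreCase);
        if (!impersonate)
            return Mode.Disabled;

        string userName = (string)identity.Attribute("userName");
        string password = (string)identity.Attribute("password");
        if (string.IsNullOrEmpty(userName))
            return Mode.ClientIdentity;

        // A fixed account is legitimate, but clear-text credentials in web.config are
        // readable by anyone with read access to the file; the section should be
        // encrypted (aspnet_regiis -pe "system.web/identity") or the setting reviewed.
        if (!string.IsNullOrEmpty(password))
            warning = "clear-text password for '" + userName + "' in web.config";
        return Mode.FixedAccount;
    }

    public static void Main()
    {
        // Constructed sample configurations, one per form listed in the article.
        string[] samples =
        {
            "<configuration><system.web><authentication mode=\"Windows\"/>" +
            "<identity impersonate=\"true\"/></system.web></configuration>",

            "<configuration><system.web><authentication mode=\"Windows\"/>" +
            "<identity impersonate=\"true\" userName=\"CORP\\svc-web\" password=\"P@ss\"/>" +
            "</system.web></configuration>",

            "<configuration><system.web><authentication mode=\"Windows\"/>" +
            "<identity impersonate=\"false\"/></system.web></configuration>"
        };

        foreach (string sample in samples)
        {
            string warning;
            Mode mode = Classify(sample, out warning);
            Console.WriteLine(mode + (warning == null ? "" : "  WARNING: " + warning));
        }
    }
}
```

Running the program prints ClientIdentity, then FixedAccount with the clear-text warning, then Disabled. Reading the element programmatically in this way is also a convenient way to audit many applications on one server for impersonation settings that were enabled long ago and never reviewed.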
Very good article on Windows authentication. Clear explanation.