Windows authentication - Web.Config

[David Thielen]

3. Is this the correct & complete Web.Config for windows authentication. And
is there a way to set this so people enter username instead of
domain\username?

<roleManager enabled="false"/>
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
</authorization>

 

[Dominick Baier [DevelopMentor]]

well with Windows auth - IIS is doing the heavy lifting - in general your
users shouldn't even see a login dialog as IE sends the credentials automatically
(if configured correctly)

Why impersonate?

 

[Steven Cheng[MSFT]]

Hi Dave,

The configuration snippet you pasted means:

===========================
<roleManager enabled="false"/>
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
</authorization>
============================

Your ASP.NET application is using Windows Authentication, so it no longer
use Membership Service. And the role management service is still enabled
and it use the default Rolemanger provider(ASPNETSqlRoleProvider...). When
windows authentication is used, the HttpContext.CurrentUser.Identity will
become a WindowsIdentity if the IIS did forward an authenticated windows
account to the ASP.NET application. Also, if you're using Windows
Authentication, it'll be more appropriate to use WindowsTokenRoleProvider
as configured below:

==============
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
================

For detailed concept on role management and authorization in ASP.NET, you
can have a look at the following MSDN references:

#Understanding Role Management
http://msdn2.microsoft.com/en-us/library/5k850zwb.aspx

#Managing Authorization Using ASP.NET Roles (Visual Studio)
http://msdn2.microsoft.com/en-us/library/53s18z5c.aspx


In addition, when using Windows Authentication, the ASP.NET will also
perform FileAuthorization checking(based on the NTFS ACL on aspx page
files);

#ASP.NET Authorization
http://msdn2.microsoft.com/en-us/library/wce3kxhd.aspx

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

I like this approach for 2 reasons:

1) It's zero sign on.

2) I can impersonate the client user when accessing datasources they are
using so security for that also gets pushed down to their rights on the
domain.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

 

[David Thielen]

Thank you - just to make sure I have this correct - I should have:

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
<authentication mode="Windows"/>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
</authorization>

And you list <providers> but I have none. Should I have one?

 

[David Thielen]

When I changed:
<roleManager enabled="false"/>
to:
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>

Then
HttpContext.Current.User.IsInRole("Domain Users") no longer worked. Am I
missing something else?

 

[Steven Cheng[MSFT]]

Thanks for your response Dave,

Are you using "Windows" Authentication + AspNetWindowsTokenRoleProvider ?
If so, the authenticated use Identity should be of windowsIdentity and the
roles associated with that identity should be windows domain groups. Does
the "Domain Users" in your code mean the "Domain Users" group in your
windows domain? If so, you need to provide the domain name together with
the group name. e.g.
================
<system.web>
<authorization >

<allow roles="MyDomain\Domain Users"/>
<deny users="*"/>
</authorization>
=========================

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

That was it - thank you.

One last question on this. When I am using the SqlExpress role manager my
config is:
<location path="datasource.aspx">
<system.web>
<authorization>
<allow roles="Windward Create Datasource" />
<deny users="*"/>
</authorization>
</system.web>
</location>

while for Windows authentication it is:
<location path="datasource.aspx">
<system.web>
<authorization>
<allow roles="windward\Windward Create Datasource" />
<deny users="*"/>
</authorization>
</system.web>
</location>

Is there any way to:
1) Have the same roles= for both?
2) Or do something like .\ instead of windward\ so it uses the domain it is
running under?

 

[Dominick Baier [DevelopMentor]]

no you have to specify domain\groupname - or create a local group that includes
the domain group.

 

[Steven Cheng[MSFT]]

Thanks for the response Dave,

Not sure whether you must do this, however, I don't think it recommended
that we create the same roles in both SQL role db with our windows
roles(group). Because windows roles are actually windows groups which need
to be specified as "domainname\groupname" , so for your sql role name, you
also need to create the role name as the same which contains the backward
slash. I don't think this is a good idea.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[David Thielen]

I agree.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com