Windows Authentication in ASP.NET 2.0

Source: Internet
Author: User

This tutorial explains how to integrate IIS Windows authentication with the ASP.NET Windows authentication mechanism. It also describes how NTLM and Kerberos authentication work. In addition, it explains how the WindowsAuthenticationModule class constructs WindowsPrincipal and WindowsIdentity objects and then attaches them to the current ASP.NET Web request to represent the authenticated user.

  Overview

Authentication is the process of verifying a client's identity, usually through a designated third-party authority. The client may be an end user, computer, application, or service. The client's identity is called a security principal. To authenticate with a server application, the client provides some form of credentials that allow the server to verify the client's identity. After the client's identity is confirmed, the application can authorize the principal to perform operations and access resources.

If your application uses an Active Directory user store, use integrated Windows authentication. For ASP.NET applications that use integrated Windows authentication, the best approach is to use the Internet Information Services (IIS) authentication method. This approach automatically creates a WindowsPrincipal object (which encapsulates a WindowsIdentity object) to represent the authenticated user. You do not need to write any authentication-specific code.

ASP.NET also supports custom solutions for Windows authentication (bypassing IIS authentication). For example, you can write a custom ISAPI filter that checks user credentials against Active Directory. With this approach, you must create the WindowsPrincipal object manually.

  ASP.NET Authentication

IIS passes ASP.NET a token that represents either an authenticated user or the anonymous user account. This token is maintained in an IIdentity object contained in an IPrincipal object, and the IPrincipal object is attached to the current Web request thread. You can use the HttpContext.User property to access the IPrincipal and IIdentity objects. These objects and this property are set by authentication modules, which are implemented as HTTP modules and are called as a standard part of the ASP.NET pipeline, as shown in Figure 3.

Figure 3. ASP.NET Pipeline

The ASP.NET pipeline model contains an HttpApplication object, multiple HTTP module objects, and an HTTP handler object, together with their associated factory objects. An HttpRuntime object is used at the beginning of the processing sequence. An HttpContext object is used to pass detailed information about the request and response.

For more information about the ASP.NET request lifecycle, see "ASP.NET Life Cycle" at http://msdn2.microsoft.com/library/ms227435(en-US,VS.80).aspx.

  Authentication Module

ASP.NET 2.0 defines a set of HTTP modules in the machine-level Web.config file. These include a number of authentication modules, as shown below:

<httpModules>

  <add name="WindowsAuthentication"
       type="System.Web.Security.WindowsAuthenticationModule" />
  <add name="FormsAuthentication"
       type="System.Web.Security.FormsAuthenticationModule" />
  <add name="PassportAuthentication"
       type="System.Web.Security.PassportAuthenticationModule" />

</httpModules>

Only one authentication module is used, depending on which authentication mode is specified in the authentication element of the configuration file. The authentication module creates an IPrincipal object and stores it in the HttpContext.User property. This is critical because the authorization modules use this IPrincipal object to make authorization decisions.

When anonymous access is enabled in IIS and the mode attribute of the authentication element is set to None, a special module adds a default anonymous principal to the HttpContext.User property. As a result, HttpContext.User is never a null reference (Nothing in Visual Basic).

WindowsAuthenticationModule

The WindowsAuthenticationModule class is activated if the Web.config file contains the following element.

<authentication mode="Windows" />

The WindowsAuthenticationModule class is responsible for creating WindowsPrincipal and WindowsIdentity objects to represent the authenticated user and for attaching these objects to the current Web request.

For Windows authentication, the following steps occur:

• The WindowsAuthenticationModule class creates a WindowsPrincipal object from the Windows access token. This token is wrapped in the WorkerRequest property of the HttpContext class. When the AuthenticateRequest event is raised, the WindowsAuthenticationModule class retrieves the token and creates the WindowsPrincipal object. HttpContext.User is set to this WindowsPrincipal object, which represents the security context of the authenticated user for all authentication modules and ASP.NET pages.

• The WindowsAuthenticationModule class uses P/Invoke to call Win32 functions and obtain the list of Windows groups to which the user belongs. These groups are used to populate the WindowsPrincipal role list.

• The WindowsAuthenticationModule class stores the WindowsPrincipal object in the HttpContext.User property. The authorization modules then use it to authorize the authenticated user.

Note: The DefaultAuthenticationModule class (also part of the ASP.NET pipeline) sets the Thread.CurrentPrincipal property to the same value as the HttpContext.User property. It does this after the AuthenticateRequest event has been processed.
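
The following C# HTTP module is an added example (not code from the original article) showing how application code can consume the principal that WindowsAuthenticationModule stores in HttpContext.User and fail closed when it is missing, anonymous, or outside a required group. The module name RequireWindowsGroupModule and the group EXAMPLE\WebAppUsers are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example (not from the original article). Fails closed unless the
// request carries an authenticated Windows identity in a required group.
// Register it under <httpModules> in Web.config with
// type="RequireWindowsGroupModule" (hypothetical name).
public class RequireWindowsGroupModule : IHttpModule
{
    // Hypothetical group name; replace with a real DOMAIN\Group.
    private const string RequiredGroup = @"EXAMPLE\WebAppUsers";

    public void Init(HttpApplication app)
    {
        // Runs after AuthenticateRequest, so WindowsAuthenticationModule has
        // already stored its principal in HttpContext.User.
        app.PostAuthenticateRequest += new EventHandler(OnPostAuthenticate);
    }

    public void Dispose() { }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // With <authentication mode="Windows" /> this is a WindowsPrincipal;
        // any other type means a different module (or none) authenticated.
        WindowsPrincipal principal = ctx.User as WindowsPrincipal;
        WindowsIdentity identity =
            principal == null ? null : principal.Identity as WindowsIdentity;

        // HttpContext.User is never null, even for anonymous requests,
        // so test the identity explicitly instead of checking for null.
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            Deny(ctx, 401);
            return;
        }

        // IsInRole checks the Windows groups behind the principal's roles.
        if (!principal.IsInRole(RequiredGroup))
            Deny(ctx, 403);
    }

    private static void Deny(HttpContext ctx, int status)
    {
        ctx.Response.StatusCode = status;
        ctx.ApplicationInstance.CompleteRequest(); // skip handler execution
    }
}
```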
