Windows authentication provides developers with a way to use the built-in security features of the Windows platform and the NTFS file system. It also uses the security features built into IIS. By using Windows authentication you can build a high-security ASP.NET application with little or no code. However, Windows authentication works only when the client runs the Windows platform and has an account on the Web server or in the Windows domain to which the Web server belongs.
There are five types of Windows Authentication:
1. Basic authentication
2. Digest authentication
3. Integrated Windows authentication
4. IIS client certificate mapping authentication
5. Active Directory client certificate mapping authentication
If more than one authentication type is enabled (for example, all of them are checked), IIS first tries certificate mapping and then Integrated Windows authentication. If that fails, digest authentication is attempted. Finally, if all other methods fail, basic authentication is used. In other words, the system first tries the most secure authentication option and then falls back step by step to the less secure ones.
This tutorial explains IIS Integrated Windows authentication and the ASP.NET 2.0 Windows authentication mechanism. It also describes how NTLM and Kerberos authentication work. In addition, it explains how the WindowsAuthenticationModule class constructs WindowsPrincipal and WindowsIdentity objects and attaches them to the current ASP.NET Web request to represent the authenticated user.
Overview
Authentication is the process of verifying a client's identity, usually by means of a designated third-party authority. The client may be an end user, a computer, an application, or a service. The client's identity is called the security principal. To authenticate to a server application, the client presents some form of credentials that allow the server to verify the client's identity. Once the client's identity is confirmed, the application can grant the principal permission to perform operations and access resources.
If your application uses Active Directory as its user store, use Integrated Windows authentication. The best way to use Integrated Windows authentication in an ASP.NET application is to use the Internet Information Services (IIS) authentication method together with the ASP.NET Windows authentication provider. This method automatically creates a WindowsPrincipal object (which wraps a WindowsIdentity object) to represent the authenticated user. You do not need to write any authentication-specific code.
ASP.NET also supports custom Windows authentication solutions that bypass IIS authentication. For example, you can write a custom ISAPI filter that checks user credentials against Active Directory. To use this method, you must create the WindowsPrincipal object manually.
ASP.NET Authentication
IIS passes ASP.NET a token representing either an authenticated user or an anonymous user account. This token is held in an IIdentity object contained in an IPrincipal object, and the IPrincipal object is attached to the current Web request thread. You can access the IPrincipal and IIdentity objects through the HttpContext.User property. These objects and properties are set by the authentication modules. The modules are implemented as HTTP modules and are invoked as a standard part of the ASP.NET pipeline, as shown in Figure 3.
Figure 3. ASP.NET pipeline
The ASP.NET pipeline model contains an HttpApplication object, a number of HTTP module objects, and an HTTP handler object together with its associated factory object. The HttpRuntime object starts the processing sequence. The HttpContext object carries detailed information about the request and the response throughout the request lifecycle.
For more information about the ASP.NET request lifecycle, see "ASP.NET Application Life Cycle Overview" at http://msdn2.microsoft.com/library/ms227435(en-us,vs.80).aspx.
Authentication Module
ASP.NET 2.0 defines a set of HTTP modules in the machine-level Web.config file. Among them are several authentication modules, as shown below:

<httpModules>
  <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule"/>
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>
  <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule"/>
</httpModules>
Only one authentication module is loaded, depending on which authentication mode is specified in the authentication element of the configuration file. That authentication module creates an IPrincipal object and stores it in the HttpContext.User property. This is critical because the authorization modules use this IPrincipal object to make their authorization decisions.
When anonymous access is enabled in IIS and the mode attribute of the authentication element is set to None, a special module attaches the default anonymous principal to the HttpContext.User property. As a result, HttpContext.User is never a null reference (Nothing in Visual Basic) after authentication.
WindowsAuthenticationModule
The WindowsAuthenticationModule class is activated when the Web.config file contains the following element:

<authentication mode="Windows"/>
The WindowsAuthenticationModule class is responsible for creating the WindowsPrincipal and WindowsIdentity objects that represent the authenticated user and for attaching these objects to the current Web request.
Windows authentication proceeds as follows:
• WindowsAuthenticationModule creates a WindowsPrincipal object from the Windows access token that IIS passes to ASP.NET. This token is wrapped in the WorkerRequest property of the HttpContext class. When the AuthenticateRequest event fires, WindowsAuthenticationModule retrieves the token from the HttpContext class and creates the WindowsPrincipal object. HttpContext.User then uses this WindowsPrincipal to represent the security context of the authenticated user to all subsequent modules and ASP.NET pages.
• The WindowsAuthenticationModule class uses P/Invoke to call Win32 functions and obtain the list of Windows groups to which the user belongs. These groups are used to populate the WindowsPrincipal role list.
• The WindowsAuthenticationModule class stores the WindowsPrincipal object in the HttpContext.User property. The authorization modules then use it to authorize the authenticated user.
Note: The DefaultAuthenticationModule class (also part of the ASP.NET pipeline) sets the Thread.CurrentPrincipal property to the same value as the HttpContext.User property. It does this after the AuthenticateRequest event has been processed.
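The following is an added example, not code from the original article or from ASP.NET itself: a hypothetical diagnostic HTTP module (PrincipalAuditModule is an assumed name) that runs right after the steps above and shows what WindowsAuthenticationModule has attached to the request, including the group list behind IsInRole().

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Hypothetical diagnostic module (added example, not part of the page or of ASP.NET).
// Register it in Web.config under <system.web><httpModules>:
//   <add name="PrincipalAudit" type="PrincipalAuditModule"/>
public class PrincipalAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest fires after WindowsAuthenticationModule has set
        // HttpContext.User and DefaultAuthenticationModule has copied it to
        // Thread.CurrentPrincipal, so both are ready to inspect here.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsPrincipal principal = ctx.User as WindowsPrincipal;
        if (principal == null)
        {
            // Forms or None mode: no WindowsPrincipal is attached to the request.
            Trace.WriteLine("Not Windows-authenticated: " + ctx.Request.RawUrl);
            return;
        }

        WindowsIdentity identity = (WindowsIdentity)principal.Identity;
        // AuthenticationType names the IIS scheme that produced the token, e.g.
        // "NTLM", "Kerberos" or "Negotiate" for Integrated Windows authentication.
        Trace.WriteLine(string.Format("User={0} Type={1} Anonymous={2}",
            identity.Name, identity.AuthenticationType, identity.IsAnonymous));

        // The token's group SIDs are what filled the principal's role list, so
        // IsInRole() maps directly to Windows group membership.
        foreach (IdentityReference sid in identity.Groups)
        {
            try { Trace.WriteLine("  Group: " + sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { Trace.WriteLine("  Group SID: " + sid.Value); }
        }

        if (principal.IsInRole(WindowsBuiltInRole.Administrator))
            Trace.WriteLine("  Caller is a local Administrator");
    }
}
```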
Authorization Module
If the WindowsAuthenticationModule class does not reject the request, the authorization modules are called next. These modules are also defined in the httpModules element of the machine-level Web.config file and are described below.
UrlAuthorizationModule
The UrlAuthorizationModule class is called first. It looks for an authorization element in the machine-level or application-specific Web.config file. If this element exists, the UrlAuthorizationModule class retrieves the IPrincipal object from the HttpContext.User property and uses the specified verb (GET, POST, and so on) to determine whether the user is authorized to access the requested resource.
FileAuthorizationModule
Next, the FileAuthorizationModule class is called. It checks whether the IIdentity object in the HttpContext.User.Identity property is an instance of the WindowsIdentity class. If the IIdentity object is not a WindowsIdentity, the FileAuthorizationModule class stops processing.
If it is a WindowsIdentity, the FileAuthorizationModule class calls the AccessCheck Win32 function (through P/Invoke) to determine whether the authenticated client is authorized to access the requested file. If the discretionary access control list (DACL) in the file's security descriptor contains at least one Read access control entry (ACE) that applies to the user, the request is allowed to continue. Otherwise, the FileAuthorizationModule class calls the HttpApplication.CompleteRequest method and returns status code 401 to the client.
Security Context
The .NET Framework uses the following two interfaces to encapsulate Windows tokens and logon sessions:
• System.Security.Principal.IPrincipal
• System.Security.Principal.IIdentity (exposed as a property of the IPrincipal interface)
HttpContext.User
In ASP.NET, the WindowsPrincipal and WindowsIdentity classes represent the security context of a user authenticated with Windows authentication. ASP.NET applications that use Windows authentication can access the WindowsPrincipal object through the HttpContext.User property.
To retrieve the security context of the Windows authenticated user who initiated the current request, use the following code:
using System.Security.Principal;
...
// Obtain the authenticated user's identity.
WindowsPrincipal winPrincipal = (WindowsPrincipal)HttpContext.Current.User;
WindowsIdentity.GetCurrent
The WindowsIdentity.GetCurrent method identifies the security context of the currently executing Win32 thread. If impersonation is not used, the thread inherits the security context of the IIS 6.0 worker process (the NetworkService account by default).
This security context is used to access local resources. You can override it through impersonation, either with the security context of the original authenticated user or with a fixed identity.
To retrieve the security context of the application, use the following code:
using System.Security.Principal;
...
// Obtain the identity of the currently executing thread.
WindowsIdentity winId = WindowsIdentity.GetCurrent();
WindowsPrincipal winPrincipal = new WindowsPrincipal(winId);
Thread.CurrentPrincipal
Each thread in an ASP.NET application exposes a CurrentPrincipal object that holds the security context of the original authenticated user. This security context can be used for role-based authorization.
To retrieve the current thread principal, use the following code:
using System.Security.Principal;
using System.Threading;
...
// Obtain the authenticated user's identity.
// CurrentPrincipal is a property, not a method, so it is read without parentheses.
WindowsPrincipal winPrincipal = (WindowsPrincipal)Thread.CurrentPrincipal;
Table 1 shows the identity obtained from each of these identity properties when the application uses Windows authentication and IIS is configured for Integrated Windows authentication.
Table 1: Resulting identity from each identity property

Web.config settings | Variable location | Resulting identity
<identity impersonate="true"/> <authentication mode="Windows"/> | HttpContext | Domain\Username
 | WindowsIdentity | Domain\Username
 | Thread | Domain\Username
<identity impersonate="false"/> <authentication mode="Windows"/> | HttpContext | Domain\Username
 | WindowsIdentity | NT AUTHORITY\Network Service
 | Thread | Domain\Username
<identity impersonate="true"/> <authentication mode="forms"/> | HttpContext | User Name
 | WindowsIdentity | Domain\Username
 | Thread | User Name
<identity impersonate="false"/> <authentication mode="forms"/> | HttpContext | User Name
 | WindowsIdentity | NT AUTHORITY\Network Service
 | Thread | User Name
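As an added example (not code from the original article), the hypothetical IdentityProbe helper below reads the three identity sources of Table 1 side by side, flags the impersonate="false" case where resource access silently runs as the worker process account, and shows the scoped impersonation override described under WindowsIdentity.GetCurrent.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical helper (added example, not part of the page): captures the three
// identities from Table 1 so impersonation settings can be verified at runtime.
public static class IdentityProbe
{
    public struct Snapshot
    {
        public string HttpContextUser;  // who IIS authenticated
        public string Win32Thread;      // whose token the OS thread carries
        public string ThreadPrincipal;  // what role-based checks see
    }

    public static Snapshot Capture()
    {
        Snapshot s = new Snapshot();
        s.HttpContextUser = HttpContext.Current.User.Identity.Name;
        s.Win32Thread = WindowsIdentity.GetCurrent().Name;
        s.ThreadPrincipal = Thread.CurrentPrincipal.Identity.Name;
        return s;
    }

    // True when file, registry or network access from this thread runs as the
    // worker process account: Table 1 shows impersonate="false" leaves
    // WindowsIdentity at NT AUTHORITY\Network Service while HttpContext.User
    // is still Domain\Username.
    public static bool ResourceAccessUsesProcessAccount(Snapshot s)
    {
        return !string.Equals(s.HttpContextUser, s.Win32Thread,
                              StringComparison.OrdinalIgnoreCase);
    }

    // Scoped override of the thread's Win32 context with the caller's token
    // (Windows authentication mode only). The using block calls Undo() even
    // if the resource access inside it throws.
    public static string NameWhileImpersonatingCaller()
    {
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null)
            return null; // Forms mode: there is no Windows token to impersonate
        using (WindowsImpersonationContext imp = caller.Impersonate())
        {
            return WindowsIdentity.GetCurrent().Name; // now Domain\Username
        }
    }
}
```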
Http://dev.yesky.com/msdn/39/7595039.shtml