Using Windows authentication in ASP.NET Web Pages

標籤：

Tuesday, 16 August 2011   10:53 AM

When I wrote about using simple membership in ASP.NET Web Pages a little while ago, commenter akshayms asked "How can I use Windows authentication"? Simple membership uses a login form and a membership database for managing a site‘s users. In contrast, Windows authentication just uses your existing Windows login credentials; no need to log in separately. Windows auth is useful for intranet sites, like on a corporate network.

When the question first came up, I asked around, because I hadn‘t played with it myself. The first answer was "Just like in ‘normal‘ ASP.NET!", which is to say, by setting the authentication mode in the application‘s Web.config file to "Windows." (Documentation.) Like this:

<authentication mode="Windows" />

It turned out, tho, that this didn‘t entirely work. Anyway, long story short, it looks like you do this:

• Disable simple membership.
• Require authentication. (Duh, right? Hold that thought.)

(Windows authentication also needs to be enabled, but that‘s the default in ASP.NET, so you don‘t actually need to explicitly switch that on.)

You can do these by creating a Web.config file in the Web Pages application and adding the following to it. (Highlights for the interesting bits.) 

<?xml version="1.0"?>
<configuration>
    <appSettings>
        <add key="EnableSimpleMembership" value="false" />
    </appSettings>
    <system.web>
        <compilation debug="false" targetFramework="4.0" />
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</configuration>

The line deny users="?" is the bit I mentioned earlier — this denies access to anonymous users, which is to say that it requires the user to be authenticated. As shown here, this would require authentication to access anything in the site. In an intranet site, that‘s probably fine, since none of your users are probably anonymous. 

Then in a page, you can do this:

@WebSecurity.CurrentUserName

... and/or do all the other membership stuff that‘s supported for Windows authentication in the base membership system. (Not just the features of simple membership.)

However, problem. If you‘re testing your site using IIS Express, which is the default testing server for WebMatrix, you get an "Access Denied" error. Oh, bother.

The fix to this issue is to make a change in the applicationhost.config file, which is (as you might remember) in the following folder:

C:\Users\[you]\Documents\IISExpress\config

In the config file, find the windowsAuthentication element and change its enabled attribute to true. Like this:

<windowsAuthentication enabled="true">

Restart WebMatrix if you happened to have it open whilst doing all this. 

This last fix — the change to applicationhost.config — is a machine-wide setting. If you want to configure Windows authentication for IIS Express for only specific folders/apps, you can use a <location> tag, which lets you apply configuration settings to specific files and folders in your site. (Info: location Element, HOW TO: Control Authorization Permissions in an ASP.NET Application.)

The <location> tag might look like this if you wanted to use Windows authentication in IIS Express for the application named WinauthTest:

<location path="WinAuthTest">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>

One final note. In Visual Studio, it‘s easier to configure IIS Express to use Windows authentication on a per-project basis. Open the project, and in Solution Explorer, select the project (parent) node, then press F4 to view properties. Then just setWindowsAuthentication to true:

Credit: This issue was actually investigated and solved by Erik Porter, who is the Program Manager for Web Pages stuff. I just wrote it up. :-)

Using Windows authentication in ASP.NET Web Pages