2.0 auth questions

Discussion in 'ASP .Net Security' started by djc, Nov 1, 2006.

  1. djc

    djc Guest

    I have a couple questions about authentication and authorization in asp.net
    2.0.

    1) I see there are still the same authentication mode options as in 1.1
    (windows, forms, or passport). However in reading through some of the new
    documentation I see reference to 'membership' a lot. How does membership
    relate to all this? Is it simply enhanced classes used with 'forms' based
    authentication? does it also apply to windows authentication mode? etc..

    2) I thought I understood this correctly:
    A) With forms based authentication
    - users and roles exist in a data store of your choice (usually a
    sql database)
    - you handle your own login page to check against your user store
    - authorization after authentication is performed by asp.net using
    settings in web.config
    B) With windows authentication mode
    - the users are actual windows accounts and the roles would be
    windows groups.
    - authorization after authentication is handled by NTFS permissions
    on the web server

    I was just toying around with the website administration tool in VS 2005 for
    a site that is in windows authentication mode and noticed:
    - I could enable and add 'roles', which didn't make sense to me since I
    thought the 'roles' in this case were actually windows groups, and I could
    add access rules which specified 'roles' or users that are not windows users
    or groups??

    confused, probably too confused for this post to even make sense, any input
    would be greatly appreciated
    djc, Nov 1, 2006
    #1

  2. You're mixing apples and oranges a little. Authentication is not necessarily
    membership. Yes, ASP.Net 2.0 does come with the same authentication options
    such as forms and windows. It's only the method used to gather the
    information and authenticate it simply. The membership system in ASP.Net 2.0
    adds the capabilities for creating/managing/authenticating users from a user
    store (typically a SQL Server database) based on the membership provider.
    ASP.Net 2.0 can create the membership store in a SQL Server with all the
    necessary tables and stored procedures. It can also implement role-based
    security. Roles are not Windows Groups so don't compare them. Windows Groups
    are actually an implementation of role-based security. The Membership system
    does come with an optional roles-based security provider so you can
    associate users with roles. It also comes with a personalization system so
    you can personalize the information associated with a user without having to
    muck around with creating custom user tables and such.


    Mark Fitzpatrick, Nov 1, 2006
    #2

  3. djc

    djc Guest

    I think most of my number 2 question was cleared up by this:
    http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetauthorization.asp

    If I understand correctly now I need one last clarification that was not
    specified in the article above:
    when users/roles for URLAuthorizationModule are specified in web.config they
    are automatically matched against windows accounts/groups when using windows
    authentication mode or against whatever user store you used (sql db most of
    the time) if using forms authentication. (Yes/No)?

    my confusion was that I didn't realize the URLAuthorizationModule (settings
    in <authorization></authorization> in web.config) could also be used when
    using windows authentication mode. Now I just want to verify where the
    users/roles specified in the <authorization></authorization> section are
    matched against.

    still not sure on my number 1 below though (about membership, which I think
    is new to 2.0?).

    my first question below is still
    "djc" <> wrote in message
    news:%23o3W9bd$...
    >I have a couple questions about authentication and authorization in asp.net
    >2.0.
    >
    > 1) I see there are still the same authentication mode options as in 1.1
    > (windows, forms, or passport). However in reading through some of the new
    > documentation I see reference to 'membership' a lot. How does membership
    > relate to all this? Is it simply enhanced classes used with 'forms' based
    > authentication? does it also apply to windows authentication mode? etc..
    >
    > 2) I thought I understood this correctly:
    > A) With forms based authentication
    > - users and roles exist in a data store of your choice (usually a
    > sql database)
    > - you handle your own login page to check against your user store
    > - authorization after authentication is performed by asp.net using
    > settings in web.config
    > B) With windows authentication mode
    > - the users are actual windows accounts and the roles would be
    > windows groups.
    > - authorization after authentication is handled by NTFS permissions
    > on the web server
    >
    > I was just toying around with the website administration tool in VS 2005
    > for a site that is in windows authentication mode and noticed:
    > - I could enable and add 'roles', which didn't make sense to me since I
    > thought the 'roles' in this case were actually windows groups, and I could
    > add access rules which specified 'roles' or users that are not windows
    > users or groups??
    >
    > confused, probably too confused for this post to even make sense, any
    > input would be greatly appreciated
    >
    djc, Nov 1, 2006
    #3
  4. djc

    djc Guest

    Thanks for the reply Mark.
    so if I'm using windows authentication mode and add an authorization entry in
    web.config specifying <allow roles="GroupName" /> it would not match
    "GroupName" with a windows user group named "GroupName"?


    djc, Nov 1, 2006
    #4
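
The role-matching behaviour asked about in this thread, as an added example that is not part of any poster's message: three alternative `<system.web>` fragments showing where UrlAuthorizationModule resolves `roles="..."` in each setup. `CONTOSO\WebAdmins` and `Editors` are constructed placeholder names.

```xml
<!-- Variant A: Windows authentication, role manager off (the default).
     The request principal is a WindowsPrincipal, so roles="..." is
     compared against Windows groups and is written as DOMAIN\Group
     (BUILTIN\Administrators for built-in groups). -->
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow roles="CONTOSO\WebAdmins" />
    <!-- Rules are read top-down and the first match wins. Without this
         deny, the inherited machine-level allow users="*" lets
         everyone else through. -->
    <deny users="*" />
  </authorization>
</system.web>

<!-- Variant B: Forms authentication with the role manager enabled.
     The principal becomes a RolePrincipal and roles="..." is compared
     against role names held by the configured role provider (by
     default the SQL Server provider), not against Windows groups. -->
<system.web>
  <authentication mode="Forms" />
  <roleManager enabled="true" />
  <authorization>
    <allow roles="Editors" />
    <deny users="*" />
  </authorization>
</system.web>

<!-- Variant C: Windows authentication with the role manager enabled.
     Turning on roles in the Web Site Administration Tool sets
     roleManager enabled="true", after which role checks go to the role
     provider. Selecting the built-in Windows token provider keeps
     them tied to Windows group membership. -->
<system.web>
  <authentication mode="Windows" />
  <roleManager enabled="true"
               defaultProvider="AspNetWindowsTokenRoleProvider" />
  <authorization>
    <allow roles="CONTOSO\WebAdmins" />
    <deny users="*" />
  </authorization>
</system.web>
```

In all three variants URL authorization is separate from NTFS ACLs: under Windows authentication, FileAuthorizationModule still checks file permissions for the authenticated account in addition to these rules.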