Intranet and Integrated Windows Authentication

Andrew

Hey all,

I would like to preface my question by stating I am still learning ASP.net
and while I am confident in the basics and foundation, the more advanced
stuff is still a challenge. Ok. :)

We are looking at redoing our entire Intranet, starting over from scratch,
as a .Net website. Our current site has two separate sides, a public side
for all viewers, and a secure side where those granted permission can access
apps to update web info, databases, etc. In moving to .Net we would like to
use Integrated Windows Authentication with our pages. We will be putting
the Intranet server under a Domain Controller from which the users and user
info will be pulled.

We would like to have the pages similar to what you would see on eBay, or
Amazon, or any number of Blog sites. That is, you can surf and view and
bounce around all the pages, but unless you log in you cannot view your
personal information. However, if you do log in, the public pages take on
new buttons or links because those pages know who you are. In essence, the
public side and secure side merge into one, and page items turn on or off
depending on your logged-in status.

I have Googled "integrated windows authentication" and, of course, have
found numerous websites. It is almost overwhelming. I found a few good
articles here:

Active Directory Authentication from ASP .NET
http://msdn.microsoft.com/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp

Securing an ASP.Net application...
http://www.dotnetjohn.com/articles.aspx?articleid=19

HOW TO: Authenticate against the Active Directory by Using Forms
Authentication and Visual Basic .NET
http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

Developing Secure Web Sites with ASP.NET and IIS
http://www.c-sharpcorner.com/Code/2003/March/SecureSiteWithASPNET.asp

Windows Authentication in ASP.NET
http://www.dotnetbips.com/displayarticle.aspx?id=10

(Joe Kaplan (MVP - ADSI), if you read this, I also saw your postings
recently on somewhat this subject in this newsgroup.)

I am still having trouble interpreting and understanding all this
information and now look to some of you to help possibly translate it into
English. The last URL above provided an example that shows how to use
System.Security.Principal to determine the user name and authenticated
status (which I have tested successfully). But this just pulls from the
system when the user logged in after turning on the PC. The other URLs
state that in an Intranet environment, IWA is the thing to use - which is
where this is going. But I need to offer the ability for a user to log in
and log out, and when not logged in they are set as "anonymous" - not just
automatically pull system info. So it seems I need to use Forms
Authentication? The examples of Forms Authentication I have looked at are,
at my level of experience, quite long, involved, and a bit over my head in
their explanations. Do I use one over the other? Both together? Help?

So, I am asking for some help here in understanding the .Net techniques to
develop a website that uses Integrated Windows Authentication (using Active
Directory from a Domain Controller) to authenticate users, but requires
users to log in, and allows them to log out. I can control the visual
changes on the page(s), I just need help on the log-in/log-out, security,
authentication part of it.

Your comments, suggestions, tips, and other input are gladly accepted and
appreciated. Oh, and in VB.net if possible please, though I turn away
nothing. :)

-- Andrew
 
clintonG

My recommendation will not make the managers happy, but the smartest
thing to do may be obtaining Visual Studio 2005 and starting to learn
ASP.NET 2.0. Neither will be released into production for some
time, but the next release of the framework is going to provide role-based
membership and master pages, both of which are going to allow developers
to implement your expressed objective right out of the box, so to speak.

--
<%= Clinton Gallagher
A/E/C Consulting, Web Design, e-Commerce Software Development
Wauwatosa, Milwaukee County, Wisconsin USA
NET csgallagher@ REMOVETHISTEXT metromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/
 
Raterus

It's really trial and error to get it right, no one post can tell you everything about securing asp.net applications. We're good here at answering questions, not entire concepts. I'd start small, don't attempt to do what you have put out all at once, you'll burn yourself out.

You really have two different approaches you can work on. Using IIS authentication (integrated windows/basic authentication), or Forms Authentication.

If you really wanted to have fun, you could create a forms authentication system that authenticates against active directory, and whenever you needed to, you could impersonate the logged on user for things like database calls, if you needed them to run in the context of the logged on user.
 
Andrew

Raterus,

Ok, fair enough. If you will indulge me for a moment.....
From what I have read, if I use IWA, the page loads if the person has
logged in, or pops up a login dialog if they haven't. If the person is not
in the user list or clicks cancel, the page does not display. If I
implement Forms Authentication, a user can only view pages in the selected
area after they log in, otherwise they are blocked.
I want to allow full viewing of all the Intranet pages. But if they log
in, and are valid users, the pages display their normal stuff in addition to
Edit, Add, Delete, etc. buttons/links. This is no different a concept than
most blogs you go to....you can read all you want, but if you want to post
or modify, you need to log in. You are not prohibited from viewing without
logging in, you just can't do much or admin anything.

Perhaps I am looking at this from the wrong point of view, and thus my
previous question may be going down the wrong road for what I am trying to
do. It appears to me that Forms or IWA versions of authentication are meant
to keep people out. I simply want to add to a page (links, buttons, etc.) if
the viewer is on the authorized user list. I can handle adding the extras
to the page, I just need help with the user authentication part.

So, my question for now is this...How do I take a username and password
from a user, bounce that against the user list (either users on the box or
from Active Directory on a Domain Controller), and return a "valid" or
"invalid" login? Or perhaps, if they are a valid login, echo to the screen
their user information stored on the Domain? Do I do this using either
Forms or IWA, or by some other means?

Again, your help (Raterus and everyone else) is greatly appreciated.

-- Andrew

 
Marty U.

This is a very broad question with a very large answer. My answer will
be from the top of my head but should give you an idea of what process
you need to look at.

You can use integrated authentication and allow everyone to see
everything and then use either your web.config or ntfs permissions on
protected areas/folders. You will then want to use groups/roles to
determine access via .Net and the system.security namespace. I would develop
a security namespace with several classes that check if the user is
authenticated and/or in roles. User controls would then be used to
display specific areas of the site based upon the results of the
security objects you created. You may even find it beneficial to use
session state to help with protected items. However, I actually suggest
against this since session is not very secure.

This actually gets a lot more detailed than what I have described above
and there are actually several more paths/options. You can use your
web.config to secure your entire site. However, this can sometimes
require much overhead in configuring.

You may look at www.asp.net and look at the starter kits (the project
tracker, I believe), which uses a similar idea.

Marty U.
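One way to do what Andrew asks (take a username and password, check it against the domain, then log in and out) along the lines Raterus and Marty describe, as an added example that is not code from any poster or from the linked articles. It assumes .NET Framework 1.1 with System.DirectoryServices referenced; the `LdapPath` value, the class and its method names are placeholders of mine.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Principal
Imports System.Web.Security

' Validates intranet logins against Active Directory and manages the
' Forms Authentication cookie (added example; names are assumptions).
Public Class AdLogin
    ' Placeholder: replace with the LDAP path of your domain.
    Private Const LdapPath As String = "LDAP://DC=example,DC=local"

    ' True only when the domain controller accepts a bind with exactly
    ' these credentials (domain\username + password).
    Public Shared Function ValidateCredentials(ByVal domain As String, _
            ByVal username As String, ByVal password As String) As Boolean
        ' An empty password turns the bind into an anonymous bind, which
        ' the server may accept; refuse it before touching the directory.
        If username Is Nothing OrElse username.Trim().Length = 0 _
           OrElse password Is Nothing OrElse password.Length = 0 Then
            Return False
        End If
        Dim entry As DirectoryEntry = Nothing
        Try
            entry = New DirectoryEntry(LdapPath, domain & "\" & username, _
                password, AuthenticationTypes.Secure)
            ' Reading NativeObject forces the bind; bad credentials throw.
            Dim bound As Object = entry.NativeObject
            Return True
        Catch ex As Exception
            Return False
        Finally
            If Not entry Is Nothing Then entry.Dispose()
        End Try
    End Function

    ' Log in: issue a session-only Forms Authentication cookie.
    Public Shared Sub SignIn(ByVal username As String)
        FormsAuthentication.SetAuthCookie(username, False)
    End Sub

    ' Log out: remove the cookie so the visitor is anonymous again.
    Public Shared Sub SignOut()
        FormsAuthentication.SignOut()
    End Sub

    ' Pages call this to decide whether to render Edit/Add/Delete links.
    Public Shared Function ShowAdminLinks(ByVal user As IPrincipal) As Boolean
        Return (Not user Is Nothing) AndAlso user.Identity.IsAuthenticated
    End Function
End Class
```

Pair it with `<authentication mode="Forms">` plus `<forms loginUrl="login.aspx" />` and `<authorization><allow users="*" /></authorization>` in web.config so anonymous visitors can still browse every page, and serve login.aspx over HTTPS because the form otherwise posts the domain password in the clear.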
 
