Really confused about authorization/authentication methods in ASP.Net


STom

I have been reading and reading the Microsoft best practices, articles on
and on, but still I can't figure out which method to choose to get started.

Basically, we are using Active directory where all of the users should be
authorized against before accessing the web site. Here are some of my
questions:

1. If I set the virtual directory security property to Integrated Windows
Authentication and I am using active directory (the web server is in the
Active Directory domain) won't IIS/ASP.Net automatically authenticate
against active directory even if I set the web.config file authentication
mode to 'Windows'?

2. If it does automatically authenticate and then I want to get the user or
the user object so I can tell what groups the person belongs in, would I
code that within the page load of the first page?

3. Where do I store the user information so I don't have to authenticate
against active directory for each page?

4. I have seen many examples on MSDN regarding Forms authentication and
active directory. I have 'heard' that you should avoid Forms authentication
but I don't know why. Is there a reason to avoid this way of doing it?

Thanks for any pointers.

STom
 

Michal A. Valasek

Some answers:

| 3. Where do I store the user information so I don't have to authenticate
| against active directory for each page?

You don't. It's a problem of IIS/ASP.NET, not yours.

| 4. I have seen many examples on MSDN regarding Forms authentication and
| active directory. I have 'heard' that you should avoid Forms authentication
| but I don't know why. Is there a reason to avoid this way of doing it?

It depends on your environment. The problem with Forms Authentication is that
you must write authentication scripts and store authentication data
somewhere. If you already have the users in AD and your infrastructure
allows it, use Windows authentication, because it integrates seamlessly with
AD. If you can't / don't want to use AD, store users in SQL / XML / anywhere
and use FormsAuthentication.

Best of all: when changing between Forms/Windows authentication, you don't
have to rewrite your application.
 

Tom

| 1. If I set the virtual directory security property to Integrated Windows
| Authentication and I am using active directory (the web server is in the
| Active Directory domain) won't IIS/ASP.Net automatically authenticate
| against active directory even if I set the web.config file authentication
| mode to 'Windows'?

It depends on the web client used. When you use IE 2.0 and higher you are
granted NTLM authentication in the context of the current user. For
Negotiate/Kerberos, Windows 2000 is needed on both sides and an IE 6.0
client (you have to enable integrated authentication in the options menu and
set one key in the registry to make Negotiate the default one).

| 2. If it does automatically authenticate and then I want to get the user or
| the user object so I can tell what groups the person belongs in, would I
| code that within the page load of the first page?

You can do it where you want to, the information is easy to access.

| 3. Where do I store the user information so I don't have to authenticate
| against active directory for each page?

Bad question: with IE 6.0 you will not be able to authenticate other than
with the currently logged-on user's credentials when using integrated
authentication. So you will never type any user name and password in this
authentication scenario; browsing will be transparent. When you change the
authentication to Basic, IIS will request the user name and password on the
first user access and will hold the opened connection. This is a thing
between the client (in your case IE) and the browser.

| 4. I have seen many examples on MSDN regarding Forms authentication and
| active directory. I have 'heard' that you should avoid Forms authentication
| but I don't know why. Is there a reason to avoid this way of doing it?

I think Forms authentication is the classical way where the user name and
password are given via a simple web form and are sent from the client as
clear text in the request made as the login. It's the same problem as with
Basic authentication without SSL: the password and user name are easy to
sniff.

Tom
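An added example, not code posted by anyone in this thread, showing the point made in both replies above: with Windows authentication the application stores nothing about the user (question 3), and the identity and its group memberships can be read from the request wherever convenient (question 2). It is an ASP.NET Web Forms code-behind and assumes web.config contains `<authentication mode="Windows" />` together with `<authorization><deny users="?" /></authorization>`, and that the IIS virtual directory has Integrated Windows Authentication enabled. The group name `EXAMPLEDOMAIN\WebAppUsers` is a placeholder.

```csharp
// Added example, not code from the thread. ASP.NET Web Forms code-behind that
// reads the identity IIS/ASP.NET has already established for this request.
// Assumes web.config contains:
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
// and that the IIS virtual directory has Integrated Windows Authentication on.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.UI;

public class SecurePage : Page
{
    // Placeholder AD group; substitute your own DOMAIN\Group.
    private const string RequiredGroup = @"EXAMPLEDOMAIN\WebAppUsers";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Nothing is cached by the application: IIS/ASP.NET attaches a fresh
        // principal to every request, so there is no user object to "store".
        IPrincipal user = Context.User;

        // <deny users="?"/> should make this unreachable, but fail closed anyway.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // IsInRole works for Windows and Forms principals alike, so switching
        // authentication modes does not require rewriting this check.
        if (!user.IsInRole(RequiredGroup))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // AuthenticationType reports the scheme the browser negotiated:
        // "NTLM", "Negotiate" or "Kerberos" for integrated auth, "Forms" otherwise.
        string summary = "User: " + user.Identity.Name
            + " via " + user.Identity.AuthenticationType;

        WindowsIdentity winId = user.Identity as WindowsIdentity;
        if (winId != null)
        {
            summary += Environment.NewLine + "Groups:" + Environment.NewLine
                + GroupNames(winId);
        }

        // Encode before writing: the identity name comes from the directory,
        // not from the browser, but it is still untrusted output for HTML.
        Response.Write(HttpUtility.HtmlEncode(summary));
    }

    // Resolves the token's group SIDs to DOMAIN\Name form; SIDs that cannot
    // be resolved (deleted groups, foreign domains) are shown as raw SIDs.
    private static string GroupNames(WindowsIdentity identity)
    {
        StringBuilder sb = new StringBuilder();
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = sid.Value;
            }
            sb.AppendLine(name);
        }
        return sb.ToString();
    }
}
```

The `WindowsIdentity.Groups` collection needs .NET 2.0 or later; on .NET 1.1 only `IsInRole` is available, which is enough for the authorization check itself. If the site is later switched to Forms authentication, the `IsInRole` branch keeps working against whatever role provider is configured, while the `WindowsIdentity` cast simply yields null and the group listing is skipped.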