HOW TO: Secure an ASP.NET Application by Using Windows Security

101578 Users read it.
by ramakrishna jillellamudi (December 2, 2003)
ASP.NET can be used together with Microsoft Internet Information Services (IIS) to authenticate Web users based on their Microsoft Windows 2000 or Windows Server 2003 user account credentials. The ASP.NET execution engine can also be configured to impersonate Web users, or to use its own Windows identity when it accesses resources such as databases or files.
User Rating (71 votes)
1 review available | Read the reviews »
Author(s):Ramakrishna
User Level:Advanced
Platform:Web
Product(s):.NET Web Matrix

Requirements

You need the following hardware, software, and network infrastructure to perform the procedures in this article:
  • Windows 2000 Server Service Pack 2
  • IIS 5.0
  • Windows Server 2003 with IIS 6.0
  • Microsoft Internet Explorer 6.0
  • Microsoft Visual Studio .NET
You also need experience with the following:
  • ASP.NET development with Visual Basic .NET
  • IIS administration
  • Windows 2000 user account administration

How to Develop the Web Site

In this procedure, you will create a simple ASP.NET Web application, which will be secured by using Windows authentication.
  1. Start Visual Studio .NET, and then create a new Visual Basic ASP.NET Web application named "WindowsSite."
  2. Drag a label control from the toolbox onto the WebForm1.aspx Web form, and then set its ID property to authUserPrincipalLabel.
  3. Drag a second label control from the toolbox onto the WebForm1.aspx Web form, and then set its ID property to aspPrincipalLabel.
  4. Double-click WebForm1.aspx to view the code window, and then add the following Imports statement above the class declaration: 
    Imports System.Security
    Add the following code to the Page_Load event procedure:
    Dim authUserName As String
Dim aspUserName As String
authUserName = User.Identity.Name
aspUserName = Principal.WindowsIdentity.GetCurrent.Name
authUserPrincipalLabel.Text = "You are: " & authUserName
aspPrincipalLabel.Text = "This page runs as: " & aspUserName
  5. View the project's Web.config file, and then locate the authentication element. Verify that the mode attribute has a value of Windows.
  6. Build and save the project.
  7. Run the project, and then confirm that the page is displayed with the following message:
    • In Windows 2000
      You are:
      This page runs as: DomainOrServer\ASPNET
    • In Windows Server 2003
      You are:
      This page runs as: DomainOrServer\NETWORK SERVICE
    Note Your user name is not displayed because you have not been authenticated by IIS; anonymous access is still enabled.
  8. Quit Internet Explorer to stop the project.

How to Disable Anonymous Access

In this procedure, you will configure IIS to require Windows-integrated authentication for the WindowsSite site.
  1. Minimize Visual Studio, and then start Internet Services Manager from the Administrative Tools program group.
  2. Expand your server and its default Web site, right-click the WindowsSite site, and then click Properties.
  3. On the Directory Security tab in the WindowsSite Properties dialog box, click the Edit button in the "Anonymous access and authentication control" section.
  4. Click to clear the Anonymous access check box, verify that the Integrated Windows authentication check box is selected, and then click OK.
  5. Click OK to close the WindowsSite Properties dialog box.
  6. Switch back to Visual Studio, and then run the project. Confirm that the page is displayed with the following message:
    • In Windows 2000
      You are: Your Windows user name
      This page runs as: DomainOrServer\ASPNET
    • In Windows Server 2003
      You are: Your Windows user name
      This page runs as: DomainOrServer\NETWORK SERVICE
    Note You have been authenticated through your Windows account. If you had not been logged on to Windows, you would have been prompted for a Windows user name and password.
  7. Quit Internet Explorer to stop the project.

Authorization

In ASP.NET, it is possible to allow authorization to the application when you make additional settings available within the Web.config file. You can allow certain users or certain groups access to these additional settings. The following examples describe this capability. To allow access to all users found in the Windows NT Group that is called "Managers," use the following code: 
<configuration>
     <system.web>
       <authorization>
         <allow roles="domainname\Managers" />
         <deny users="*" />
       </authorization>
     </system.web>
   </configuration>
To allow access to only certain users, use the following code: 
<configuration>
     <system.web>
       <authorization>
         <allow users="domainname\user1,domainname\user2,domainname\user3" />
         <deny users="*" />
       </authorization>
     </system.web>
   </configuration>
Note You can reference multiple roles or users when you use a comma-separated list.

How to Enable Impersonation

In this procedure, you will configure the WindowsSite application to impersonate the Windows user who is accessing it.
  1. In Visual Studio, view the Web.config file for the WindowsSite project.
  2. Add the following element after the authentication element:
    <identity impersonate = "true" />
  3. Save Web.config.
  4. Run the project. Confirm that the page is displayed with the following message (note that the ASP.NET execution engine will use your Windows credentials to access resources on your behalf):

    You are: Your Windows user name
    This page runs as: Your Windows user name

  5. Quit Internet Explorer to stop the project.

How to Assign a Custom Principal

In this procedure, you will configure the WindowsSite application to use a custom security principal:
  1. Start the Computer Management feature from the Administrative Tools program group. Create a new Windows 2000 user account named "WindowsSite," with a password of "password" (note whether your server is a domain controller, and then use the Active Directory Users and Computers tool).
  2. Click to clear the User must change password at next logon check box.Note The custom principal that you select must have the permissions that are outlined in the following Knowledge Base article:

    317012 INFO: Process and Request Identity in ASP.NET

  3. When the WindowsSite account has been created, close the administrative tool that you used to create it.
  4. In Visual Studio, view the Web.config file for the WindowsSite project.
  5. Edit the identity element to read as follows: 
    identity impersonate = "true"
       userName = "DomainOrServerName\WindowsSite"
       password = "password"/>
    where DomainOrServerName is either the name of your Windows 2000 or Windows Server 2003 domain (in a domain environment) or of your computer (in a workgroup environment).
  6. Save Web.config.
  7. Run the project. Confirm that the page is displayed with the following message:

    You are: Your Windows user name
    This page runs as: DomainOrServerName\WindowsSite

    Note Aspnet_wp.exe will use the Windows credentials that you specified to access resources on your behalf.
  8. Quit Internet Explorer to stop the project.
Note The identity of the process that impersonates a specific user on a thread must have the Act as part of the operating system privilege.
  • On Windows 2000, by default, the Aspnet_wp.exe process runs under a computer account that is named ASPNET.
  • On Windows Server 2003, by default, the Aspnet_wp.exe process runs under a computer account that is named NetworkService. However, this account does not have the correct privileges to impersonate a specific user. You receive an error message if you try to impersonate a specific user.
To work around this problem, use one of the following methods:
  • Grant the Act as part of the operating system privilege to the ASPNET account (the least privileged account).

    Note Although you can use this method to work around the problem, Microsoft does not recommend this method.
  • Change the account that the Aspnet_wp.exe process runs under to the System account in the <processModel> configuration section of the Machine.config file.
For more information about the ASPNET process, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn.microsoft.com/library/en-us/vsent7/html/vxconApplicationIdentity.asp?frame=true

Troubleshooting

Windows security in an ASP.NET Web site can be further enhanced (and complicated) by using NTFS file permissions. If your Windows account does not have permissions to read an ASP.NET Web page, IIS will prompt you for alternative Windows credentials. Similarly, if an ASP.NET page attempts to access a file that the security principal used by the ASP.NET execution engine does not have access to, you will be prompted for alternative credentials. NTFS permissions are an effective way to control access to subsections of a Web site.

ramakrishna jillellamudi

ramakrishna jillellamudibasically i am a computer graduate. working as software engg.

See All Postings From ramakrishna jillellamudi >>

Other Advanced Stuff

More Articles from ramakrishna jillellamudi

User Reviews

Total of 1 review
securing "act as part of operating system"
Written by Tomas B on September 21, 2005

better use aspnet_setreg utility http://support.microsoft.com/default.aspx?scid=329290 i've got such a question: what about deployment of asp.net application to windows 2000 sp4 domain controller where local ASPNET doesn't exist there are some ...

Live Support

Categories

Main Sponsor

Visit All Zones

The Dreamweaver ZoneThe Flash ZoneThe .NET ZoneThe Fireworks Zone

Premium Articles

Latest Articles

Most Read Articles

Our Sponsors

Featured E-Book

Design & Accessibility

Have you, as a web developer or designer ever been on sites where the site seems more of a puzzle then a tool to find the information you where looking for? Or are you looking to improve your web design skills? Then read on!

Design & Accessibility

This e-Book will teach you how to become a truly professional developer or designer. By taking usability and accessibility issues in account when designing your websites or applications you can make the difference and avoid a lot of (user) frustration.

Featured Article

Beyond Graphing

When a graph is drawn, the focus is kept on the actual underlying competing figures that constitute the graph. Sometimes it is difficult to make assumptions just by looking at these graphs. When looking at a geographical map of data you immediately see exactly where things are happening. This article presents a .NET geographical mapping solution that will illustrate a fairly simple way of implementing these maps.

Featured Book

Inside ASP.NET


Inside ASP.NET is a comprehensive guide to ASP.NET development using Microsoft's .NET development framework. This book presents information on the .NET framework that is of specific interest to Internet and intranet developers, and is split into the following sections: Introducing ASP.NET, Core ASP.NET, ASP.NET and Data Access, Advanced Technologies, Advanced Web Forms, and Putting It All Together

Each chapter tackles a specific area of ASP.NET development, first by giving a detailed overview, then presenting a series of code examples and walk-throughs that illustrate various applications of ASP.NET

Featured Component

3D Gal Slideshow Bndl

Get our best gallery and slideshow components in one bundle and save money! Our most popular components combined to form an amazing presentation team.

Follow us on twitter Subscribe to our RSS feed
Activate your free membership today | Login | Currency