If your application is intended for use inside an organization, and the users who access it already have accounts in the Web server's local user database or in Active Directory, authenticate them with Windows authentication.
You can configure Windows authentication in two ways: within IIS and within your ASP.NET application. To provide defense in depth, use both techniques to require authentication.
When a Web application requires Windows authentication, the server rejects any request that does not carry valid Windows credentials in its Authorization header and answers with a 401 challenge (Integrated Windows Authentication sends a Negotiate or NTLM token rather than the password itself; Basic and Digest carry the credentials directly). The user's browser then prompts for a user name and password, so you do not have to build a page to collect them. Some browsers, such as Microsoft Internet Explorer, automatically supply the current user's Windows credentials when the server is on the intranet, so intranet users are authenticated without retyping their password.

Additionally, because users are authenticated against the server's local user database or the Active Directory domain, Windows authentication saves you from creating and protecting your own credential store. It is therefore the simplest way to authenticate users.

To configure IIS to require all users to authenticate on computers running Microsoft Windows Server 2003, follow these steps:
1. In the Administrative Tools program group, open the IIS Manager.
2. In the IIS Manager console, click to expand your server name, expand Web Sites, and then expand the Web site.
3. Right-click the site or folder name you are configuring authentication for and select Properties.
4. Click the Directory Security tab. In the Authentication And Access Control group, click the Edit button.
5. Clear the Enable Anonymous Access check box, which is selected by default.
6. Select the Integrated Windows Authentication check box, as shown below.
Optionally, select Digest Authentication For Windows Domain Servers, which, unlike Integrated Windows Authentication, works through HTTP proxy servers.
7. Click OK twice to return to the IIS Manager console.

At this point, all Web requests to the virtual directory will require Windows authentication, even if the ASP.NET application itself does not ask for it. Even though configuring IIS is sufficient to require users to present Windows credentials, it is good practice to edit the application's Web.config file to also require Windows authentication, so that the requirement travels with the application and survives an IIS setting being reset or the application being deployed to another server.
To configure an ASP.NET application for Windows authentication, edit the <authentication> section of the Web.config file. This section, like most sections related to ASP.NET application configuration, must be defined within the <system.web> section. The <system.web> section, in turn, must exist within the <configuration> section. This example shows the <authentication> section of the Web.config file configured to use Windows authentication:
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
The <deny users="?" /> rule rejects only anonymous (unauthenticated) users; every authenticated Windows account is still admitted. Authorization rules are evaluated top to bottom and the first matching rule wins, and the root configuration ends with an implicit <allow users="*" />, so to restrict access to a specific group you must allow that group and then explicitly deny everyone else, as the following code demonstrates:
<system.web>
  <authorization>
    <allow roles="BeyondWebLogs\IT" />
    <deny users="*" />
  </authorization>
</system.web>
The code above allows only members of the BeyondWebLogs\IT group to access the application and denies all other users. Note that the order matters: if <deny users="*" /> came first, it would match every request and the <allow> rule would never be reached. Individual users can be allowed or denied in the same way, as shown below:
<system.web>
  <authorization>
    <allow users="BeyondWebLogs\waqas, BeyondWebLogs\muneeb" />
    <deny users="*" />
  </authorization>
</system.web>
Tags: iis, web.config