Windows Authentication Provider

Windows Authentication treats the user identity supplied by Microsoft Internet Information Services (IIS) as the authenticated user in an ASP.NET application. IIS provides a number of authentication mechanisms to verify user identity, including anonymous authentication, Windows integrated (NTLM) authentication, Windows integrated (Kerberos) authentication, Basic (base64 encoded) authentication, Digest authentication, and authentication based on client certificates.

Windows Authentication is implemented in ASP.NET using the WindowsAuthenticationModule module. The module constructs a WindowsIdentity based on the credentials supplied by IIS and sets the identity as the current User property value for the application.

Windows Authentication is the default authentication mechanism for ASP.NET applications and is identified as the authentication mode for an application using the authentication configuration element, as shown in the following code example.

<system.web>
  <authentication mode="Windows"/>
</system.web>

Impersonating the Windows Identity

Although the Windows Authentication mode sets the value of the current User property to a WindowsIdentity based on the credentials supplied by IIS, it does not modify the Windows identity that is supplied to the operating system. The Windows identity supplied to the operating system is used for permission checking, such as NTFS file permissions, or for connecting to a database using integrated security. By default, this Windows identity is the identity of the ASP.NET process. On Microsoft Windows 2000 and Windows XP Professional, this is the identity of the ASP.NET worker process, which is the local ASPNET account. On Windows Server 2003, this is the identity of the IIS Application Pool that the ASP.NET application is part of. By default, this is the NETWORK SERVICE account.

You can configure the Windows identity of your ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. That is, you instruct your ASP.NET application to impersonate the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.

To enable impersonation for your Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as shown in the following code example.

<system.web>
  <authentication mode="Windows"/>
  <identity impersonate="true"/>
</system.web>

For more information on the ASP.NET process identity, see Configuring ASP.NET Process Identity. For more information on impersonation, see the Impersonate method.

Enabling Authorization using NTFS ACLs

You can improve the security of your ASP.NET application by securing the application's files using the NTFS file system and Access Control Lists (ACLs). ACLs enable you to specify which users and groups of users have access to your application's files. For a list of the minimum required NTFS file permissions that a Windows identity needs to run as the identity of an ASP.NET page, see ASP.NET Required Access Control Lists (ACLs).

NoteNote

You can also use ASP.NET roles to manage user authorization for pages and sections of your Web application. For more information, see Managing Authorization Using Roles.

See Also

Tasks

How to: Create a WindowsPrincipal Object
How to: Create GenericPrincipal and GenericIdentity Objects

Other Resources

ASP.NET Web Application Security
ASP.NET Authentication