Using IIS Authentication With ASP.NET Impersonation

In this scenario, you are setting up an application on an intranet Web site for posting employee information. However, some of the information is for managers only. The manager information can be posted to a subdirectory of the general employee information, so that access to it can be limited. The scenario also assumes that:

  • You are using a Microsoft Windows NT or Microsoft Windows 2000 server.
  • The hard disk is formatted for NTFS.
  • Microsoft Internet Information Services (IIS) 6.0 is the Web server.
  • All employees needing access are using Windows platforms.

You, as administrator:

  1. Create the files and directories shown in the following illustration.

    Files and directories

  2. Create a Windows group called Managers that contains all users who should have access to the ManagerInfo.aspx file.
  3. Set up Windows authentication using the IIS administration tool.
  4. Set the impersonate attribute in the <identity> element in the ASP.NET configuration file to true.
  5. Set the NTFS access control list (ACL) for the ManagerInformation directory to allow access to only those identities that are in the Windows Manager group. Note that the local system still needs access as well so that the ASP.NET process itself can read the files. Settings in this directory typically resemble the following:
    1. Remove access from the Everyone group, if it has access.
    2. Deny anonymous users.
    3. Add accounts that are to have access privileges.
    4. Give the system account access.

This provides the necessary security without the necessity of writing any code.

See Also

ASP.NET Web Application Security | Designing Secure ASP.NET Applications