Saturday, March 15, 2014

Windows Authentication with Impersonation and Windows Authentication without Impersonation



The configuration elements below show how to enable Windows (IIS) authentication and impersonation declaratively in Web.config or Machine.config.

<authentication mode="Windows" />
<identity impersonate="true" />

When you use Windows authentication together with impersonation, the following authorization options are available to you:

Client Requested Resources
The ASP.NET FileAuthorizationModule performs access checks for requested file types that are mapped to the ASP.NET ISAPI.

Resources Accessed by Your Application
You can configure Windows ACLs on resources accessed by your application.

URL Authorization
Configure URL authorization in Web.config. With Windows authentication, user names take the form DomainName\UserName and roles map one-to-one with Windows groups. Rules are evaluated in order and the first match wins; because the root configuration ends with an allow rule for all users, add a final <deny users="*" /> if everyone outside the listed group should be refused.

<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>

Explicit Role Checks
You can perform role checking using the IPrincipal interface.

IPrincipal.IsInRole(@"DomainName\WindowsGroup");

Enterprise Services (COM+) Roles
You can perform role checking programmatically using the ContextUtil class.

ContextUtil.IsCallerInRole("Director");
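The following IHttpHandler is an added example and not code from the original post. It shows the two identities that matter under Windows authentication, the authenticated caller exposed as IPrincipal through HttpContext.User and the identity the thread actually runs as (the caller when <identity impersonate="true" /> is set, otherwise the worker-process account), and enforces an explicit role check. The group name DomainName\WindowsGroup and the handler class name are placeholders.

```csharp
// Added example (not from the original post): an IHttpHandler that reports which
// identities are in play under Windows authentication and enforces an explicit
// role check through IPrincipal.IsInRole.
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    // Placeholder group; replace with the real domain group that is allowed in.
    private const string RequiredRole = @"DomainName\WindowsGroup";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The authenticated caller, populated by WindowsAuthenticationModule
        // from the token IIS obtained for the request.
        IPrincipal caller = context.User;

        // The identity the current thread executes as. With <identity impersonate="true" />
        // this is the caller; without impersonation it is the worker-process account.
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Explicit role check: refuse unless the caller is in the required Windows group.
        if (!caller.IsInRole(RequiredRole))
        {
            context.Response.StatusCode = 403;
            context.Response.Write("Forbidden");
            return;
        }

        bool impersonating = string.Equals(
            caller.Identity.Name, threadIdentity.Name, StringComparison.OrdinalIgnoreCase);

        context.Response.ContentType = "text/plain";
        context.Response.Write("Authenticated caller: " + caller.Identity.Name + "\r\n");
        context.Response.Write("Thread identity:      " + threadIdentity.Name + "\r\n");
        context.Response.Write("Impersonating caller: " + (impersonating ? "yes" : "no") + "\r\n");
    }
}
```

The handler assumes it is registered in Web.config (for example under httpHandlers for a path such as whoami.axd) in an application with <authentication mode="Windows" />. Toggling <identity impersonate="true" /> changes only the "Thread identity" line, which is a quick way to confirm that downstream resource access will carry the caller's token rather than the process account's.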

When to Use
Use Windows authentication and impersonation when:
Your application’s users have Windows accounts that can be authenticated by the server.

You need to flow the original caller's security context to the middle tier and/or data tier of your Web application to support fine-grained (per-user) authorization.

The disadvantages of impersonation include:
Reduced application scalability due to the inability to effectively pool database connections.

Delegation requires Kerberos authentication and a suitably configured environment.

Windows Authentication without Impersonation
Windows (IIS) authentication without impersonation is enabled declaratively in Web.config in the same way, but without the identity impersonate element (impersonation is off by default).

When you use Windows authentication without impersonation, the following authorization options are available to you:

Client Requested Resources
The ASP.NET FileAuthorizationModule performs access checks for requested file types that are mapped to the ASP.NET ISAPI.

URL Authorization
Configure URL authorization in Web.config. With Windows authentication, user names take the form DomainName\UserName and roles map one-to-one with Windows groups.

<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>

Explicit Role Checks
You can perform role checking using the IPrincipal interface.

IPrincipal.IsInRole(@"DomainName\WindowsGroup");

When to Use
Use Windows authentication without impersonation when:
Your application’s users have Windows accounts that can be authenticated by the server.

You want to use a fixed identity to access downstream resources in order to support connection pooling.
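The handler below is an added example, not code from the original post, illustrating the fixed-identity pattern this section recommends. With <authentication mode="Windows" /> and impersonation left off, the thread runs as the worker-process account, so Integrated Security on the SQL connection uses that one account for every caller and all requests share a single connection pool; per-user authorization is still done in the application against HttpContext.User. The server name, database name, Orders table and group name are placeholders.

```csharp
// Added example (not from the original post): data access under Windows
// authentication without impersonation. All callers reach SQL Server as the
// fixed worker-process account (one pool), while the application authorizes
// and scopes the query per caller.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class OrdersHandler : IHttpHandler
{
    // Integrated Security authenticates as the thread identity. Without
    // <identity impersonate="true" /> that is the worker-process account for
    // every request, so the pool key is identical and connections are reused.
    private const string ConnectionString =
        "Data Source=SQLSERVER_PLACEHOLDER;Initial Catalog=DB_PLACEHOLDER;Integrated Security=SSPI;";

    // Placeholder group; replace with the real domain group that is allowed in.
    private const string RequiredRole = @"DomainName\WindowsGroup";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        IPrincipal caller = context.User;

        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Coarse-grained check in the application: the fixed database identity
        // has access to the table, so the application must gate who may read it.
        if (!caller.IsInRole(RequiredRole))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Fine-grained scoping: the caller's name is passed as a parameter so the
        // shared database identity only returns rows that belong to this caller.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT OrderId, Total FROM Orders WHERE Owner = @owner", conn))
        {
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = caller.Identity.Name;
            conn.Open();

            context.Response.ContentType = "text/plain";
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    context.Response.Write(reader.GetInt32(0) + "\t" + reader.GetDecimal(1) + "\r\n");
                }
            }
        }
    }
}
```

Because the database sees only the process account, auditing at the database no longer identifies the end user; the Owner parameter and the role check in the handler are what tie a row back to a caller, so they, rather than database permissions, carry the authorization burden in this model.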