RE: Windows authentication - Web.Config

Thank you - just to make sure I have this correct - I should have:

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
<authentication mode="Windows"/>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
</authorization>

And you list <providers> but I have none. Should I have one?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



"Steven Cheng[MSFT]" wrote:

Hi Dave,

The configuration snippet you pasted means:

===========================
<roleManager enabled="false"/>
<authentication mode="Windows">
</authentication>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
</authorization>
============================

Your ASP.NET application is using Windows Authentication, so it no longer
use Membership Service. And the role management service is still enabled
and it use the default Rolemanger provider(ASPNETSqlRoleProvider...). When
windows authentication is used, the HttpContext.CurrentUser.Identity will
become a WindowsIdentity if the IIS did forward an authenticated windows
account to the ASP.NET application. Also, if you're using Windows
Authentication, it'll be more appropriate to use WindowsTokenRoleProvider
as configured below:

==============
<roleManager enabled="true"
defaultProvider="AspNetWindowsTokenRoleProvider" >
<providers>
================

For detailed concept on role management and authorization in ASP.NET, you
can have a look at the following MSDN references:

#Understanding Role Management
http://msdn2.microsoft.com/en-us/library/5k850zwb.aspx

#Managing Authorization Using ASP.NET Roles (Visual Studio)
http://msdn2.microsoft.com/en-us/library/53s18z5c.aspx


In addition, when using Windows Authentication, the ASP.NET will also
perform FileAuthorization checking(based on the NTFS ACL on aspx page
files);

#ASP.NET Authorization
http://msdn2.microsoft.com/en-us/library/wce3kxhd.aspx

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



.

Relevant Pages

  • RE: Windows authentication - Web.Config
    ... Your ASP.NET application is using Windows Authentication, ... For detailed concept on role management and authorization in ASP.NET, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: Windows authentication - Web.Config
    ... Your ASP.NET application is using Windows Authentication, ... For detailed concept on role management and authorization in ASP.NET, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Authorization
    ... i want to implement authorization with windows authentication and don't ... windows authentication for this .NET application is already setup. ... should the username and role be declared in the session_start event ...
    (microsoft.public.dotnet.framework.aspnet)
  • Authentication/Authorization in WS-Security
    ... Windows Authentication and Role using a username token. ... I am using impersonation on my presentation web server. ... In my web method I want to use role management to control who is ... windows authentication and role management for authorization? ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • asp.net vulnerability
    ... From: Windows NTBugtraq Mailing List ... More details on ASP.NET vulnerability ... There has been some confusion with the ASP.NET forms authentication issue ... authorization issue, not an authentication issue. ...
    (microsoft.public.sharepoint.portalserver)
Quantcast