Authorization question, w/ "Windows" authentication mode



hello,

i'm familiar w/ *forms* based authentication, and i have coded several
public-facing web sites that authenticate w/ a forms-based login page;
then get back an array of user roles, and from global.asax.cs's
Application_AuthenticateRequest() assign the roles to the
Security.Principal user.

now i am working on a *windows* based authentication webapp for an
intranet. all users use the windows network to login, and then they
bring up my webapp.

i've set up IIS & web.config, so i have no trouble grabbing their
User.Identity.Name (their windows login). cool. and since i am able to
use global.asax.cs's Application_AuthenticateRequest() i can retrieve
their db-stored roles and assign them to the Security.Principal user. cool.


the problem? "Application_AuthenticateRequest()" gets called on every
single page request, which means a hit to the database to get the
user's roles every single pageload. is this normal? (i can't remember if
that's how my prior forms-based webapps worked, too..) if it is normal,
what is the best practice -- deal w/ it? use the Session to cache the
user's roles?


here is my code:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (Request.IsAuthenticated)
    {
        System.Web.HttpContext context = System.Web.HttpContext.Current;

        string userName = context.User.Identity.Name; //format: DOMAIN\user.name

        //populate my app-user (gets roles from database)
        AppUser myUser = new AppUser(userName);

        //assign its roles to security model
        context.User = new System.Security.Principal.GenericPrincipal(User.Identity, myUser.Roles);
    }
}


thanks!
matt
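
An added example, not part of matt's post: one way to avoid the per-request database hit is to keep each user's roles in the application cache with an absolute expiry. Session state is not yet available when Application_AuthenticateRequest runs, and an absolute (not sliding) expiry bounds how long a revoked role keeps working. The AppUser stand-in, the 5-minute lifetime, the "roles:" key prefix and InvalidateRoles are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Stand-in (assumption) for the poster's AppUser class, which loads roles from the database.
public class AppUser
{
    public string[] Roles { get; private set; }
    public AppUser(string userName) { Roles = new string[0]; /* real class: DB lookup */ }
}

public class Global : HttpApplication
{
    // Assumption: 5 minutes is the longest a revoked role may remain effective.
    private static readonly TimeSpan RoleCacheLifetime = TimeSpan.FromMinutes(5);

    // Windows account names are case-insensitive, so normalise the key.
    private static string CacheKey(string userName)
    {
        return "roles:" + userName.ToUpperInvariant();
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
            return;

        HttpContext context = HttpContext.Current;
        IIdentity identity = context.User.Identity; // DOMAIN\user.name
        string key = CacheKey(identity.Name);

        string[] roles = HttpRuntime.Cache[key] as string[];
        if (roles == null)
        {
            // Cache miss: one database hit, then reuse until the entry expires.
            roles = new AppUser(identity.Name).Roles ?? new string[0];
            HttpRuntime.Cache.Insert(key, roles, null,
                DateTime.UtcNow.Add(RoleCacheLifetime),            // absolute expiry
                System.Web.Caching.Cache.NoSlidingExpiration);     // never extended by activity
        }

        context.User = new GenericPrincipal(identity, roles);
    }

    // Call from whatever code changes a user's roles so the change applies at once.
    public static void InvalidateRoles(string userName)
    {
        HttpRuntime.Cache.Remove(CacheKey(userName));
    }
}
```

The cache is per worker process, so on a web farm each server holds its own copy and InvalidateRoles only clears the local one; the expiry is what guarantees the others catch up.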
