static void

ASP Security

ASP.Net Security

  1. IIS authentication:
    • Anonymous access= IUSER_machinename (i.e. same as ASP).
    • Windows login- Basic (clear text), Digest (encrypted) and Windows (NTLM)
    • IIS 7+ Windows Authentication vs Chrome/FireFox:
      • Authentication-Windows Auth, click Advanced Settings. Turn Extended Protection "Off" (EPA is not supported by Chrome and Firefox)
      • Authentication-Windows Auth, click Providers. Select NTLM and "move up" to top of list. Chrome in particular may fail the kerberos, but does not failover to NTLM.
  2. IIS passes to ISAPI filter- eg aspnet_wp.exe (or w3wp.exe on WServer2003).
  3. If system.web/identity/@impersonate='false' (default)
    • No impersonation= run as ASPNET (or see machine.config's processModel)
    • Impersonation= run as IIS user (IUSER_machine or windows login) or system.web/identity/@userName
  4. Use system.web/authentication/@mode (None, Windows, Forms, Passport).
    • If using Windows, set system.web/identity/@impersonate="true" otherwise it won't work.
    • If using forms
      • set system.web/authorization/deny/@users="?" otherwise it won't work
      • system.web/authentication/forms/@loginUrl
      • @timeout- default is 30mins, but it refreshes halfway- so 16mins inactivity may kill it...
      • @protection="All" (encrypted + validated) - in webfarms, set machine.config machineKey/@validationKey + @decryptionKey
      • In code if (FormsAuthentication.Authenticate(user, pass)) FormsAuthentication.RedirectFromLoginPage(user, isPermaCookie);
        (replace first method with database authentication)
        (if loginpage== default.aspx then redirect may be to login page... try .GetRedirectUrl instead)
        ( 2.0 has new Membership class)
  5. Page.User returns an IPrincipal, with IsInRole and Identity (which is an IIdentity, with AuthenticationType, Name- cast as WindowsIdentity for IsAnonymous etc).

Rights needed for ASPNET process (KB)

IIS web.config mode WindowsIdentity Page.User
Anon forms no impersonate=IUSR_MACHINE
impersonate= ASPNET
Anon windows ""
Windows forms no impersonate=ASPNET
impersonate= domain/user
Windows windows domain/user

NB: HttpContext.Current.User != WindowsIdentity.GetCurrent() (unless windows impersonating)
!= COM+ Security Role (ContextUtil.IsCallerInRole() is a different set of roles!