
ASP Security

ASP.Net Security

  1. IIS authentication:
    • Anonymous access = IUSR_machinename (i.e. the same account as classic ASP).
    • Windows login: Basic (clear text), Digest (credentials hashed, not sent in clear text) and Integrated Windows (NTLM or Kerberos).
    • IIS 7+ Windows Authentication vs Chrome/Firefox:
      • Authentication > Windows Auth, click Advanced Settings. Turn Extended Protection "Off" (EPA is not supported by Chrome and Firefox). EPA/channel binding protects against credential relaying, so this is a compatibility trade-off, not a free change.
      • Authentication > Windows Auth, click Providers. Select NTLM and "move up" to the top of the list. Chrome in particular may fail the Kerberos handshake but does not fall back to NTLM.
  2. IIS hands the request to the ASP.NET ISAPI extension, whose worker process is aspnet_wp.exe (or w3wp.exe on Windows Server 2003).
  3. system.web/identity/@impersonate (default 'false'):
    • No impersonation = runs as ASPNET (or the account named in machine.config's processModel).
    • Impersonation = runs as the IIS user (IUSR_machine or the Windows login), or as system.web/identity/@userName if that is set.
  4. Use system.web/authentication/@mode (None, Windows, Forms, Passport).
    • If using Windows, set system.web/identity/@impersonate="true", otherwise it won't work.
    • If using Forms:
      • set system.web/authorization/deny/@users="?" (deny anonymous users), otherwise it won't work
      • system.web/authentication/forms/@loginUrl
      • @timeout: default is 30 mins, but with sliding expiration the ticket is only renewed once more than half the timeout has elapsed, so as little as 16 mins of inactivity may expire it...
      • @protection="All" (encrypted + validated). In web farms, set machine.config machineKey/@validationKey + @decryptionKey to the same values on every server so all of them can validate the ticket.
      • In code: if (FormsAuthentication.Authenticate(user, pass)) FormsAuthentication.RedirectFromLoginPage(user, isPermaCookie);
        (replace the first call with database authentication; Authenticate only checks credentials stored in web.config)
        (if loginUrl == default.aspx then the redirect may go back to the login page... try FormsAuthentication.GetRedirectUrl instead)
        (ASP.NET 2.0 has the new Membership class)
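The settings from steps 3 and 4 wired together in one web.config, as an added example (not a file from the original notes). The cookie name, Login.aspx and the machineKey values are placeholders; the keys must be replaced with freshly generated random hex and kept identical across every server in a farm.

```xml
<!-- Added example: Forms authentication configured per steps 3 and 4.
     Placeholders: cookie name ".APPAUTH", Login.aspx, and the two machineKey values. -->
<configuration>
  <system.web>

    <!-- Step 3: no impersonation, so code runs as the worker process account (ASPNET). -->
    <identity impersonate="false" />

    <!-- Step 4: Forms mode. Anonymous requests to protected pages are sent to loginUrl. -->
    <authentication mode="Forms">
      <forms name=".APPAUTH"
             loginUrl="Login.aspx"
             timeout="30"
             slidingExpiration="true"
             protection="All"
             requireSSL="true" />
    </authentication>

    <!-- Without this deny rule Forms auth never triggers: "?" means anonymous users. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Web farm: every server must use the same keys or tickets issued by one
         server fail validation on another. Normally placed in machine.config.
         PLACEHOLDER values: generate real random keys before use. -->
    <machineKey validationKey="REPLACE_WITH_RANDOM_HEX_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_RANDOM_HEX_DECRYPTION_KEY"
                validation="SHA1" />

  </system.web>
</configuration>
```

requireSSL="true" keeps the ticket cookie off plain HTTP, which matters because protection="All" protects the ticket's contents but not its transport; slidingExpiration="true" is the behaviour the @timeout bullet above describes.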
  5. Page.User returns an IPrincipal, with IsInRole and Identity (an IIdentity with AuthenticationType and Name; cast it to WindowsIdentity for IsAnonymous etc.).

Rights needed for ASPNET process (KB)

IIS auth   web.config mode   WindowsIdentity.GetCurrent()        Page.User
---------  ----------------  ----------------------------------  ----------------------
Anon       forms             no impersonate = ASPNET             formId (FormsIdentity)
                             impersonate    = IUSR_MACHINE
Anon       windows           same as row above                   "" (anonymous)
Windows    forms             no impersonate = ASPNET             formId (FormsIdentity)
                             impersonate    = domain\user
Windows    windows           same as row above                   domain\user

NB: HttpContext.Current.User != WindowsIdentity.GetCurrent() (unless Windows authentication with impersonation is in use),
and neither is the same as a COM+ Security Role (ContextUtil.IsCallerInRole() checks a different set of roles!).
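Putting step 4's login snippet and the NB above into working code, as an added example rather than code from the original notes: a Login.aspx code-behind that authenticates against a database instead of web.config credentials, avoids the redirect-back-to-login problem, and a helper that shows the three identities the NB compares. CredentialStore.Verify is a hypothetical database check; UserName, Password, RememberMe and FailureText are assumed controls on the page.

```csharp
// Added example (not from the original notes). Assumes a hypothetical
// CredentialStore.Verify(user, pass) that checks a database, replacing
// FormsAuthentication.Authenticate (which only reads web.config credentials).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;        // assumed TextBox controls on Login.aspx
        string pass = Password.Text;
        bool persist = RememberMe.Checked;  // the isPermaCookie argument

        if (!CredentialStore.Verify(user, pass))   // hypothetical database check
        {
            // One generic message for unknown user and wrong password alike.
            FailureText.Text = "Login failed.";
            return;
        }

        // Issue the ticket, then pick the destination ourselves instead of calling
        // RedirectFromLoginPage: if loginUrl is also the default page, ReturnUrl can
        // point straight back at the login form.
        FormsAuthentication.SetAuthCookie(user, persist);
        string target = FormsAuthentication.GetRedirectUrl(user, persist);

        // Only ever redirect to a local path; ReturnUrl is attacker-controlled input.
        bool isLocal = !string.IsNullOrEmpty(target)
                       && target.StartsWith("/") && !target.StartsWith("//");
        if (!isLocal || target.EndsWith("Login.aspx", StringComparison.OrdinalIgnoreCase))
            target = "~/Default.aspx";

        Response.Redirect(target, true);
    }
}

// Shows the identities compared in the NB above; handy on a diagnostic page.
public static class IdentityInfo
{
    public static string Describe(HttpContext ctx)
    {
        IPrincipal principal = ctx.User;                 // same object as Page.User
        IIdentity id = principal == null ? null : principal.Identity;
        WindowsIdentity processId = WindowsIdentity.GetCurrent();  // token the thread runs under

        string name = id == null ? "(none)" : id.Name;
        string authType = id == null ? "(none)" : id.AuthenticationType; // "Forms", "NTLM", "Negotiate", ...
        bool anonymous = id == null || !id.IsAuthenticated;

        WindowsIdentity win = id as WindowsIdentity;     // null under Forms authentication
        if (win != null)
            anonymous = win.IsAnonymous;

        // "Match" is true only with Windows auth plus impersonate="true".
        bool match = win != null
                     && string.Equals(win.Name, processId.Name, StringComparison.OrdinalIgnoreCase);

        return string.Format(
            "Page.User: {0} [{1}] anonymous={2}\r\nWindowsIdentity.GetCurrent(): {3}\r\nSame identity: {4}",
            name, authType, anonymous, processId.Name, match);
    }
}
```

Under Forms authentication, Describe reports a FormsIdentity for Page.User while WindowsIdentity.GetCurrent() is still ASPNET (or IUSR_MACHINE when impersonating), which is exactly the split shown in the table above; the local-path check on the redirect target is the one hardening step a reviewer would insist on, since GetRedirectUrl echoes whatever ReturnUrl the request carried.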