ASP.Net Security 101 Part 1

Paladine
Re: ASP.Net Security 101 Part 1

  #4  
Jul 25th, 2005
ON REQUEST:

Role Based Security
Windows operating system supports role-based security. A role is basically a defined identity. Usually a role has several identities associated with it. i.e. Your computer at work would more than likely have multiple logins / roles associated with it. An administrator, power-user (maybe you), and guests.

In Windows these identities are known as users.

So to add identities you would do so in the Control Panel --> User Account Section.

Under IIS in Windows 2000 & XP --> Properties of the Web Server --> Directory Security --> The Anonymous Access & Authentication Control there is a means of editing your authentication method. The default anonymous access is the IUSR_MachineName username. One other important part to notice is the Check Box labeled Integrated Windows Authentication. With this set, you are able to implement role-based security.

http://www3.telus.net/public/tmlohnes/Image2.jpg


In the web.config file you will have to set the authentication mode to "Windows". This signals IIS to look to Windows for user accounts.

<!-- the mode value is case-sensitive: "Windows", not "windows" -->
<authentication mode="Windows">
</authentication>


IIS uses three different types of Windows Authentication: Basic, Digest, and NTLM. Basic is the simplest form. You have probably seen this already. You go to a website, and the browser pops up a window asking for a user name and a password. You can see in the above image how to check off the Basic setting for your website, or more appropriately your specific application on that webserver (done at the application directory level, and NOT the website level). Once the credentials are entered then IIS will compare these values to the operating system's list of users, and will authenticate or deny the request based on the comparison result.

Digest is similar, except the Username and password are encrypted before they are sent across the network. This encryption mechanism is known as hashing. *Note: Both Digest and Windows Authentication require that your users are running Internet Explorer (ick!).

With NTLM authentication, the user never sees a prompt for credentials, but rather once the browser makes contact with the server, it sends the encrypted username and password information that the user used to log on to the computer. This is all done invisibly to the user.

This is basically role-based / Windows-user-based security.
Assistant Manager, Regional Pharmacy Information Systems
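The post above sets the authentication mode but stops short of showing how the Windows identity is then used to grant or deny access. The following web.config is an added example, not code from the post or its author: it pairs Windows authentication with an authorization section that refuses anonymous requests and, for one folder, admits only members of a Windows group. The folder name "Admin" and the choice of group are assumptions; ASP.NET treats Windows groups as the roles, written as DOMAIN\Group or BUILTIN\Group.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original post). Assumes an ASP.NET 1.x/2.0
     application on IIS with Integrated Windows Authentication checked, as
     the post describes. -->
<configuration>
  <system.web>
    <!-- Enum value is case-sensitive: "Windows", not "windows". -->
    <authentication mode="Windows" />

    <authorization>
      <!-- "?" means the anonymous user. Denying it forces IIS to supply a
           Windows identity before any page in the application is served;
           if IIS still allows anonymous access, the 401 this produces
           makes the browser fall back to Basic/Digest/NTLM. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Folder name "Admin" is an assumption; tighten it to one Windows group.
       Rules are evaluated top-down, so the allow must precede the deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <!-- "*" means every user, authenticated or not. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same group names are what User.IsInRole() checks in code-behind, so a page inside Admin can additionally verify User.IsInRole(@"BUILTIN\Administrators") before showing sensitive controls.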
©2003 - 2008 DaniWeb® LLC