Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / web / IIS
 

Authentication at the IIS Level

3.38/5 (7 votes)
6 Sep 2011CPOL2 min read 21.4K  
This post talks about the authentication procedure that can be done in IIS.

Introduction

This post basically explains how an authentication can happen at the IIS level.

Background

It all happened when I interviewed a guy with quite a good amount of experience, I then noted that many experienced guys lacked the so called basics. I remember asking him this question; “I would want to authenticate the user as a valid user even before the request hits the page, I don't want to use Forms or Windows authentication”. The answer I got back was terrible – the candidate replied saying the check can be done at either page_load or page_init.

Explanation

In my post http://bloggingbunk.com/2011/07/net-in-depth-understanding-request-life-cycle/, I discussed about 2 main elements:

  1. HttpModule
  2. HttpHandler

For any request, the IIS first calls the HttpModule then the HttpHandler then the Page and then the HttpModule.

In your project, while designing on the asp pages, create a class which will inherit iHttpModule. This class will implement all the methods of HttpModule. Now put your authentication code at BeginRequest. For e.g., say your project stores important data persisted in cookies; send the cookie information alongside of the request. The following figure depicts how your request will fetch the page. The pipe represents the HttpModule and the HttpHandler.

AuthenticationatIIS.jpg

Now, these checks that you see can be a call to the DB or to any authentication system or even to an Access Control Policy routine.

With the HttpModules being handy, we have the leverage to do anything before the request hits the page.

This goes on to say that while the page life cycle is complete-HttpModule can also help us in doing any operation under EndRequest; it can be a check for the response or anything.

You can have more security in place if you can leverage HttpModule’s: BeginRequest, AuthoriseRequest and EndRequest along with HttpHandler’s: ProcessRequest.

Conclusion

Basically to sum it up - this methodology gracefully carries our pipeline pattern. Hope you understood the Authentication at IIS. Please shoot your questions as comments and I will reply.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



Permalink

Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Article Copyright 2011 by s.jdm
Everything else Copyright © CodeProject, 1999-2024

Web01 2.8:2024-10-20:1