Web Development / ASP.NET

Windows Authentication

In this article we will cover Windows Authentication

  • Definitions of few keywords to understand Windows Authentication.
  • What is Windows Authentication.
  • Why Windows Authentication.
  • How Windows Authentication is implemented in ASP.NET Application.
  • Configuring impersonation in an application.

Authentication: Authentication is the process of determining the identity of a user based on the user’s credentials. The user’s credentials are usually in the form of user ID and password, which is checked against any credentials' store such as database. If the credentials provided by the user are valid, then the user is considered an authenticated user.

Authorization: After successful authentication, deciding which resources a user can access based on their identity and checking whether the authenticated user has sufficient rights to access the requested resource is authorization.

Impersonation: Impersonation is a process in which user accesses the resources(Ex:Files,DB…) by using the identity of another user.

Ex: If anonymous(not logged in/not Authenticated) access is enabled for a website in IIS, then IIS runs all the users' requests using the identity of the IUSR_machinename account, which is created by IIS. This is the default option in IIS.

WindowsIdentity: It represents the current Windows User.

Authentication Providers

In ASP.NET authentication is done by both IIS and ASP.NET. ASP.NET implements authentication through authentication providers that contains the code necessary to authenticate the requestor's credentials. There are three types of authentication providers built into ASP.NET. They are:

  1. Windows Authentication Provider.
  2. Forms Authentication Provider.
  3. Passport Authentication Provider.

Windows Authentication Provider: Provides information on how to use Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication to secure ASP.NET applications.

Why Windows Authentication:

  1. Windows authentication is generally used if the users accessing the application belong to same organization.
  2. This authentication method uses Windows accounts for validating users' credentials. This type of authentication is very good for intranet Web sites where we know our users.

How Windows Authentication is Implemented in ASP.NET Application

With this type of authentication, initially IIS performs the authentication through one of its authentication options (e.g., basic, digest, Integrated Windows, or some combination of them). After successful authentication, IIS passes the credentials of the authenticated user to the ASP.NET thread. Selection of appropriate identity for the ASP.NET worker thread is performed by using the process defined under the ASP.NET Impersonation section. Based on the credentials supplied by IIS, windows identity is created by WindowsAuthenticationModule module in ASP.NET. This identity is set as current user identity (setting the security information for the current HTTP request)for the application. This is the default authentication mode in ASP.NET and it is set in web.config file of the application using below code:

  <authentication mode="Windows"/>

Although the Windows Authentication mode sets the value of the current User property to a WindowsIdentity based on the credentials supplied by IIS. The Windows identity supplied to the operating system used for permission checking, such as NTFS file permissions, or for connecting to a database using integrated security is the identity of the ASP.NET process. On Microsoft Windows 2000 and Windows XP Professional, this is the identity of the ASP.NET worker process, which is the local ASPNET account. On Windows Server 2003, this is the identity of the IIS Application Pool that the ASP.NET application is part of. Which is the NETWORK SERVICE account.

We can configure the Windows identity of our ASP.NET application as the Windows identity supplied by IIS by enabling impersonation. Here ASP.NET application impersonates the identity supplied by IIS for all tasks that the Windows operating system authenticates, including file and network access.

Configuring Impersonation in an Application

In machine.config file it is configured as below:

<processModel enable="true" username="machine"
password="AutoGenerate" ....... />

In the above line, "machine" is a special value that causes the ASP.NET worker process to run under the less-privileged account, ASPNET.

IIS always maps a user request to some Windows account; in case of anonymous access, this is IUSR_machinename account or any other account that has been defined to be used with anonymous access; in the case of Windows authentication, this is the account whose credentials are provided by the Web site user.

  • If impersonation is enabled and any specific Windows account has not been listed in the Web.config file for impersonation, then the ASP.NET worker thread runs under the client identity passed to it by IIS.
  • If impersonation is not enabled, then the ASP.NET worker thread runs under the identity of the ASP.NET worker process (which has been defined by using the <processModel> tag in the Web.config file)
  • If impersonation is enabled and a specific Windows account has been listed in the Web.config file for impersonation, then the ASP.NET worker thread runs under the identity generated using that account.

To enable impersonation for our Web application, in the application's Web.config file set the impersonate attribute of the identity element to true, as below:

  <authentication mode="Windows"/>
  <identity impersonate="true"/>

There are three ways of defining impersonation:

  • <identity impersonate="true"/> This means impersonation for the ASP.NET worker thread is enabled.
  • <identity impersonate="true" name="username" password="password"/> This means impersonation for the ASP.NET worker thread is enabled, but the worker thread will run under the identity that will be generated by using the credentials specified by username and password attributes.
  • <identity impersonate="false"/> This means impersonation for the ASP.NET worker thread is not enabled.

Windows Authentication Provider

The authentication and authorization processes in ASP.NET are pretty simple and can be implemented in the code. Any request in ASP.NET is first authenticated and then authorized by IIS.

Forms Authentication

This authentication mode is based on cookies where the user name and the password are stored either in a text file or the database. After a user is authenticated, the user’s credentials are stored in a cookie for use in that session. When the user has not logged in and requests for a page that is insecure, he or she is redirected to the login page of the application. Forms authentication supports both session and persistent cookies. Authentication modes can be specified in the application’s web.config file as shown below:

Listing 1

    <authentication mode="[Windows/Forms/Passport/None]">

The following needs to be specified in the application’s web.config file for using Forms Based Authentication in ASP.NET:

Listing 2

    <authentication mode="Forms"/>
    <forms name="login"loginUrl="login.aspx" />
        <deny users="?"/>

Note: The statement <deny users="?"> in the web.config file as stated in Listing 2 implies that all permissions are granted only to the authenticated users. The users who are not authenticated are not granted any permission. The symbol "?" indicates all Non Authenticated and Anonymous users.

Generally the user’s credentials are stored in the database and the entered credentials are verified using those that are stored in the database. Typically, the user enters the username and the password, clicks the login button and the form validates the values against values from the database. This is shown in the code snippet below:

Listing 3

if (Verify (txtUserName.Text, txtPassword.Text))
  FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False);
  lblMessage.Text = "Invalid login name orpassword specified...";
private Verify(string userName, string password)
      //Usual Code to connect to the DB
      // and verify the user's credentials

The static method RedirectFromLoginPage creates an authentication ticket and is used to redirect an authenticated user back to the originally requested URL or the default URL. The authentication ticket creates a persistent cookie that becomes a part of the HttpResponse object. Later, when the user tries to access a page in a restricted folder, the ASP.NET framework uses the cookie to retrieve the ticket and determine whether the user has access to that particular resource. The first parameter to this method identifies the user while the second is used to specify whether the user’s authentication cookie needs to be persisted across multiple site visits.

The user’s credentials can be also be specified in the web.config file as shown below:

Listing 4

    <authentication mode="Forms">
    <forms loginUrl="login.aspx">
            <user name="Joydip"password="Joydip" />

There are four different kinds of Windows authentication options available that can be configured in IIS:

  • Anonymous Authentication: IIS runs all the users’ requests using the identity of the IUSR_machinename account which is created by IIS. This is an example of Impersonation wherein user accesses the resources by using the identity of the another user. IIS doesn't perform any authentication check. IIS allows any user to access the ASP .NET application.
  • Basic Authentication: For this kind of authentication, a Windows user name and password have to be provided to connect. However, this information is sent over the network in plain text and hence this is an insecure kind of authentication. Basic Authentication is mostly supported by older, non-IE browsers.
  • Digest Authentication: It is same as Basic Authentication but for the fact that the password is hashed before it is sent across the network. However, to be using Digest Authentication, we must use IE 5.0 or above.
  • Integrated Windows Authentication: In this kind of authentication technique, passwords are not sent across the network. The application here uses either the kerberos or challenge/response protocols to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides the tools of authentication and strong cryptography over the network to help to secure information in systems across entire enterprise.

Using impersonation, the ASP.NET engine will operate under the identity IIS passes to it. If anonymous access is allowed in IIS, ASP.NET will run under the IUSR_ComputerName account that IIS uses. If anonymous access is not allowed, ASP.NET will take on the identity of the authenticated user. Impersonation can also be configured so that a single, static user account is used for all requests

All the ASP.NET files such as .aspx, .asmx are mapped to aspnet_isapi.dll that means ASP.NET is an ISAPI server extension DLL.

Since aspnet_isapi.dll is a DLL file, it will be mapped into the address space of the process hosting this DLL which is an IIS process -- inetinfo.exe. inetinfo.exe process runs under the SYSTEM account, and since we have aspnet_isapi.dll running in the IIS address space, it means all the Web site users will be running their requests under this account!

Let me answer this question.

aspnet_isapi.dll runs under the SYSTEM account and It forwards the requests to the ASP.NET application worker process, aspnet_wp.exe. This worker process runs under a less-privileged account called ASPNET. This worker process performs the actual request processing and returns the results back to the aspnet_isapi.dll that returns it to the IIS.

Setting Up the Sample Applications

I have created a project in C# (CSWebservices) that contains some Web Services. This project will be used for the demonstration of different security schemes. There is also a C# Web site (CSWebsite) that has some Web pages for invoking methods on our Web Services.

To install the applications:

  • Extract all the code from attached ZIP file.
  • Create two virtual directories named CSWebservices and CSWebsite, and map the CSWebservices and CSWebsite virtual directories to the CSWebservices and CSWebsite physical directories on your hard drive.

Creating Windows User Accounts

To test Windows security, a valid Windows account is needed. Create a user account called Test on your computer. You can do so by running the Computer Management application from Control Panel -> Administrative Tools -> Computer Management. In the Computer Management application, right click on the Users node under the Local Users and Groups node, select New User... option from the context menu, enter "Test" in the User name text box, enter some password in Password and Confirm password text boxes, uncheck the User must change password at next logon check box, and check the User cannot change password check box. Your screen should look like the following:


Click the Create button. The Test user has been created successfully. Follow the same steps and create another user called Test2.

Security Concepts

So what really is an ASP.NET application? To find the answer to this question, start the Internet Services Manager, right click on the Default Web Site node, select Properties from the context menu, go to the Home Directory tab on the Web site properties dialog box, and click the Configuration... button. It will pop up the following dialog box.


As you can see in the above dialog box, the Web Services files, Web form files, and all of the other .NET file types are mapped to the aspnet_isapi.dll. This signifies that the ASP.NET is an ISAPI server extension DLL.

This is very important point. Since aspnet_isapi.dll is actually a DLL file, it will be mapped into the address space of the process hosting this DLL. This process is an IIS process -- inetinfo.exe!! A user must be thinking that inetinfo.exe runs under the SYSTEM account, and since we have aspnet_isapi.dll running in the IIS address space, it means all the Web site users will be running their requests under this account!

Let me answer this question. Yes, aspnet_isapi.dll runs under the SYSTEM account, but it does not do much in terms of processing Web requests, rather it forwards the requests to the ASP.NET application worker process, aspnet_wp.exe. This worker process performs the actual request processing and returns the results back to the aspnet_isapi.dll that returns it to the IIS.

ASP.NET Worker Process

Aspnet_isapi.dll forwards requests to the ASP.NET worker process. If you have .NET Framework Beta 2 installed on your machine, then the worker process will be running under the SYSTEM account, but since the Release to Manufacturer version (RTM) of .NET, worker process runs under a less-privileged account called ASPNET.

In order to avoid running the Beta 2 ASP.NET process under the SYSTEM account, change the username and password to some other valid Windows account. For example, the

  enable="true" username="MyDomain\Testuser"
  password="userpassword" ...... />

line will cause the ASP.NET worker process to run under the privileges assigned to the MyDomain\Testuser. It is always recommended to use a specific account that has fewer privileges (like the ASPNET account used by the RTM version of .NET) for the ASP.NET worker process. In this way, even if your server gets hacked, the intruder may not be able to harm your server due to the lesser privileges assigned to the account.

If you plan on using a custom Windows account for the worker process, then you must make sure that the account has proper rights on different directories because ASP.NET needs to read and write files to/from different directories. The custom Windows account should have at least:

  • Read rights on application directory
  • Read rights on %installroot% hierarchy to make it possible to access the system assemblies
  • Read/Write rights on the %installroot%\ASP.NET Temporary Files directory
  • Read/Write rights on the %temp% directory

ASP.NET Impersonation

We can secure a Web Service by using one of the following Windows authentication schemes:

  • Integrated Windows authentication
  • Basic and basic with SSL authentication
  • Digest authentication
  • Client Certificate authentication

Integrated Windows Authentication

Integrated Windows authentication is a secure way of passing a user's credentials on wire. It can use either NT LAN Manager (NTLM) or Kerberos authentication. This is the best scheme that can be used for intranet environments using Windows, but this scheme cannot be used for Internet because it works only with Windows clients.

In order to set up Integrated Windows authentication for our Web Services, we have to specifically tell IIS to use Integrated Windows authentication. We can do this by using the Internet Services Manager application. Run this application from Control Panel -> Administrative Tools -> Internet Services Manager; in the left-hand pane, select the CSWebservices node under the Default Web Site node; in the right-hand pane, right click on the IWAWebservice.asmx Web Service, select Properties from the context menu and go to the File Security tab. Following is the File Security tab:


Click Edit button in Anonymous access and authentication control group box and it will popup the following dialog box:


By default, Anonymous access is checked. This means IIS will not stop anyone from accessing our Web Service; in fact no authentication will be performed at all. The only entity that might stop a user from accessing this Web Service is the NT File System (NTFS) permissions. NTFS is a file system that has security capabilities built into it. NTFS always checks the security credentials of the identity that is trying to access the file. If NTFS permissions require some authentication, then IIS will challenge the user for credentials.

We don't want this. Therefore, uncheck the Anonymous access check box and leave the Integrated Windows authentication box checked.

Apart from that, change the <authentication> tag in the Web.config file and set the mode attribute to "Windows"; similarly set the impersonate attribute of the <identity> tag to "true". Following is the snippet from the updated Web.config file:

    <authentication mode="Windows"/>
    <identity impersonate="true"/>

This secures our Web Service with Integrated Windows authentication. In order to test whether our Web Service has been set up, browse the IWAWebservice.asmx file from a browser. You might need to browse the Web Service from a computer that is not part of your domain. Why? Because if you browse it from a computer on which someone has already logged into the domain, the browser will transparently pass your logged-in user's credentials in response to the server challenge, and no password dialog box will be shown.

Browsing the IWAWebservice.asmx file from a computer that is not connected to your domain causes the following dialog to pop up.


This shows that our Web Service will only be accessible if you provide valid Windows account credentials.

Similarly, if we don't pass valid credentials and try to access the Web Service in the btnTestIWA_Click handler in the testws.aspx page, then it will generate the following error.


Following is the code that generates the error because we are not passing credentials with our method invocation request:

  objws = 
  CSWebservices.IWAWebservice() ;
  objIdentity ;
  = objws.GetMyIdentity() ;

In order to access a Web Service that has been protected by some authentication mechanism, we use the NetworkCredential object to pass those credentials. Following is the complete code from the testws.aspx page, which accesses the IWAWebservice.asmx Web Service by passing the valid credentials of the test user that we created for testing purposes:

private void btnTestIWA_Click(object sender, System.EventArgs e)
	// Create Web Service object.
CSWebservices.IWAWebservice objws = 
new CSWebservices.IWAWebservice() ;

	// Create credentials object.	
NetworkCredential objCredential = 
new NetworkCredential("Test", "test", "yourdomain") ;

// Let Web Service know about your credentials.
objws.Credentials = objCredential ;
	// Call method on Web Service.
CSWebservices.MyIdentity objIdentity ;
	objIdentity = objws.GetMyIdentity() ;

So after updating the code in btnTestIWA_Click handler, if we browse to testws.aspx page and click on the Test Integrated Windows Authentication button, we should see a page similar to the following.


Basic and Basic with SSL Authentication

The problem with Integrated Windows authentication is it uses the NTLM/Kerberos protocol for authentication purposes. For users to have one of these protocols, they must be Windows clients. (For example, Unix clients do not understand NTLM.) Some of our Web Service clients may not be aware of this protocol and will not be able to access our Web Service! We are limiting our clients. One way to circumvent this problem is to use basic authentication.

The basic authentication mechanism is different from Integrated Windows authentication because it does not require clients to compute hash for the authentication purposes.

Basically during the Integrated Windows authentication process, the client machine computes a hash value by encrypting the user's credentials and sends it to the server. Instead, in basic authentication, the user is prompted for a username and password. This information is then transmitted to the server, but first it is encoded using base64 encoding. Most of the browsers, proxy servers, and Web servers support this method, but it is not secure. Anyone who knows how to decode a base64 string can decode users' credentials.

Basic authentication itself is not secure, but if we use it with the secure hypertext transfer protocol (HTTPS), which encrypts all communication between the client and server, it becomes quite useful. The beauty of this option is we can easily use it on the Internet without facing any problem from proxy servers, Web servers, etc. We can enable basic authentication by using the Authentication Methods dialog box. Now we will enable basic authentication for the BAWebservice.asmx Web Service. Open the Authentication Methods dialog box for the BAWebservice.asmx Web Service, uncheck the Anonymous access and Integrated Windows authentication check boxes, and check the Basic authentication (password is sent in clear text) check box. The dialog should look like the following.


Click OK. We had already enabled Windows authentication in the Web.config file, therefore we don't have to do anything more. We have successfully enabled basic authentication for our Web Service.

Now if we try to access the BAWebservice.asmx file from a browser, the following dialog box will be displayed.


We are not using Integrated Windows authentication, therefore this dialog box will be shown even on a machine logged into the domain.

Code for accessing the BAWebservice.asmx Web Service is the same as the code used for IWAWebservice.asmx. The following page will be displayed after clicking the Test Basic Authentication button on the testws.aspx page:


Digest Authentication

Digest authentication is a new type of authentication that is available on Windows 2000 domains, and only IE5 or later clients can use it. In this type of authentication, user's credentials are not sent on the wire in the form of text, rather credentials are encrypted using a hashing mechanism called Message Digest 5 (MD5). This is a good option for Internet Web Services, but the client and server requirements limit its adoptability. On the server side, you will need the Windows 2000 domain to have all the user accounts stored in the Active Directory; on the client side, you have to have either the .NET platform or IE 5.0 or later.

  • Forms Authentication: With forms authentication, custom logic can be built into an ASP.NET application. The following happens when forms authentication is used in an ASP.NET application:
    • When a user requests a page for the application, ASP.NET checks for the presence of a special session cookie.
    • If the cookie is present, ASP.NET assumes the user is authenticated and processes the request.
    • If the cookie isn’t present, ASP.NET redirects the user to a web form where the custom logic has been built into the code. The authentication checks can be incorporated into the web form, and when the user is authenticated ASP.NET needs to be informed of the same by setting a property. Once this is done, ASP.NET creates the special cookie to handle any subsequent requests.

