Authenticate users based on Active Directory

Buckus

I am building an asp 2.0 .net internal-only website for a client. Some of the users will be administrators to the site, but most will not. Instead of having the administrators have yet another login/password, I would like to be able to authenticate them against their Active Directory login that they are already logged into their computer with. Again, they will only access the website from inside the network. If anyone has done this kind of thing before, would you mind sharing some pointers on how to do it?

Thanks!
 
Well I am guessing you can set the site in IIS to use Windows Integrated Authentication, disable anonymous access, and restrict IP access to the local LAN.

With anonymous access disabled it will require a username and password to connect to the site, and if you use Windows Integrated then it should check the username and password against AD, and if you set up IP restrictions then you can make darn sure that only local LAN IPs are accessing the site.

Of course depending on the intended use for the site this might need to be changed a bit.
 
Set up the IIS site as normal, with Anonymous unchecked and Integrated Authentication checked.

Set your Web.Config file to use the following lines:
Code:
<system.web>
	<authentication mode="Windows"></authentication>
	<authorization>
		<deny users="?"/>
	</authorization>
	<identity impersonate="true"/>

(...remainder of normal Web.Config)

In your application code, check the Page.User.Identity.Name property to get the current logged in user. If you need to check AD group assignments, then MSDN and Google are your friends on this as you'll want to customize what they have to fit your needs.

One thing I learned from a recent app I made for a similar situation:
Make sure the web server is listed in AD in the "Computers" group.
I troubleshot an AD auth problem for over a day, until the network admin gave me rights to see the AD controller and I saw that the one box they gave me for QA testing was not in the "Computers" AD group, nor was the QA box given delegation rights against the AD controller. I'm still giving crap to the guy that built the box and assigned its AD group to this very day :rolleyes:


and if you set up IP restrictions then you can make darn sure that only local LAN IPs are accessing the site.
Isn't this out of scope for this app? Granted, they're good concepts to emphasize, but let AD, VPN/dial-in policy, and external devices (firewalls, etc.) manage the responsibility of who can access the local intranet. This includes proper internal and public DNS management.

HTH !!!
 
Thanks for the advice, PTNL, that actually looks pretty good and all I'll need is the user's name and that will check against a database of employees. The database will also indicate whether a user is an admin or not.

From what you're describing, it looks like once the user hits the home page, I can pull their logon information and check if they're already in the employee database and add them automatically if not.
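The following code-behind is an added example (not code from anyone in this thread) that ties together PTNL's suggestion of reading Page.User.Identity.Name and checking AD groups with Buckus's plan of looking the user up in an employee table and adding them automatically. It assumes the Web.Config above (Windows authentication, anonymous denied), a connection string named "EmployeeDb", an Employees table with LogonName and IsAdmin columns, and a domain group CORP\IntranetAdmins; all of those names are assumptions.

```csharp
// Default.aspx.cs - added example, not from the original thread.
// Assumes Web.Config has <authentication mode="Windows"/> and <deny users="?"/>
// and IIS has anonymous access disabled, so IIS has already validated the
// caller's Windows credentials before this code runs.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.UI;

public partial class _Default : Page
{
    // Hypothetical names: connection string key, table and group are assumptions.
    private const string ConnStringName = "EmployeeDb";
    private const string AdminGroup = @"CORP\IntranetAdmins";

    protected void Page_Load(object sender, EventArgs e)
    {
        // With Windows auth the principal is a WindowsPrincipal built from the
        // caller's token. Fail closed if that is not the case (misconfigured
        // server, anonymous re-enabled by mistake) instead of trusting a name.
        WindowsPrincipal winUser = Context.User as WindowsPrincipal;
        if (winUser == null || !winUser.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Identity.Name is "DOMAIN\sAMAccountName". Store it whole so the same
        // account name in two domains cannot collide in the employee table.
        string logonName = winUser.Identity.Name;

        // PTNL's route: group membership comes from the token; no LDAP query
        // and no extra password handling is needed.
        bool adminByGroup = winUser.IsInRole(AdminGroup);

        // Buckus's route: the application database decides who is an admin.
        bool adminByDb = LookupOrAddEmployee(logonName);

        lblUser.Text = Server.HtmlEncode(logonName);   // encode before rendering
        pnlAdmin.Visible = adminByGroup || adminByDb;
    }

    // Returns the IsAdmin flag for logonName, inserting a non-admin row on
    // first sight. Admin rights are never granted by auto-provisioning; only
    // an existing admin (or the AD group) can grant them.
    private static bool LookupOrAddEmployee(string logonName)
    {
        // Note: with <identity impersonate="true"/> and Integrated Security in
        // the connection string, the SQL connection is opened as the browser
        // user, which needs Kerberos delegation (the problem PTNL hit). A SQL
        // login or a dedicated service account avoids that double hop.
        string cs = ConfigurationManager.ConnectionStrings[ConnStringName].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        {
            conn.Open();

            // Parameterized even though the value came from the token, not the
            // browser: never concatenate identity strings into SQL.
            using (SqlCommand sel = new SqlCommand(
                "SELECT IsAdmin FROM Employees WHERE LogonName = @name", conn))
            {
                sel.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = logonName;
                object result = sel.ExecuteScalar();
                if (result != null && result != DBNull.Value)
                    return Convert.ToBoolean(result);
            }

            // Unknown user: add as a plain employee. A UNIQUE constraint on
            // LogonName keeps two simultaneous first visits from double-inserting.
            using (SqlCommand ins = new SqlCommand(
                "INSERT INTO Employees (LogonName, IsAdmin) VALUES (@name, 0)", conn))
            {
                ins.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = logonName;
                ins.ExecuteNonQuery();
            }
            return false;
        }
    }
}
```

The page only ever sees a name that IIS has already authenticated, so the trust boundary is the IIS authentication setting, not the code: if anonymous access is turned back on, Context.User stops being a WindowsPrincipal and the check above returns 401 rather than silently provisioning an anonymous row.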
 