Quick Reference : ASP.NET and Windows Authentication

  • Article

Authentication is a process by which the system validates a user's logon or sign-in information. A user's name and password are verified and if found correct , access is granted . Windows Authentication is a very complex topic and this post will help you learn a quick overview of windows authentication with Asp.net .

Windows authentication (formerly named NTLM) is a secure form of authentication used in intranet environment to authenticate windows users against Microsoft Active Directory. Now  windows users(also called as NT users) are any user created by administrators such as mydomain/bob, euro/Alice for login into your machine.Think fo Active Directory is a place where all the users,passowords etc are stored and this is setup again by Administrators.

Say you are a developer of an application which should be used over intranet by all the people in your company .In this case ,  Windows authentication can be used to authenticate your company's internal users aka Domain users  to your  asp.net application .So the flow will be like

(1) Domain user(e.g. mydomain/username)  =>(2) ActiveDirectory (e.g. MyDomain)=>   (3)ASP.NET website

  1. any domain user or a local user e.g. mydomain/rohith ,machinename/Bob
  2. this step happens transparently without you doing any configuration or code as a developer
  3. Configure windows authentication in your asp.net/website.

To configure windows authentication, you can refer this article on windows authentication or this .Or with Asp.net specific refer this KB article

Windows authentication supports two authentication protocols, Kerberos and NTLM .But in Configuration you will see 3 setttings Negotiate, Kerberos, and NTLM .Negotiate, is a wrapper for Kerberos  and NTLM, allows the client application to fallback to NTLM if Kerberos is not supported. When you install and enable Windows authentication on IIS 7+ , the default setting is Negotiate.

Windows authentication(You can choose NTLM or Keberos in the IIS settings) can be used under following circumstances :

  • Client computers and Web servers are in the same domain.
    • There is no firewall or proxy in between and this is best case scenario where your users will  be able to authenticate using the same login they used to access their machines.
  • Users are required to access the application over internet
    • you can make windows authentication work over internet over NTLM but this is not recommended  .
    • Kerberos requires that the client have a direct connection to Active Directory, which is generally not the case in Internet scenarios

References :

https://technet.microsoft.com/en-us/library/cc732841(v=ws.11).aspx /en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/ https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication?showTreeNavigation=true