ASP.NET 2.0 Intranet - Forms Authentication to AD, Roles in AD
- J.D. Meier, Alex Mackman, and Prashant Bansode
- ASP.NET 2.0
- SQL Server 2000
- Windows Server 2003
In this scenario, an intranet ASP.NET application accesses a back-end SQL Server database. The application is used by corporate employees who have accounts within Active Directory.
- User accounts are in the corporate Active Directory.
- Active Directory groups are used by the application for role-based authorization.
- The application provides sensitive, per-user data.
- Only authenticated clients should access the application.
- The ASP.NET Web application is running on Windows Server 2003.
- The Web application uses a trusted subsystem model and executes calls to the database on behalf of the original callers.
- The S4U extension is enabled, so that a Windows token can be created for a user authenticated by Forms authentication and used to check Windows group membership for authorization. S4U is available by default on Windows Server 2003.
- If your application is running on Windows 2000, you need to call LogonUser to create the Windows token. To call LogonUser, your Web application's process identity must be granted the "Act as part of the operating system" user right, so this approach should be avoided where possible.
- A dedicated application pool is used and configured to run under a custom domain service account with access to the database.
- The application's virtual directory is configured in IIS for anonymous access.
- The application's virtual directory is configured for SSL.
- ASP.NET is configured for Forms authentication (<authentication mode="Forms"/>).
- A connection string (an LDAP query string) is configured to point to the user container in AD.
- ActiveDirectoryMembershipProvider is configured for use with the membership feature for Forms authentication. Make sure the credentials you supply in the connectionUsername and connectionPassword attributes have appropriate permissions to access Active Directory.
- The ActiveDirectoryMembershipProvider interacts with Active Directory for validating the user credentials. This saves writing custom code for user management and user validation and it also automatically creates and manages the authentication ticket for you.
- Set the defaultProvider attribute for the membership element to the configured ActiveDirectoryMembershipProvider.
- If you have role segmentation in your application, use URL authorization. For example, you might have pages that only members of the "Sales" role should be able to access and others that only members of "HR" should be able to access.
- Encrypt the connection string section for protecting the connection string and user credentials.
- The Windows identity (containing a Windows token) created by using the S4U extension is assigned to the current HttpContext on the OnAuthenticate event.
- Role checks are performed by using the Windows identity token to check Active Directory group membership.
- The database connection string includes Integrated Security=SSPI or Trusted_Connection=Yes for Windows authentication.
- The database connection string is held in the <connectionStrings> section of the application's Web.config. This can be encrypted by using a protected configuration provider (DPAPI on a single machine, RSA in a Web farm). The tradeoff is added deployment complexity versus keeping the database name and location secret.
- SQL Server configured for Windows authentication
- A SQL Server login is created for the application's application pool identity.
Authorization
- The login is mapped to a database user for the Web application.
- The database user is placed in a database role for the Web application.
- Database permissions are granted to the database role. Ideally, the role only grants execute permissions on the necessary stored procedures.
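The following Web.config fragment is an added example (not part of the original scenario text) that puts the URL authorization and connection string points above into one place: anonymous users are denied everywhere, per-folder rules restrict the "Sales" and "HR" areas to the matching Active Directory groups (exposed by AspNetWindowsTokenRoleProvider as DOMAIN\Group names), and the database connection uses Windows authentication so no password is stored. The domain name TESTDOMAIN, the folder names, and the server and database names are assumptions.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed example: server and database names are assumptions.
         Integrated Security=SSPI means the application pool identity
         authenticates to SQL Server; no password is stored here.
         Encrypt this section with a protected configuration provider
         (aspnet_regiis -pe "connectionStrings") before deployment. -->
    <add name="AppDb"
         connectionString="Data Source=sqlserver01;Initial Catalog=IntranetApp;Integrated Security=SSPI" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL keeps the Forms ticket cookie off plain HTTP -->
      <forms loginUrl="Login.aspx" requireSSL="true" protection="All" />
    </authentication>

    <!-- Deny anonymous users (?) to the whole application. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The login page must stay reachable by anonymous users. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role segmentation: only members of the AD group may enter each area.
       Role names are DOMAIN\Group because the role provider reads the
       Windows token built from the Forms-authenticated user. -->
  <location path="Sales">
    <system.web>
      <authorization>
        <allow roles="TESTDOMAIN\Sales" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="HR">
    <system.web>
      <authorization>
        <allow roles="TESTDOMAIN\HR" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Order matters inside each <authorization> element: rules are evaluated top to bottom and the first match wins, so the <allow roles> entry must precede the <deny users="*"> entry, otherwise everyone is denied.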
Browser to Web Server
- SSL is used between browser and Web server to protect sensitive data on the wire.
Web App to Database
- If you're not in a secure data center, then IPSec or SSL can be used between the Web server and database server to protect sensitive data on the wire. Choose IPSec to encrypt all traffic between servers or SSL to encrypt per application or service.
- Membership Provider
<connectionStrings>
  <add name="ADConnectionString"
       connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<membership defaultProvider="MyADMembershipProvider">
  <providers>
    <add name="MyADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         connectionUsername="testdomain\administrator"
         connectionPassword="password" />
  </providers>
</membership>
Make sure to set the defaultProvider attribute value to MyADMembershipProvider, because the machine-level default must be overridden. The machine-level default points to the SqlMembershipProvider type, using the local SQL Express instance. If you do not override this attribute, ASP.NET uses that default provider instead of Active Directory.
- Role Manager
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
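The Global.asax code below is an added example (not code from the original scenario) showing how the S4U token described above is created and attached to the request so that AspNetWindowsTokenRoleProvider, URL authorization, and User.IsInRole all see Active Directory group membership. It assumes the configuration shown on this page: ActiveDirectoryMembershipProvider puts the user principal name (UPN) into the Forms ticket, and the server is Windows Server 2003 in the domain so the WindowsIdentity(string) constructor can obtain an identification-level token without the user's password. The Application_PostAuthenticateRequest event is my choice of hook for what the text calls the OnAuthenticate event; the group name TESTDOMAIN\Sales is an assumption.

```csharp
<%@ Application Language="C#" %>
<%@ Import Namespace="System.Security" %>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Web.Security" %>

<script runat="server">
    // Runs after the Forms authentication module has validated the ticket
    // and set a GenericPrincipal whose Identity.Name is the UPN
    // (for example user@testdomain.test.com) that the
    // ActiveDirectoryMembershipProvider validated at login.
    void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            // Anonymous request: leave it to URL authorization to deny.
            return;
        }

        // Already replaced on this request (for example by another module)?
        if (Context.User.Identity is WindowsIdentity)
        {
            return;
        }

        string upn = Context.User.Identity.Name;

        try
        {
            // S4U (Service-for-User): the UPN constructor asks the domain
            // controller for a token on behalf of this user without needing
            // the user's password. On Windows Server 2003 the process
            // identity needs no special user right for this; the token is
            // identification level, which is enough for group checks but
            // not for accessing resources as the user (the trusted
            // subsystem model uses the application pool identity for that).
            WindowsIdentity winIdentity = new WindowsIdentity(upn);

            // Replace the Forms principal with a WindowsPrincipal so that
            // User.IsInRole and <authorization allow roles="DOMAIN\Group">
            // are evaluated against the token's group SIDs.
            Context.User = new WindowsPrincipal(winIdentity);
        }
        catch (SecurityException)
        {
            // The account could not be resolved (for example the user was
            // deleted or disabled after the ticket was issued). Fail closed:
            // drop the ticket and send the user back to the login page.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
        catch (UnauthorizedAccessException)
        {
            // The process identity is not allowed to obtain the token
            // (typical symptom of running outside the domain or on an
            // older OS without S4U). Fail closed rather than continuing
            // with a principal that has no group information.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }

    // Helper for page code-behind: returns true only when the caller's
    // Windows token carries the given Active Directory group, for example
    // IsInAdGroup(@"TESTDOMAIN\Sales"). Returns false if the principal was
    // never upgraded, so a misconfiguration denies rather than allows.
    public static bool IsInAdGroup(string domainGroup)
    {
        WindowsPrincipal wp = HttpContext.Current.User as WindowsPrincipal;
        return wp != null && wp.IsInRole(domainGroup);
    }
</script>
```

Because the principal is rebuilt on every request from the current token, group changes in Active Directory take effect on the user's next request rather than being frozen into the Forms ticket, which is the reason for doing this per request instead of once at login.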