ASP.NET 2.0 Intranet - Windows Authentication, Roles in AD

From Guidance Share

- J.D. Meier, Alex Mackman, and Prashant Bansode

Applies To

  • ASP.NET 2.0
  • SQL Server 2000
  • Windows Server 2003


In this scenario, an intranet ASP.NET application accesses a back-end SQL Server database. The application is used by corporate employees who have accounts within Active Directory.

Key Characteristics

  • User accounts are in the corporate Active Directory.
  • Active Directory groups are used by the application for role-based authorization.
  • Clients have browsers that support Windows authentication.
  • The database trusts the Web application.
  • The Web application's application pool identity is used to access the database with Windows authentication.


The Web application uses a trusted subsystem model and executes calls to the database on behalf of the original callers.

Web Server


  • A dedicated application pool is used and configured to run under a custom domain service account with access to the database.
  • The application's virtual directory is configured in IIS for Windows authentication. Anonymous access is disabled.


Authentication:

  • ASP.NET is configured for Windows authentication: <authentication mode="Windows"/>

Authorization:

  • If you want to use Role Manager APIs for role-based authorization against Windows groups, configure the application to use WindowsTokenRoleProvider.
  • The solution can use the WindowsTokenRoleProvider configuration available in the machine-level Web.config file. You just need to set the defaultProvider property to AspNetWindowsTokenRoleProvider.
  • Role checks (the user's Windows group membership) are performed by using Role Manager APIs with the WindowsTokenRoleProvider.
  • If your application segments functionality by role, use URL authorization. For example, you might have pages that only members of the "Sales" role should be able to access and others that only members of "HR" should be able to access.

Configuration:

  • The database connection string includes Integrated Security=SSPI or Trusted_Connection=Yes for Windows authentication.
  • The database connection string is held in the <connectionStrings> section of the application's Web.config. This can be encrypted by using a protected configuration provider (DPAPI on a single machine, RSA if in a Web farm). The tradeoff is added deployment complexity versus keeping the database name and location secret.

Database Server

  • SQL Server is configured for Windows authentication
  • A SQL Server login is created for the application's application pool identity.
  • The login is mapped to a database user for the Web application.
  • The database user is placed in a database role.
  • Database permissions are granted to the database role. Ideally, the role grants only execute permissions on the necessary stored procedures.

Secure Communication

  • SSL is used between browser and Web server to protect sensitive data on the wire.
  • If not in a secure data center, IPSec or SSL can be used between Web server and database server to protect sensitive data on the wire. Choose between IPSec to encrypt all traffic between servers or SSL to encrypt per application or service.


  • ASP.NET Authentication
<authentication mode="Windows" />
  • Role Manager
<roleManager enabled="true" 
            defaultProvider="AspNetWindowsTokenRoleProvider" />
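
The "Sales" and "HR" role segmentation described under Web Server can be enforced with URL authorization as shown here. This is an added example, not part of the original guidance; the CONTOSO domain, the Sales and HR folder paths and the group names are assumptions.

```xml
<!-- Added example. CONTOSO, the Sales and HR folders and the group
     names are assumed for illustration. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <roleManager enabled="true"
                 defaultProvider="AspNetWindowsTokenRoleProvider" />
    <!-- Site-wide rule: reject unauthenticated requests ("?" = anonymous). -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Pages under ~/Sales: members of the AD group CONTOSO\Sales only.
       With the Windows token provider, a role name is DOMAIN\GroupName. -->
  <location path="Sales">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\Sales" />
        <!-- Rules are evaluated top-down and the first match wins.
             Without this deny, authenticated non-members fall through
             to the inherited <allow users="*" /> default and get in. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Pages under ~/HR: members of the AD group CONTOSO\HR only. -->
  <location path="HR">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\HR" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the rules, browse to a page under each folder as a user who is in neither group; the expected result is an access-denied (401) response rather than the page.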