Please note:

I understand this is a somewhat vague question. Therefore your patience is very much appreciated.

Requesting:

An abstract high level idea of where to begin as I am totally clueless at this point.

Background:

I am setting up an intranet site (ASP .NET) where users from our local user group (who are also added in our user table) will have access to web applications they are given access to. Right now I am developing from my PC and using SQL Server 2005 Express as the database, but the final site will be hosted on an application server with IIS 6.0 and the database on an instance of SQL Server 2005. I am a .NET newbie and it's a daunting task, but the experience is worth a million dollars.

Details:

We are using Windows Authentication for our intranet site. Therefore I am not using ASP .NET's membership data sources. Rather all the user information will be stored in two tables tblEmployee (all employees in my company) and tblUser (all users of the intranet site).

tblEmployee has fields - EmployeeID, FirstName, LastName, CostCentre, Role, ManagerName, UserID

tblUser has fields - EmployeeID, UserID, ApplicationID, AccessLevel, AddedBy, DateAdded

(I have set up these tables and I can change them any time).

What I need to accomplish - When a user goes to the intranet site, I can get his/her domain username. I need to check if this user exists in tblUser (domain username is same as UserID in tblUser). If user exists, we display all the applications he/she has access to, else display a "no access" page.

Specific questions:

  1. What are some of the things I need to "learn"? (as I said before, I am a .NET newbie, but a fast learner too)

  2. I need to use URLAuthorizationModule for validating a page request. How do I hide the username from the URL? I was thinking along the lines of using a session ID... but then how do I know who the user is? I am sure there is a way to encrypt the UserID, just can't find it.

Thanks for any feedback. Even the smallest tip will help me a lot.

+1  A: 

You don't need any tables nor any single line of code. For an intranet site, the best option is to use HTTP Negotiate authentication and use the Active Directory group membership for authorization:

  • Create a domain security group for the users that have access to the site
  • Add the authorized users to this group
  • On your IIS server, add the UrlAuthorizationModule to IIS (from add/remove program features)
  • A new icon "Authorization Rules" will appear on your site enabling you to configure security for your site
  • Modify the site security to allow only members of the group you created earlier to view your site
  • Enjoy

This is a perfect setting when the site pages never care about the identity of the user connected, but the site overall has to be restricted to a set of trusted/authorized users. IIS will take care of authentication and authorization and you can configure the 403 page response for users not authorized. The whole authentication process happens at the HTTP level, there is no 'user' to 'encrypt' in URL or anything of that sort. The IIS will challenge the browser with an SPNEGO authentication challenge and all browsers know how to handle that, responding with a negotiation that authenticates the currently logged-in user on the workstation that browses the site (aka. Integrated Authentication). See Configuring URL Authorization Rules in IIS 7 for details.

You can stop reading here if you don't need to be confused.

If you care to learn all the details, then note that this is not the same as the ASP.Net URL Authorization module, to which you'll find plenty of references all over, which you configure from the .config file(s). See Differences Between ASP.NET URL Authorization and IIS 7.0 URL Authorization.

If your code actually needs the identity of the caller (eg. for audit purposes) then you must add a managed module that passes the authentication information into your appdomain. This module is the UrlAuthorization managed module. Note that, for a perfect 1-2 punch of confusion, the module is named UrlAuthorization but it's implemented in the managed module named UrlAuthorizationModule, which is not the same as the true IIS native UrlAuthorizationModule module...

If you need to impersonate the caller then things will get more complex, as you'll have to configure trusted delegation. For this you configure ASP.Net Impersonation and then you enable constrained delegation to be able to reach the SQL Server from your ASP.Net app pool, see How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 (IIS 7.0 is similar).

And finally there is the issue whether you want your application code to behave differently based on the identity of the caller (ie. show admin options) and for that probably the best option is to use a role membership provider integrated with Active Directory like WindowsTokenRoleProvider.

Remus Rusanu
Hello Remus, thank you so much for such an elaborate answer. In our case, the content of pages will change depending on who the user is. I must apologize for not making that explicit. But luckily you have given some idea on how to handle that scenario (role membership provider). I will do some research on that and post back my design idea. Thanks again.
KalC
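An added example web.config for the setup the answer describes and the follow-up comment asks about (Windows authentication, ASP.NET 2.0 URL authorization driven by Active Directory groups, and WindowsTokenRoleProvider so page content can vary by role). This is example configuration written for this page, not configuration from the question or the answer; the domain CORP and the groups IntranetUsers and IntranetAdmins are assumed placeholder names.

```xml
<?xml version="1.0"?>
<!-- Added example web.config for the intranet site discussed above (not the asker's or
     answerer's own configuration). The domain "CORP" and the groups CORP\IntranetUsers
     and CORP\IntranetAdmins are assumed placeholders. -->
<configuration>
  <system.web>
    <!-- IIS authenticates the browser (Negotiate/Kerberos or NTLM). No username ever
         travels in the URL; it arrives in the HTTP authentication exchange. -->
    <authentication mode="Windows" />

    <!-- Leave impersonation off unless constrained delegation to SQL Server is set up;
         the app pool identity talks to the database instead. -->
    <identity impersonate="false" />

    <!-- Map Active Directory group membership onto ASP.NET roles, so code-behind can
         call User.IsInRole(@"CORP\IntranetAdmins") to show or hide admin options. -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <clear />
        <add name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             applicationName="/" />
      </providers>
    </roleManager>

    <!-- Weak setting (do NOT use): every authenticated domain account gets in.
         <authorization><allow users="*" /></authorization> -->

    <!-- Corrected: only the intranet group is allowed; everyone else gets 401/403.
         Rules are evaluated top to bottom, first match wins, so deny-all goes last. -->
    <authorization>
      <deny users="?" />
      <allow roles="CORP\IntranetUsers" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Tighter rule for the admin pages only (assumed folder name "Admin"). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\IntranetAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

In the IIS 6 console, enable Integrated Windows Authentication and disable Anonymous access for the site, otherwise `User.Identity.Name` is empty. On IIS 6 these ASP.NET rules only guard requests handled by ASP.NET (.aspx and similar), not static files, unless a wildcard script mapping is configured.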