Authentication and Authorization in ASP.NET Framework

Authentication is the process of establishing who a user is, typically by verifying a user ID/password combination (or another credential, such as a Kerberos ticket) against a trusted store.

Authorization is the separate process of deciding whether that authenticated (or anonymous) user holds sufficient privileges to access the requested resource. Authentication answers "who are you?"; authorization answers "are you allowed to do this?"; a page that does only the first has done nothing to protect the resource.

There are several classes that we need to examine in the context of authentication and authorization.

WindowsIdentity Class - The System.Security.Principal.WindowsIdentity class represents a Windows user account, backed by a Windows access token. The most widely used static methods are:

  • GetAnonymous – returns a WindowsIdentity that represents an anonymous user: it has no token and no credentials, and its IsAuthenticated property is false.
  • GetCurrent – returns the identity of the Windows account the current thread is running as. If the thread is impersonating, that is the impersonated user; otherwise it is the process account. In ASP.NET under IIS this is the application pool identity unless impersonation is enabled; the authenticated browser user is in HttpContext.Current.User, not here.
  • Impersonate – switches the current thread to run under this identity's token and returns a WindowsImpersonationContext that reverts the switch. Only available in .NET Framework; from .NET Framework 4.6 onward (and in .NET Core and later) use WindowsIdentity.RunImpersonated instead.
WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();

Once we have assigned the variable, we can examine its properties, which are:

AuthenticationType - the name of the authentication package that produced the token, typically "NTLM" or "Kerberos" for Windows authentication.

IsAnonymous – true if this is the anonymous identity returned by GetAnonymous.

IsAuthenticated – true if Windows actually authenticated the account; false for the anonymous identity. Check this before trusting Name.

IsGuest – true if the account is the built-in Guest account.

IsSystem – true if the account is the LocalSystem account.

Name – the account name in DOMAIN\user form. For a local account the machine name takes the place of the domain (MACHINE\user).

Token – an IntPtr handle to the user's Windows access token, the kernel object that carries the user SID, group SIDs and privileges. Treat it as a credential: never log it or hand it to untrusted code.

To find out information about the current user such as name, SID (security identifier) and group membership, three classes work together. WindowsIdentity supplies the current user and, through its User property, the user's SID as a SecurityIdentifier. NTAccount represents an account by name (DOMAIN\user) and SecurityIdentifier represents it by SID; each one's Translate method converts to the other by asking the local machine or the domain controller to resolve it. Note that NTAccount does not authenticate anything: it only resolves names to SIDs, and a name that no longer exists raises IdentityNotMappedException.
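The following program is an added example (not code from the original article) that ties the three classes together: it reads the current identity, converts its name to a SID and back, resolves a well-known SID, and lists the groups in the token. It assumes a .NET Framework console application running on Windows; no account names are hard-coded.

```csharp
using System;
using System.Security.Principal;

class IdentityInfo
{
    static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();

        Console.WriteLine("Name:          " + me.Name);
        Console.WriteLine("Auth type:     " + me.AuthenticationType);
        Console.WriteLine("Authenticated: " + me.IsAuthenticated);
        Console.WriteLine("SID:           " + me.User);   // User is a SecurityIdentifier

        // Name -> SID. NTAccount only holds the name; Translate asks the OS to resolve it.
        NTAccount account = new NTAccount(me.Name);
        SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
        Console.WriteLine("Resolved SID:  " + sid.Value);

        // SID -> Name (the reverse lookup).
        NTAccount back = (NTAccount)sid.Translate(typeof(NTAccount));
        Console.WriteLine("Resolved name: " + back.Value);

        // Well-known SIDs are stable across machines and languages; the display name is not.
        // Compare SIDs, not names, when making access decisions.
        SecurityIdentifier admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        Console.WriteLine("Administrators group is " + admins.Value + " = " + admins.Translate(typeof(NTAccount)));

        // Every group SID carried in the token. A SID that no longer maps to an account
        // (deleted group, orphaned domain SID) throws IdentityNotMappedException on Translate.
        Console.WriteLine("Groups in token:");
        foreach (IdentityReference group in me.Groups)
        {
            string label;
            try
            {
                label = group.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                label = group.Value + " (unresolved SID)";
            }
            Console.WriteLine("  " + label);
        }
    }
}
```

The group listing comes straight from the access token, which is what Windows itself uses for access checks; a group added to the account after logon does not appear until the user obtains a new token.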

WindowsPrincipal Class - The System.Security.Principal.WindowsPrincipal class wraps a WindowsIdentity and answers role questions: its IsInRole method checks whether the group SIDs in the user's token include the requested group, either a WindowsBuiltInRole value or a group name in DOMAIN\Group form.

using System;
using System.Security.Principal;

WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
WindowsPrincipal myPrincipal = new WindowsPrincipal(myIdentity);

// check membership in the built-in local Administrators group.
// Under UAC a non-elevated process carries a filtered token, so this is false
// for an administrator until the process is run elevated.
if (myPrincipal.IsInRole(WindowsBuiltInRole.Administrator))
    Console.WriteLine(WindowsBuiltInRole.Administrator.ToString());

// check membership in a domain group, given as DOMAIN\Group
if (myPrincipal.IsInRole(@"USER\Accounting"))
    Console.WriteLine("User");

PrincipalPermission Class - The System.Security.Permissions.PrincipalPermission class checks the active principal (Thread.CurrentPrincipal) for both declarative and imperative security checks. With it we make sure that the user is in fact authenticated and belongs to a certain role; a failed Demand throws a SecurityException. Three properties matter, and a null value for Name or Role means "don't care":

  • Authenticated - true/false value; if true, the principal's identity must be authenticated.
  • Name - if set, the identity's Name must match this string exactly (DOMAIN\user for Windows identities).
  • Role – if set, the principal's IsInRole must return true for this role.
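Here is an added example (not code from the original article) showing both styles of check against a Windows principal. It assumes a .NET Framework console application; the role @"BUILTIN\Administrators" and the method name PurgeAuditLog are illustrative.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class PrincipalPermissionDemo
{
    // Declarative check: the runtime demands this permission before the method body
    // runs and throws SecurityException if Thread.CurrentPrincipal fails it.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = @"BUILTIN\Administrators")]
    static void PurgeAuditLog()
    {
        Console.WriteLine("Audit log purged by " + Thread.CurrentPrincipal.Identity.Name);
    }

    static void Main()
    {
        // PrincipalPermission reads Thread.CurrentPrincipal, not WindowsIdentity.GetCurrent().
        // In ASP.NET the pipeline sets it from HttpContext.User; in a console or service
        // application it defaults to an unauthenticated GenericPrincipal and every demand
        // fails, even for an administrator, until the policy below is set.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        // Imperative check 1: any authenticated user (Name and Role null = don't care).
        try
        {
            new PrincipalPermission(null, null, true).Demand();
            Console.WriteLine("Caller is authenticated as " + Thread.CurrentPrincipal.Identity.Name);
        }
        catch (SecurityException)
        {
            Console.WriteLine("Caller is not authenticated.");
            return;
        }

        // Imperative check 2: a specific role, then call the declaratively protected method.
        try
        {
            new PrincipalPermission(null, @"BUILTIN\Administrators").Demand();
            PurgeAuditLog();
        }
        catch (SecurityException)
        {
            // Log the denial; do not leak which role was required to the end user.
            Console.WriteLine("Access denied: insufficient privileges.");
        }

        // Imperative check 3: a specific user. Name is an exact string match on Identity.Name,
        // so prefer Role checks; user names change and comparisons are brittle.
        string currentName = Thread.CurrentPrincipal.Identity.Name;
        try
        {
            new PrincipalPermission(currentName, null).Demand();
            Console.WriteLine("Name check passed for " + currentName);
        }
        catch (SecurityException)
        {
            Console.WriteLine("Name check failed.");
        }
    }
}
```

Declarative demands are evaluated by the runtime at the call, so they cannot be skipped by a caller who forgets the imperative check; the trade-off is that the role name is baked into the attribute at compile time.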
WindowsImpersonationContext is the object returned by Impersonate; calling its Undo() method (or disposing it) reverts the thread to its original identity. The pattern is therefore: impersonate, execute our code under the impersonated account, then revert. The revert must happen in a finally block or a using statement, because a thread left impersonating continues to run later, unrelated code with the borrowed identity.

// The string constructor takes a user principal name (UPN). It asks Kerberos for a token
// for that account without a password (S4U), so it needs a domain-joined host, and the
// token is typically only good for local access.
WindowsIdentity impMyID = new WindowsIdentity("user@example.com");
using (WindowsImpersonationContext impCtx = impMyID.Impersonate())
{
    // code here runs as the impersonated account
}   // Dispose() reverts, the same as impCtx.Undo(), even if the code above throws
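When you hold the account's credentials rather than relying on Kerberos S4U, the usual approach is the Win32 LogonUser call to obtain a token, followed by WindowsIdentity.RunImpersonated, which reverts automatically. The program below is an added example (not code from the original article); it assumes .NET Framework 4.6 or later on Windows, reads the credentials from the console so that nothing appears in the process command line, and the reversal after the delegate is demonstrated by printing the identity before, inside and after.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

class RunImpersonatedDemo
{
    // Win32 LogonUser: exchanges user name + password for an access token.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider,
                                 out SafeAccessTokenHandle token);

    const int LOGON32_LOGON_INTERACTIVE = 2;   // same logon type as a console session
    const int LOGON32_PROVIDER_DEFAULT = 0;

    static void Main()
    {
        Console.Write("Domain: ");   string domain = Console.ReadLine();
        Console.Write("User: ");     string user = Console.ReadLine();
        Console.Write("Password: "); string password = Console.ReadLine();
        // In production the password comes from a credential store, never from source or argv.

        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);

        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Win32Exception turns the error code (e.g. 1326, ERROR_LOGON_FAILURE) into text.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        using (token)   // closes the token handle when done, even on exception
        {
            WindowsIdentity.RunImpersonated(token, () =>
            {
                // Everything in this delegate runs with the logged-on account's token,
                // so file and registry access is checked against that account.
                Console.WriteLine("Inside: " + WindowsIdentity.GetCurrent().Name);
                string probe = @"C:\Windows\win.ini";   // an arbitrary path to test access against
                Console.WriteLine(File.Exists(probe)
                    ? "Impersonated account can see " + probe
                    : "Impersonated account cannot see " + probe);
            });
        }

        // RunImpersonated has already reverted the thread, whether or not the delegate threw.
        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

RunImpersonated scopes the impersonation to the delegate, which removes the classic bug of an exception skipping the Undo() call; the token still has to be closed by the caller, which the using statement does here.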