Authenticating Users with Windows Authentication

This is the C# tutorial.

Learn how to use Windows authentication in the context of an MVC application. You learn how to enable Windows
authentication within your application’s web configuration file and how to configure authentication with IIS.
Finally, you learn how to use the [Authorize] attribute to restrict access to controller actions to particular Windows
users or groups.

The goal of this tutorial is to explain how you can take advantage of the security features built into Internet Information
Services to password protect the views in your MVC applications. You learn how to allow controller actions to be
invoked only by particular Windows users or users who are members of particular Windows groups.

Using Windows authentication makes sense when you are building an internal company website (an intranet site) and
you want your users to be able to use their standard Windows user names and passwords when accessing the website.
If you are building an outwards facing website (an Internet website) consider using Forms authentication instead.

Enabling Windows Authentication

When you create a new ASP.NET MVC application, Windows authentication is not enabled by default. Forms
authentication is the default authentication type enabled for MVC applications. You must enable Windows
authentication by modifying your MVC application’s web configuration (web.config) file. Find the <authentication>
section and modify it to use Windows instead of Forms authentication like this:

<authentication mode="Windows">
</authentication>

When you enable Windows authentication, your web server becomes responsible for authenticating users. Typically,
there are two different types of web servers that you use when creating and deploying an ASP.NET MVC application.

First, while developing an MVC application, you use the ASP.NET Development Web Server included with Visual Studio.
By default, the ASP.NET Development Web Server executes all pages in the context of the current Windows account
(whatever account you used to log into Windows).

The ASP.NET Development Web Server also supports NTLM authentication. You can enable NTLM authentication by
right-clicking the name of your project in the Solution Explorer window and selecting Properties. Next, select the Web
tab and check the NTLM checkbox (see Figure 1).

Figure 1 – Enabling NTLM authentication for the ASP.NET Development Web Server

For a production web application, on the other hand, you use IIS as your web server. IIS supports several types of
authentication including:

Basic Authentication – Defined as part of the HTTP 1.0 protocol. Sends user names and passwords in clear text (Base64 encoded) across the Internet.
Digest Authentication – Sends a hash of a password, instead of the password itself, across the Internet.
Integrated Windows (NTLM) Authentication – The best type of authentication to use in intranet environments using Windows.
Certificate Authentication – Enables authentication using a client-side certificate. The certificate maps to a Windows user account.

For a more detailed overview of these different types of authentication, see
http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx.

You can use Internet Information Services Manager to enable a particular type of authentication. Be aware that not all
types of authentication are available on every operating system. Furthermore, if you are using IIS 7.0 with
Windows Vista, you will need to enable the different types of Windows authentication before they appear in the Internet
Information Services Manager. Open Control Panel, Programs, Programs and Features, Turn Windows features
on or off, and expand the Internet Information Services node (see Figure 2).

Figure 2 – Enabling Windows IIS features

Using Internet Information Services, you can enable or disable different types of authentication. For example, Figure 3
illustrates disabling anonymous authentication and enabling Integrated Windows (NTLM) authentication when using IIS
7.0.

Figure 3 – Enabling Integrated Windows Authentication

Authorizing Windows Users and Groups

After you enable Windows authentication, you can use the [Authorize] attribute to control access to controllers or
controller actions. This attribute can be applied to an entire MVC controller or a particular controller action.

For example, the Home controller in Listing 1 exposes three actions named Index(), CompanySecrets(), and
StephenSecrets(). Anyone can invoke the Index() action. However, only members of the Windows local Managers group
can invoke the CompanySecrets() action. Finally, only the Windows domain user named Stephen (in the Redmond
domain) can invoke the StephenSecrets() action.

Listing 1 – Controllers\HomeController.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;

namespace MvcApplication1.Controllers
{
    [HandleError]
    public class HomeController : Controller
    {
        // No [Authorize] attribute: anyone can invoke this action.
        public ActionResult Index()
        {
            return View();
        }

        // Only members of the Windows local Managers group.
        [Authorize(Roles = "Managers")]
        public ActionResult CompanySecrets()
        {
            return View();
        }

        // Only the Windows domain user redmond\swalther.
        [Authorize(Users="redmond\\swalther")]
        public ActionResult StephenSecrets()
        {
            return View();
        }

    }
}

Because of Windows User Account Control (UAC), when working with Windows Vista or Windows Server 2008, the
local Administrators group will behave differently than other groups. The [Authorize] attribute won’t correctly
recognize a member of the local Administrators group unless you modify your computer’s UAC settings.
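
The access decision behind the three actions in Listing 1, as an added example that is not part of the original tutorial and is not the ASP.NET MVC source. AuthorizeModel, Decide and the sample principals are hypothetical, and GenericPrincipal stands in for the WindowsPrincipal that Windows authentication supplies, so group membership here is only a list of strings.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Added illustration: a model of the check [Authorize] applies to an action.
// AuthorizeModel and Decide are hypothetical names, not part of System.Web.Mvc.
static class AuthorizeModel
{
    // The attribute takes comma-separated lists; blanks are ignored.
    static string[] Split(string csv) =>
        (csv ?? "").Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();

    public static bool Decide(IPrincipal user, string users, string roles)
    {
        // An unauthenticated caller is always refused.
        if (user == null || !user.Identity.IsAuthenticated) return false;
        string[] u = Split(users), r = Split(roles);
        // User names compare case-insensitively: "redmond\swalther" matches "REDMOND\SWalther".
        if (u.Length > 0 && !u.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return false;
        // One matching role is enough; when both Users and Roles are set, both must pass.
        if (r.Length > 0 && !r.Any(user.IsInRole)) return false;
        return true;
    }

    static IPrincipal Make(string name, params string[] roles) =>
        new GenericPrincipal(new GenericIdentity(name), roles);

    static void Main()
    {
        // Constructed principals (sample data, not from the tutorial).
        var anonymous = Make("");                        // empty name => not authenticated
        var manager = Make(@"REDMOND\alice", "Managers");
        var stephen = Make(@"REDMOND\SWalther");         // no group memberships

        foreach (var p in new[] { anonymous, manager, stephen })
        {
            string who = p.Identity.IsAuthenticated ? p.Identity.Name : "(anonymous)";
            Console.WriteLine("{0,-18} CompanySecrets={1,-5} StephenSecrets={2}",
                who,
                Decide(p, null, "Managers"),             // [Authorize(Roles = "Managers")]
                Decide(p, @"redmond\swalther", null));   // [Authorize(Users="redmond\\swalther")]
        }
    }
}
```

An action with no attribute, such as Index() in Listing 1, never reaches this check, which is why applying [Authorize] to the whole controller is the safer default when most actions are sensitive.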

Exactly what happens when you attempt to invoke a controller action without having the right permissions depends on
the type of authentication enabled. By default, when using the ASP.NET Development Server, you simply get a blank
page. The page is served with a 401 Not Authorized HTTP Response Status.

If, on the other hand, you are using IIS with Anonymous authentication disabled and Basic authentication enabled, then
you keep getting a login dialog prompt each time you request the protected page (see Figure 4).

Figure 4 – Basic authentication login dialog

Summary

This tutorial explained how you can use Windows authentication in the context of an ASP.NET MVC application. You
learned how to enable Windows authentication within your application’s web configuration file and how to configure
authentication with IIS. Finally, you learned how to use the [Authorize] attribute to restrict access to controller actions to
particular Windows users or groups.

© 2010 Microsoft Corporation. All Rights Reserved.
