Quick Reference : ASP.NET and Windows Authentication
Authentication is a process by which the system validates a user's logon or sign-in information. A user's name and password are verified and if found correct , access is granted . Windows Authentication is a very complex topic and this post will help you learn a quick overview of windows authentication with Asp.net .
Windows authentication (formerly named NTLM) is a secure form of authentication used in intranet environment to authenticate windows users against Microsoft Active Directory. Now windows users(also called as NT users) are any user created by administrators such as mydomain/bob, euro/Alice for login into your machine.Think fo Active Directory is a place where all the users,passowords etc are stored and this is setup again by Administrators.
Say you are a developer of an application which should be used over intranet by all the people in your company .In this case , Windows authentication can be used to authenticate your company's internal users aka Domain users to your asp.net application .So the flow will be like
(1) Domain user(e.g. mydomain/username) =>(2) ActiveDirectory (e.g. MyDomain)=> (3)ASP.NET website
- any domain user or a local user e.g. mydomain/rohith ,machinename/Bob
- this step happens transparently without you doing any configuration or code as a developer
- Configure windows authentication in your asp.net/website.
Windows authentication supports two authentication protocols, Kerberos and NTLM .But in Configuration you will see 3 setttings Negotiate, Kerberos, and NTLM .Negotiate, is a wrapper for Kerberos and NTLM, allows the client application to fallback to NTLM if Kerberos is not supported. When you install and enable Windows authentication on IIS 7+ , the default setting is Negotiate.
Windows authentication(You can choose NTLM or Keberos in the IIS settings) can be used under following circumstances :
- Client computers and Web servers are in the same domain.
- There is no firewall or proxy in between and this is best case scenario where your users will be able to authenticate using the same login they used to access their machines.
- Users are required to access the application over internet
- you can make windows authentication work over internet over NTLM but this is not recommended .
- Kerberos requires that the client have a direct connection to Active Directory, which is generally not the case in Internet scenarios
https://technet.microsoft.com/en-us/library/cc732841(v=ws.11).aspx /en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/ https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication?showTreeNavigation=true