Understanding ASP.NET Impersonation
Impersonation is a security method by which an IIS Web request is processed using the security information provided by a specific user account or by the user who is accessing the site. When ASP.NET impersonation is disabled (the default setting), the security context for processing requests is the account under which the Web application runs. When you enable impersonation, you can specify a user account that determines the security context. (See Figure 3.) To provide the username and password information, click the Set button.
Another option is to configure ASP.NET impersonation to the Authenticated User option. This setting specifies that the security permissions of a user who has been authenticated (using one of the other authentication options) will be used to provide access to content. This setting is useful when you want to use file system permissions that use specific users and groups to decide which content should be protected. When used in this way, it is most appropriate for environments that support relatively small numbers of users, such as department-level intranet Web servers.
Understanding Client Certificate Authentication
In addition to the other available types of authentication options, IIS provides support for using client certificates for validating the identity of a Web user. This method requires users to have security certificates installed on their computers. When a request is made for protected content, IIS automatically validates the identity of the client by querying the certificate information. There are three main modes by which client certificates can be used:
One-To-One mappings
In this configuration, the Web server must contain a copy of the client certificate used by every computer that will access restricted content. The server compares its copy of the certificate with the one that is presented by the client to validate requests.
Many-To-One mappings
It is often impractical to manage certificates for all possible Web users on the server. Many-to-one mappings, although slightly less secure, instead have the Web server authenticate the client by examining certain fields found in the client certificate. A common example is validating the organization information in the certificate to ensure that the user is coming from a trusted company.
Active Directory mappings
Active Directory Certificate Services can simplify the creation and management of client certificates. To enable this method, organizations must first set up their own certificate-based infrastructure.
Because of the certificate requirements for client certificate authentication, this method is most often used in environments in which systems administrators have control over end users’ computers. It is impractical to require certificates for publicly accessible Internet Web sites and applications.
Understanding Authentication Requirements
Handlers and modules manage IIS authentication. The specific authentication options available for a Web server are based on the Web Server (IIS) role services that are installed. The list of available role services includes:
To add or remove a security-related role service, open Server Manager, expand the Roles section, right-click Web Server (IIS), and then select either Add Role Services or Remove Role Services. (See Figure 4.) Because role services affect the available authentication options for the entire Web server, determine the requirements of all the Web applications and Web content on your server first.
In addition to role service settings, each of the authentication methods has specific module requirements, as shown in Table 1. For more information about managing modules, see the “Managing Request Handlers” section discussed earlier in this article.
Table 1. IIS Authentication Methods and Their Requirements
| Authentication Method | Required Module(s) |
|---|---|
| Anonymous | AnonymousAuthModule |
| ASP.NET Impersonation | ManagedEngine |
| Basic | BasicAuthModule, TokenCacheModule |
| Client Certificates | iisClientCertificateMappingModule |
| Client Certificates (Active Directory Mapping) | CertificateMappingAuthenticationModule |
| Digest | DigestAuthModule |
| Forms | FormsAuthenticationModule |
| Windows | WindowsAuthenticationModule |
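As an added example (not part of the original article), the following PowerShell script reports which of the settings discussed above are in effect for one site: whether requests run under the application pool account, as the authenticated caller, or as a fixed impersonation account, and which IIS authentication schemes are enabled, disabled, or absent because their role service is not installed. It assumes IIS 7 or later with the WebAdministration module; the site name is a placeholder.

```powershell
# Added example, not from the original article: audit how one site's requests
# obtain their security context and which authentication schemes are active.
# Assumes IIS 7 or later with the WebAdministration PowerShell module.
Import-Module WebAdministration
$site = 'Default Web Site'            # placeholder: the site to audit
$path = "IIS:\Sites\$site"

# ASP.NET impersonation is the system.web/identity section of web.config
$identity = Get-WebConfiguration -Filter 'system.web/identity' -PSPath $path
if (-not $identity.impersonate) {
    "Impersonation disabled: requests run under the application pool account."
} elseif ([string]::IsNullOrEmpty($identity.userName)) {
    "Impersonation enabled (Authenticated User): requests run as the caller."
} else {
    "Impersonation enabled as fixed account '$($identity.userName)'."
    # A fixed account stores credentials in web.config; keep that section
    # encrypted, e.g. aspnet_regiis -pe "system.web/identity" -app "/" -site "$site"
}

# Forms authentication is selected in system.web/authentication (mode="Forms")
$mode = (Get-WebConfiguration -Filter 'system.web/authentication' -PSPath $path).mode
"ASP.NET authentication mode: $mode"

# IIS authentication schemes: a section that cannot be read normally means the
# corresponding role service (and therefore its module) is not installed.
$authRoot = 'system.webServer/security/authentication'
$schemes  = 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication',
            'windowsAuthentication', 'iisClientCertificateMappingAuthentication',
            'clientCertificateMappingAuthentication'
foreach ($scheme in $schemes) {
    $attr = Get-WebConfigurationProperty -Filter "$authRoot/$scheme" -Name enabled `
                -PSPath $path -ErrorAction SilentlyContinue
    $state = if ($null -eq $attr) { 'not installed' } elseif ($attr.Value) { 'enabled' } else { 'disabled' }
    '{0,-42} {1}' -f $scheme, $state
}
```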