Thread: authentication mode in Web.config confuses me....

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Mar 2001
    Posts
    416

    authentication mode in Web.config confuses me....

    Hi,

    I have a web site which will display some pricing information to the public.
    In the DMZ, we've one IIS to host ASP.NET web pages, and another COM+ server, which hosts the COM+ component written in VB.NET for retrieving such pricing information. It accesses the internal SQL server through ODBC with suitable ports opened in the firewall.
    ASP.NET makes calls to the component through .NET remoting.

    I've made a workable setting, but I'm not sure if it is really ok. As I go through more about web.config, I get confused. May I list the config here, and can someone advise if it is okay or not?

    Directory security of the application (VD) in IIS:
    Checked "Anonymous access"; a domain a/c (DAC1) is entered instead of using the IUSR_XXX a/c.

    Web.config for that application:
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization>
    <allow users="*" />
    </authorization>

    COM+:
    roles are created and only DAC1 is added to the user list under this role


    =======

    What I want to do is that any user can view this page. When retrieving price information, it will use DAC1 as the identity to call the COM+ component. In this way, my site is protected such that no one can call the component other than DAC1.

    What confuses me:

    1. Why are there two authentication settings (one in IIS and the other in web.config)? I know that one is for IIS and one is for the ASP.NET application, but what is it actually for? In IIS, I've chosen 'Anonymous', but in web.config, I use <authentication mode="Windows">; then I saw a comment saying "Anonymous access must be disabled in IIS." I also tried to set mode to "None", but both settings let me access the page.

    2. Is the ASP.NET process identity (ASPNET / NETWORK SERVICE) a/c equal to the a/c I entered in the IIS anonymous box (i.e. DAC1)? If so, is it that when the ASP.NET application is running, it will use that identity a/c to, say, access the COM+ component?

    3. There is a <identity impersonate="true" /> line in web.config. When I enable anonymous access, if (2) is correct, then is it impersonating as that identity a/c? So I only need this line when I use Windows Integrated security in IIS and I want the ASP.NET application to use the client's credentials instead of the ASP.NET identity a/c? Am I correct?

    Thx a lot.

  2. #2

    Thread Starter
    Hyperactive Member
    Join Date
    Mar 2001
    Posts
    416

    Re: authentication mode in Web.config confuses me....

    Hi all,

    After spending some time testing, I got the following result:

    1. In IIS, I set it to allow Anonymous access and entered a domain a/c, DAC1.
    2. In Web.config, I set <authentication mode="None" />; some web sites claim that it will result in faster performance.
    3. Since the COM+ component can only be accessed by DAC1, if I don't put <identity impersonate="true" /> in web.config, I can't make the call succeed.
    4. <authorization><allow users="?" />.....

    I still have some questions:

    1. Is the asp.net process identity (ASPNET/NETWORK SERVICE) = anonymous a/c (i.e. DAC1) when I enable anonymous access? If so, why do I still need impersonate="true"? Doesn't IIS pass this ID to asp.net by default??
    I've tried to display the value of WindowsIdentity.GetCurrent in an aspx. If impersonate="true", this user will be DAC1; otherwise, this user will be "ASPNET"!!

    2. In the authorization section, <allow users="?" /> means allow anonymous users; is it different from <allow users="*" />, which means allow everyone?

    Thx!!

  3. #3
    Fanatic Member VBKNIGHT's Avatar
    Join Date
    Oct 2000
    Location
    Port25
    Posts
    619

    Re: authentication mode in Web.config confuses me....

    With Windows-based authentication the ASP.NET web application relies on the Windows operating system to authenticate the user. ASP.NET uses Windows-based authentication in conjunction with IIS authentication.

    With Windows-based authentication, the user requests a secure web page from the web application, and the request then goes through IIS. If the user's credentials do not match those of an authorized user, IIS rejects the request. The user then has to enter his/her name and password in the login form. The credentials are again verified by IIS.

    There are 3 types of authentication methods:
    1. Windows-based authentication
    Advantages:
    a. uses existing Windows infrastructure
    b. controls access to sensitive information
    Disadvantages:
    a. not appropriate for most Internet applications

    2. Forms-based authentication
    Advantages:
    a. good for Internet applications
    b. supports all client types
    Disadvantages:
    a. based on cookies

    3. Microsoft Passport authentication
    Advantages:
    a. single sign-in for many Internet sites
    b. no need to maintain a database to store user information
    c. allows developers to customize the appearance of the registration page
    Disadvantages:
    a. based on cookies
    b. fees involved

    IIS authentication mechanisms

    Mechanism: Anonymous
    Security Level: None
    Description: No authentication occurs

    Mechanism: Basic
    Security Level: Low (Medium with SSL)
    Description: Client sends username and password as clear text; can be encrypted using SSL. Part of the HTTP specification and supported by most browsers

    Mechanism: Digest
    Security Level: Medium
    Description: Sends information as an encoded hash; requires Internet Explorer 5 or later; requires Active Directory

    Mechanism: Integrated Windows
    Security Level: High
    Description: Uses either NTLM or Kerberos; generally good for intranets, not the Internet; does not work through most firewalls

    How to enable Windows-based authentication:
    1. configure IIS
    2. set up authentication in web.config
    3. set up authorization in web.config
    4. IIS requests logon information from users.

    To indicate that only specific pages are secure, you must create a <location> section with <system.web> and <authorization> subsections for each secure page in your web application:

    <location path="shoppingcart.aspx">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>

    The following sample denies all anonymous users access to the file.

    Note: it is not advisable to authorize users individually. In addition, hard coding will limit the flexibility of modifying it programmatically.

    Any configuration setting contained in the <location> section will be directed to the file or directory that is indicated in the path attribute. There can be multiple sections.

    <identity> impersonation allows the server to execute code under the security context of a request entity or as an anonymous user. In ASP.NET, impersonation is optional, and by default it is disabled.

    <identity impersonate="true|false"
        username="username"
        password="password" />

    In the preceding code the username and password attributes specify the credentials to use if impersonate is set to true.

    A special Windows account named ASPNET is used if impersonate is set to false, which is the default value.

    Hope this information helps you.

    If a post has helped you then Please Rate it!
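Pulling the three settings this thread circles around (IIS anonymous account, <identity impersonate>, and <authorization> "*" versus "?") into one annotated web.config, as an added example that is not from the thread or any poster. It assumes the poster's IIS setup (anonymous access mapped to the domain account DAC1) and a hypothetical extra page admin.aspx to show the <location> element VBKNIGHT describes.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the thread): a web.config matching the poster's
     tested setup. Assumes IIS "Anonymous access" is enabled with the domain
     account DAC1 entered as the anonymous user, and that a hypothetical page
     admin.aspx should not be reachable anonymously. -->
<configuration>
  <system.web>
    <!-- mode="None": ASP.NET performs no authentication of its own. Under IIS
         anonymous access the request token is already DAC1 when it reaches
         ASP.NET, and Context.User is an unauthenticated (empty) principal.
         mode="Windows" only adds value when IIS itself is set to Basic,
         Digest or Integrated Windows authentication. -->
    <authentication mode="None" />

    <!-- impersonate="true" with no username/password: the request thread runs
         under the token IIS supplied, i.e. DAC1 under anonymous access (or the
         logged-on client under Integrated Windows auth). Without it,
         WindowsIdentity.GetCurrent() is the process account (ASPNET or
         NETWORK SERVICE), which is why the COM+ call failed: only DAC1 is in
         the COM+ role. Filling in username/password here would store a
         clear-text credential in the web root, so let IIS supply the token. -->
    <identity impersonate="true" />

    <!-- "*" = everyone, "?" = anonymous (unauthenticated) users. Under
         mode="None" every request counts as anonymous, so either spelling lets
         the public pricing page through; "*" states the intent plainly. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- URL authorization for one page; ASP.NET merges it with the section
       above. Because mode="None" never authenticates anyone, deny "?" here
       blocks ALL callers. It only does useful work once admin.aspx is served
       with IIS Integrated Windows authentication plus
       <authentication mode="Windows" />, so Context.User carries a name. -->
  <location path="admin.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```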

  4. #4

    Thread Starter
    Hyperactive Member
    Join Date
    Mar 2001
    Posts
    416

    Re: authentication mode in Web.config confuses me....

    What is your advice on the <authorization> setting?
    Since the information can be viewed by the public, I think using <allow users="*"> should be okay?

  5. #5
    Fanatic Member VBKNIGHT's Avatar
    Join Date
    Oct 2000
    Location
    Port25
    Posts
    619

    Re: authentication mode in Web.config confuses me....

    Yes, it's ok to allow all users since it is public.

    If a post has helped you then Please Rate it!
