Intranet

Hi

The description of your solution does not contain enough details to provide the exact security design of your application. I am going to give you the short overview, but please even if this completely helps you, BE SURE THAT YOU REALY UNDERSTAND WHAT YOU DO

• Assuming that your intranet application I written in ASP.Net or it is ASP Web Service, set the directory security IIS manager on windows authentication. Be sure that anonymous is not checked. This forces the IIS to retrieve an access denied on the first client’s request. The client must be able to authenticate by using NTLM. By using of NTFS you can set wanted permissions

• Then in the web.config of your application set following tags

<authentication mode="Windows" /><identity impersonate="true"/

• If your client is IE browser you do not have to do anything else to be sure that nobody out of specified windows group can access the site

• But, this is often not enough. Additionally you can provide much more granularity by using of CAS if required. The CAS allows you to define the role base security (not only). For example if your solution provides some Web Service you can protect your methods as shown bellow

[ WebMethod(Description="Retrieves the appointment data", EnableSession=false)
[PrincipalPermissionAttribute(SecurityAction.Demand ,
Role = "SomeRole")
public void GetServiceAppointment(string ServiceId

â€
Additionally you have to provide a mechanism, which maps the windows user (Windows Identity established by impersonation (see above)) to the specific role
This can be done in Global.Cs in the method Application_AcquireRequestState

String[] roles = somefunctionof(Thread.CurrentPrincipal.Identity.Na me
GenericIdentity MyIdentity = new GenericIdentity(Thread.CurrentPrincipal.Identity.N ame)
GenericPrincipal MyPrincipal = new GenericPrincipal(MyIdentity, roles)
Thread.CurrentPrincipal = MyPrincipal;

• If you do not use the browser at the client side there are generally two ways to provide credentials
If you can force the user to eneter the user name and password do following
System.Net.ICredentials icred = new System.Net.NetworkCredential(m_User,m_Pwd,m_Domain )

Much better way is to use the currently cached windows credentials
m_ System.Net.ICredentials icred = System.Net.CredentialCache.DefaultCredentials
Sorry if this is not enough, but the security is not something you cannot implement in few minutes. One good solution provides a good security concept. It is not only enough that your application just properly runs. It is also VERY IMPORTANT that your application runs secured. I propose you search for more information in MSDN following keywords

PrincipalPermissionAttribute, impersonation, web.config, NTLM, DefaultCredentials, Credentials â€