Developing Identity-Aware ASP.NET Applications

Chapter 1: Introduction to the Developing Identity-Aware ASP.NET Applications Paper

Published: May 11, 2004 | Updated: June 26, 2006

Executive Summary

Organizations today are looking for guidance on how to avoid introducing new directories and authentication schemes that increase complexity and undermine the goals of a successful identity and access management strategy.

This paper provides guidelines for developing applications that use the directory and security services of the Microsoft® Windows® platform. Specifically, the paper discusses identity considerations and guidelines when developing Microsoft ASP.NET multitier extranet and intranet Web applications. You can develop these applications using Microsoft Visual Studio® .NET and Microsoft Windows Server™ 2003 directory and security services.

This paper is part of the Microsoft Identity and Access Management Series.

The Business Challenge

Most organizations accumulate legacy applications that do not integrate well with each other or with enterprise directory services. The challenge for these organizations is to create an architectural model that will better integrate their applications. The goals of this model could include one or more of the following:

Develop line-of-business (LOB) applications more rapidly.

Achieve greater security.

Capitalize on a consistent authorization policy model and data.

Effectively use existing provisioning mechanisms.

Provide secure access for different types of users.

Meet the authentication, authorization, and audit requirements of new industry and government regulations.

The Business Benefits

A strategy and architecture for developing identity-aware applications helps organizations achieve the following benefits:

Reduce application development costs for faster time to market.

Develop more robust applications.

Confront fewer vulnerabilities.

Reuse existing mechanisms and solutions.

Obtain more secure access control.

Comply with regulatory requirements.  

Who Should Read This Paper

The intended audience for this paper includes architects, developers, technical decision makers, and consultants involved in identity and access management efforts.

Reader Prerequisites

This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies, as described in the “Fundamental Concepts” paper in this series.

Understanding and implementing the solutions in this paper requires a good familiarity with the “Intranet Access Management” and “Extranet Access Management” papers in this series — Microsoft strongly recommends reading both papers before continuing with this one.

Readers who wish to use the code samples provided with this paper should be familiar with developing ASP.NET applications in Visual Studio .NET.

Note   This paper does not cover all of the details you should consider for writing secure code and ensuring application security. It only covers topics that are specifically concerned with the use of digital identities in ASP.NET applications within a Windows Server 2003 environment.
For more information about end-to-end application security and writing secure code, see the following resources:

“Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication” on MSDN®.

Writing Secure Code, Second Edition.

Feedback

Please direct questions and comments about this guide to secwish@microsoft.com.

Paper Overview

This paper consists of the following seven chapters:

Chapter 1: Introduction to the Developing Identity-Aware ASP.NET Applications Paper

This chapter provides an executive summary, the recommended audience for the paper, and an overview of each chapter in the paper. The chapter also introduces the specific solution scenarios that are discussed in Chapters 3 through 7.

Chapter 2: Approaches to Developing Identity-Aware ASP.NET Applications

This chapter provides background information about several authentication approaches for clients using browsers in intranet and extranet applications for business-to-business (B2B), business-to-employee (B2E), and business-to-consumer (B2C) scenarios. It discusses authorization and the various ways that you can flow identity across application tiers, including the pros and cons of each method.

The chapter also discusses auditing, and how to ensure that the appropriate security events are logged for each of the techniques described.

Chapter 3: Issues and Requirements

This chapter introduces the business problems that Contoso Pharmaceuticals (the fictitious company used in this series) faces, and then outlines the business issues, technology issues, and security issues that Contoso has identified for each solution scenario. It then highlights the key requirements of each solution that Contoso will build.

Chapter 4: Designing the Solution

This chapter discusses the solution concept, architecture, necessary prerequisites, and how each of the scenario solutions work.

Chapter 5: Implementing the Solution

This chapter describes the tools and templates that are available for this paper, and provides the prescriptive steps required to implement the solutions that Contoso built for each scenario.

Chapter 6: Testing the Solution

This chapter describes how to validate the implemented solution scenarios and includes some troubleshooting steps and testing techniques to help you with common implementation challenges.

Chapter 7: Deployment Considerations

This chapter discusses several topics for consideration specific to deploying identity-aware ASP.NET solutions, such as using setup applications and custom installers.

Solution Scenarios

The scenarios in this paper are based on Contoso Pharmaceuticals, the fictitious company introduced in this series in the “Platform and Infrastructure” paper.

In addition to a general discussion of identity-aware development approaches, this paper also provides detailed prescriptive guidance for implementing intranet and extranet ASP.NET applications that are integrated with Active Directory.

The scenarios were compiled to illustrate the typical challenges organizations face, and include guidance on how you can use Microsoft technologies to address them. Chapters 3 through 7 focus entirely on the ASP.NET intranet and extranet solution scenarios.

ASP.NET Intranet Applications

This solution scenario discusses the solution template that Contoso Pharmaceuticals built to ensure that all of the company's intranet ASP.NET applications properly use Windows Server 2003 directory and security services.

This scenario discusses Contoso employees who need to access Contoso applications using a Web browser and Windows-integrated authentication. The sample code for this scenario shows two ways to pass identity information between tiers, how to implement different types of authorization, and how to access back-end resources. The Windows platform provides security event logging for auditing purposes.

ASP.NET Extranet Applications

This solution scenario discusses the solution template that Contoso Pharmaceuticals built to ensure that all of the company's extranet ASP.NET applications properly use Windows Server 2003 directory and security services.

This scenario discusses the client authentication mechanism used for each of the following three types of extranet user, all of whom must access the same application:

B2B. Partners access the extranet application using a Web browser and Forms-based authentication.

B2E. Employees access the extranet application using Microsoft Internet Explorer and X.509 certificates.

B2C. Customers access the extranet application using a Web browser and Microsoft Passport authentication.

Note   See the “Identity Aggregation and Synchronization” paper in this series for more information about how Contoso provisions employee certificates.

The sample code for this scenario shows two ways to pass identity information between tiers, how to implement different types of authorization, and how to access back-end resources.

In the B2E and B2C scenarios, the Windows platform provides security event logging for both authentication and authorization. In the B2B scenario, which uses custom Forms-based authentication, the platform never sees the logon attempt, so the application itself must audit authentication; authorization auditing is still provided by the Windows platform.
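The following code-behind for a Forms-authentication login page illustrates the B2B audit responsibility described above. It is an added example written for this chapter, not sample code from the paper or from the Contoso solution templates. The event source name, the LDAP path of the partner directory, the control names and the event IDs are assumptions; the credential check is done with a simple directory bind, which is one common approach and not necessarily the one the paper's later chapters prescribe.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Login page for the B2B (partner) extranet scenario. With Forms-based
// authentication, Windows records no logon event, so this page writes its
// own success and failure audits to the event log before issuing a ticket.
public class PartnerLogin : Page
{
    protected TextBox UserName;   // assumed control names on the .aspx page
    protected TextBox Password;
    protected Label Message;

    // Assumed values, not from the paper. The event source must be registered
    // once by the installer (EventLog.CreateEventSource), because creating it
    // at run time requires privileges the application pool should not have.
    private const string EventSource = "Contoso Extranet";
    private const string PartnerDirectory =
        "LDAP://partners.example.com/DC=partners,DC=example,DC=com";

    // Event IDs chosen for this example so log reviewers can filter on them.
    private const int LogonSucceeded = 1000;
    private const int LogonFailed = 1001;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        string client = Request.UserHostAddress;

        if (ValidateCredentials(user, Password.Text))
        {
            Audit(EventLogEntryType.SuccessAudit, LogonSucceeded,
                  "Forms authentication succeeded for '{0}' from {1}.", user, client);

            // Issue the forms ticket and return to the originally requested page.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // Record the attempt without the supplied password.
            Audit(EventLogEntryType.FailureAudit, LogonFailed,
                  "Forms authentication failed for '{0}' from {1}.", user, client);

            // One message for unknown user and wrong password alike.
            Message.Text = "Invalid user name or password.";
        }
    }

    // Verify the partner's credentials with a simple bind against the partner
    // directory. Reading NativeObject forces the bind; a failed bind throws.
    private static bool ValidateCredentials(string user, string password)
    {
        if (user.Length == 0 || password.Length == 0)
        {
            return false;
        }

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(
                PartnerDirectory, user, password, AuthenticationTypes.Secure))
            {
                return entry.NativeObject != null;
            }
        }
        catch (COMException)
        {
            // Invalid credentials or unreachable directory: treat both as failure.
            return false;
        }
    }

    // The entry type separates success from failure audits, so the application's
    // entries can be filtered the same way as Windows logon events.
    private static void Audit(EventLogEntryType type, int eventId,
                              string format, params object[] args)
    {
        EventLog.WriteEntry(EventSource, String.Format(format, args), type, eventId);
    }
}
```

Authorization is not audited here because it does not need to be: once the forms ticket is issued and the request is mapped to a Windows identity (the identity-flow techniques discussed in Chapter 2), access to back-end resources is audited by the Windows platform as in the B2E and B2C scenarios.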
