.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
Gaurav Pal
Post New Web Links

How to implement Context based Authentication/Authorization?

Posted By:      Posted Date: October 05, 2010    Points: 0   Category :ASP.Net


We all aware of Role based security in ASP.NET. Above to that, I want to apply some business rules for authorization. These business rules are subjected to change dynamically.
Ex: Print option is available between 9am To 12pm, for Adminstrators.

I can control access to print option available for only for Administrators using Role-based authrozation. But here "9 am - 12pm" rule is my business context.

Need authorize the use action based on this context.
My target is to implement this without changing in Code - rebuild and deploy the DLLs.

I heard a copncept of XACML (eXtensible Access Control Markup Language). Seems this approch cann address my requirement.

I am using ASP.NET 4.0, SQL Server 2008, IIS 7, Windows 2008 Server.

Please provide the below information...
1. Is this approch supported by Microsoft?
2. Is there any open source implementaitons in .NET?
3. How Windows Identity Foundation relates to this?

Please share, if there is any work-around for Context based Authorization in .NET.
Thank you in Advance.


View Complete Post

More Related Resource Links

require guideline for 'Role-based authentication/authorization'



In my asp.net website in VS-2005 with SQL-Server 2005 as db, I need to implement role-based Authentication/Authorization.

I am familiar to the practises used in role-based authentication..as I have previously worked on projects that used this method. However, my project lead used to design the database. Now I have an existing website where authentication has been set to anonymous by setting 'allow users="?"' in the authentication tags in web.config.

If I use the createUserWizard control and use the Membership.creatUser(.....) method in code behind will the asp.net security tables, like users, roles, userinrole etc get created on its own? Can anyone please give the proper steps on how to acheive this?

Best way to implement authentication and authorization for a sharepoint 2010 website.

Hi I come across different authentication methods in Sharepoint 2010. The sharepoint website we are develpoing as of now is Intranet. Later we are planning to move it to Internet(Public) site. What will be the best way to implement authentication and authorization for our website. If windows authentication(Classic mode authentication) is default for a sharepoint website (2010) , I have a few questions ragarding windows authentication. 1) In case of windows authentication, where should we maintain  users? 2) In case of windows authentication, how are the users created? 3) In case of windows authentication, how can I perform authorization.   If we want to use FBA(Form based authentication) in sharepoint 2010, I have a few questions ragarding FBA in sharepoint 2010. 1) In case of FBA(using Claim based authentication) , if we want to use custom database(where we are storing user details and  roles) rather than bulitin SQL membership  provider, how can we achieve this? Can anyone provide some useful resources to implement authentication(Windows or FBA or dual) and authorization for a sharepoint 2010 website with sample code? Please reply ASAP. Thanks & Regards Mahendra Babu

ASP.net role based authorization using froms authentication fails


Hi Dot Net Gurus,

I am trying to implement a simple role based authorization using forms authentication in ASP.net. It works perfectly fine in my local system but fails when I deploy in production (shared hosting). Whenever I try to log in, rather than taking me to the default page in specified directory it throws me back to the login page. I suspect that there is some issues with the configuration but not sure where the problem is. The code is provided below:

Web.config (root):

<authentication mode="Forms">
	<forms name="userId" loginUrl="Login.aspx" defaultUrl="Default.aspx" path="/" timeout="240" requireSSL="false" />

Web.config (Member directory):

            <allow roles="Member" />
            <deny users="*" />


    protected void btnLogin_Click(object sender, ImageClickEventArgs e)
        String email = "";

Trying to implement Forms-based authentication



I have a web-application that is set to windows-authentication and is created as anonymous. This is at default zone. I want to change this to forms based authentication.

I tried extending web-application and creating new zone as Extranet but it is asking me to specify the url (within load-balanced url) that should not be same as the url of the default zone url. Dont' know why. Please suggest.

But for now, I had a question. If I modify the default zone to be forms based, will it cause any problems? I am assuming that this will be default for any type of user (internal, external etc) ? Please let me know.  

Also as far as web.config changes (considering changes to default zone ),  is it fine if I modify web.config of this site plus the central admin web.config? If there are another 5 web-applications (that are totally different but reside in same farm), do I need web.config of those web-application also?


Please suggest.


Our goal is that this website (even when accessed internally) will be through form-based authentication only. So 

Claims-Based Apps: Claims-Based Authorization with WIF


Over the past few years, federated security models and claims-based access control have become increasingly popular. Platform tools in this area have also come a long way. Windows Identity Foundation (WIF) is a rich identity model framework designed for building claims-based applications and services and for supporting active and passive federated security scenarios.

Michele Leroux Bustamante

MSDN Magazine November 2009

Service Station: Authorization In WCF-Based Services


Windows Communication Foundation (WCF) provides an easy role-based system and a more powerful and complex claims-based API for implementing authorization in services.

Dominick Baier and Christian Weyer

MSDN Magazine October 2008

Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager


Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.

Keith Brown

MSDN Magazine November 2003

Forms based users being prompted for windows authentication login for My Sites photos in user lists

Here's an issue I didn't see coming for our forms based authentication users. 

We have a web application extended to an external url to handle forms based authentication for users outside of our domain. Our setup looks like this...

Internal Users/Windows Authentication - moss.domain.com
External Users/Forms Based - mossext.domain.com
My Site for Internal Users - mysites.domain.com

When our forms based users are accessing user lists, or discussion pages that display user pictures, they are getting a windows authentication login for our internal users (mysites.domain.com) who have populated their my site with personal photo.

How do we fix this? 

Claims Tips: Learning About Claims-Based Authentication in SharePoint 2010

Use these five tips for guidance in solving problems related to using and configuring claims.

Sample: SharePoint Claims-Based Authentication

Explore the code as you learn how to create a custom security token service (STS) and set up a trust relationship between a SharePoint 2010 farm and the custom STS.

Using ONLY User Certificates for SharePoint 2010 Authentication/Authorization

  Hello, I am relatively new to SharePoint, and was wondering how I can accomplish using only user certificates to authenticate (and eventually authorize) access to the SharePoint 2010 Server (not just IIS). My Environment currently looks like this:  - SharePoint is SSL-enabled - User Browser Certificates (generated using OpenSSL) successfully authenticate to the IIS Server - SharePoint uses Basic Authentication (user/password based on AD credentials) I need to: - Authenticate the user to SharePoint using the User Certificate from my browser (in other words, no password authentication to access the SharePoint website, but use the certificate that was used by iis to be able to log into SharePoint) I am assuming I must use some sort of claims-based authentication.  Ideally, I would like to use ONLY the certification itself as a source of Authorized Repository for authentication. However, I am also open to having the user certificate be linked to Active Directory users as well.  I have done some research on this but am still lost as to how to approach this problem. Is there anyone that has done this or can assist me in getting this to work? Any help would be greatly appreciated. Thanks!  

WCF IP authentication / authorization

I need to secure my WCF web service.  I wish to only allow messages coming from a certain IP to make calls to my web services.  Is there a way to detect the client's IP address and permit or not permit the message call to be made from the web service level?  What would be the best way of doing this? I cannot use IIS to filter out IP's because my web service sits behind a reverse proxy so all traffic hitting the web server has the same IP address.  Thanks DW

AutoLogin for authenticated user via LiveID in Sharepoint 2010 (Claims Based Authentication)

Hi,     Im working in integrating LiveID authentication in my Sharepoint site. Live id gives back a token of the user with which i created a dummy profile using MembershipProvider.CreateUser. Now i have to auto login the user with the profile i created, i mean i have to force login to my sharepoint site using the created dummy user details without asking the user to give username n password.Any suggestion will be a great help for me to proceed.   Thanks Saravanan Michael

Should I use claims based authentication?

I'm about to setup a web application to host a public facing website. Internal staff will authenticate to the site via Active Directory and we may have a need to allow external users to access "authenticated" parts of the site. To authenticate them we plan to use Windows Live ID. With that in mind,: is it better to set the web application up to use claims based authentication from the start rather than having to change it later? is there anything available as of yet to setup SharePoint 2010 to authenticate against Windows Live ID using claims based authentication?

Migrate from Classic to Claims based authentication

So this is really an outside the normal question and I am hoping someone has some thoughts. I am going to be upgrading a MOSS 2007 farm to MSS2010. I have to move hardware so I will be using the content database attach method for upgrade. The site is current extended to a second IIS Application to support both window and Forms based authentication. Since this is an intranet, unique security is used at the site level (and occasionally at the doc lib level). I want to take advantage of Claims Based Authentication (and use one URL, plus other benefits). I am well aware that that claims based token is not the same as the windows token even though the NTLM user is really the same. Thus that is what presents the issue. I need to "migrate" all of my current NTLM-Classic users to claims based. My first thought is to read the users added to each site (actually role assignments), find all users that have the domain name at the beginning of the member name and add a new users (appending the i:0#.w| to the beginning of the loginname) to the site. This works beautifully and is succesful. The problem arises in the that the role assignments contains SharePoint groups (which we don't use much) and AD groups. the SharePoint groups are ok (yes, I have to migrate the users in them too, but no problem). The AD groups are added via SID when it is claims based. This presents the probl

UseExplicit property in infopath with form based context

Hi everyone, I have a problem with my infopath form. The context, user of the site mustn't have acces to lists that provision infopath form field. Administrator should have acces to these lists. When i test the useExplicit property of udc file for impersonate the connection to the list i have no problem ( all my account are local account) But when i try to integrate user from FBA, infopath form services don't take care of the UseExplicit property and try connect to the list with the credential of the connected user ( who don't have access to the list since only the user that i use to impersonate the connection have read acces). Here is my UseExplicit property :  <udc:Authentication>    <udc:UseExplicit CredentialType="NTLM">      <udc:UserId>dev\svc-reader</udc:UserId>      <udc:Password>password</udc:Password>    </udc:UseExplicit>  </udc:Authentication>    09/06/2010 15:06:50.46                w3wp.exe (0x09BC)                                      0x1A08 SharePoint Foundation                General                      

WCF Custom Authentication and Authorization

Hi, I'm porting a recently developed asmx service to a WCF service. We have used WSE3.0 UsernameToken authentication for the asmx service. The service authenticates the username and password against AD and then gets a list of things the account can do for authorization. I'm trying to do this with WCF. I've got the authentication working. The authorization is causing me problems. In the asmx service I read the username and password off the UsernameToken with this UsernameToken token = (UsernameToken)RequestSoapContext.Current.IdentityToken. I can get the username and password in the WCF service using a custom UserNamePasswordValidator which works great but how is best to do the authorization? I can't do it in the custom validator because that is common to all services for the project. So I have to do it at a later stage which means reading the username and password somehow (off the channel?) Any ideas?   Thanks
ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend