| Authentication | Authorization | Microsoft IIS | Web.config | Behavior |
| --- | --- | --- | --- | --- |
| Database | any | any | any | It does not use HttpContext and so does not depend on settings. |
| Active Directory | any | Windows authentication | Windows authentication, Impersonate = false | Single sign-in; requires password entry for non-intranet users when opening the web site. |
| Active Directory | any | Anonymous enabled | any | For security to work, a valid Active Directory account should be used as the anonymous account. No single sign-in. Does not require a password from non-intranet users for non-secured pages; requires a password for secured pages. |
| Windows | Database | Windows authentication | Windows authentication, Impersonate = false | Single sign-in; requires password entry for non-intranet users to see even non-secured pages. There is no way to sign out, because the currently logged-in user is always used in the application as well. The password setting in the user table is not used. UserID is needed to access roles. |
| Windows | Database | Anonymous enabled | any | Non-secured pages are available to all users. Does not require signing in for Internet users. When a secured page is opened, the user is redirected to the Sign In page to provide a user name and password. Effectively the same behavior as Database Authentication / Database role management. |
| Windows | None | Windows authentication | Windows authentication, Impersonate = false | Single sign-in; requires password entry for non-intranet users to see even non-secured pages. |
| Windows | None | Anonymous enabled | any | Non-secured pages are available to all users. Does not require signing in for Internet users. Secured pages are not available: the user will be redirected to the Sign In page, but no user name and password will succeed. |

Configuring Microsoft IIS for Application Security
Active Directory Role Management
Microsoft Authorization Manager (AzMan) Role Management
Configuring Microsoft Authorization Manager (AzMan)
Handling SQL Injection Attacks