You have another way to set up your authentication and authorization rules. Rather than edit the web.config file by hand, you can use the WAT from inside Visual Studio. The WAT guides you through the process, although you'll find it's still important to understand what changes are actually made to your web.config file. It's also often quicker to enter a list of authorization rules by hand rather than use the WAT.
To use the WAT for this type of configuration, select Website ➤ ASP.NET Configuration from the menu. Next, click the Security tab. You'll see the window shown in Figure 19-2, which gives you links to set the authentication type, define authorization rules (using the Access Rules section), and configure role-based security. (Role-based security is an optional higher-level feature you can use with forms authentication.)
A simple login page can put these methods to work with little code. To try it, begin by enabling
forms authentication and denying anonymous users in the web.config, as described earlier:
Now, users will be redirected to a login page named Login.aspx that you need to create.
With Windows authentication, the web server takes care of the authentication process. ASP.NET makes the resulting identity available to your code for your security checks.
When you use Windows authentication, you force users to log into IIS before they're allowed to access secure content in your website. The user login information can be transmitted in several ways (depending on the network environment, the requesting browser, and the way IIS is configured), but the end result is that the user is authenticated using a local Windows account. Typically, this makes Windows authentication best suited to intranet scenarios, in which a limited set of known users is already registered on a network server.
To implement Windows-based security with known users, you need to follow three steps:
1. Set the authentication mode to Windows authentication in the web.config file.
(If you prefer a graphical tool, you can use the WAT during development or IIS Manager after deployment.)
2. Disable anonymous access for a directory by using an authorization rule.
3. Configure the Windows user accounts on your web server (if they aren’t
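The forms-authentication web.config referred to above ("as described earlier") and steps 1 and 2 of the Windows-authentication procedure, as one added example that is not a listing from the book; the page name Login.aspx comes from the text, and the protected folder name Secured is an assumption:

```xml
<?xml version="1.0"?>
<!-- Added example, not the book's own listing. Assumes the login page is
     Login.aspx (from the text) and that the protected folder is named Secured. -->
<configuration>
  <system.web>
    <!-- Forms authentication: ASP.NET redirects unauthenticated requests to
         loginUrl. requireSSL keeps the authentication cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="30" requireSSL="true" />
    </authentication>
    <!-- "?" stands for anonymous users; denying them forces a login for every
         page. Without such a rule, forms authentication never prompts anyone. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Windows authentication variant (step 1): replace the <authentication>
       element above with   <authentication mode="Windows" />   and drop the
       site-wide <authorization> block. There is no login page; IIS checks the
       user against a local Windows account before ASP.NET runs.
       Step 2: deny anonymous users only inside the Secured folder, so the rest
       of the site stays public while that directory requires a Windows login. -->
  <location path="Secured">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Step 3 (creating the Windows accounts) happens on the server, not in web.config.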