Web Forms Windows Authentication w/ Remote SQL Database


I have an ASP.NET 4.0 web application that uses Windows Authentication against AD and a SQL Server for Role management.

Basically, I want all users who have an AD account to be able to access the application, but I want to further secure the app using roles in SQL Server. I do not want users to have to enter in their passwords for authentication.

Is it viable for me to check authentication in the Global Application_Start method, or should I be executing this code elsewhere?


There are 2 best solutions below

3

After further research I found "Application_AuthenticateRequest", which I think will serve my purposes of using Windows Authentication and SQL Server role configuration.

    // Requires: using System; using System.Collections.Generic; using System.Linq; using System.Web;
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            // just grab the username without domain info
            string[] arrTmp = HttpContext.Current.User.Identity.Name.Split('\\');
            string username = arrTmp[arrTmp.Length - 1];

            // Create an array of role names
            List<String> arrlstRoles = new List<String>();

            // work-around
            if (username == "fakename")
                arrlstRoles.Add("Admin");

            // Add the roles to the User Principal
            HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(User.Identity, arrlstRoles.ToArray<String>());
        }
    }
0

Application_Start is only fired once when the Application itself is initialized. HttpContext.Current.User will contain details of the user making the HTTP request that caused IIS to initialize the application.

Instead, use Application_BeginRequest, which is raised for every incoming request; however, ideally you should check authorization (not authentication) when the web application intends to perform an action, not preemptively on every request.
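
The following is an added example, not code from either answer: it replaces the hard-coded role in the first answer with a parameterized SQL Server lookup and adds an authorization check made at the point of action, as the second answer recommends. The connection string name `RolesDb`, the table `dbo.UserRoles(UserName, RoleName)` and the helper `DemandRole` are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: "RolesDb" and dbo.UserRoles(UserName, RoleName) are hypothetical names.
    private static string[] LoadRoles(string accountName)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["RolesDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT RoleName FROM dbo.UserRoles WHERE UserName = @user", conn))
        {
            // Parameterized: the account name is never concatenated into the SQL text.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = accountName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        return roles.ToArray();
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
            return;

        // Keep the identity established by Windows Authentication; only the roles change.
        // The full DOMAIN\user name is the lookup key, so same-named accounts in
        // different domains do not share roles.
        IIdentity identity = Context.User.Identity;
        Context.User = new GenericPrincipal(identity, LoadRoles(identity.Name));
    }

    // Authorization check at the point of action, e.g. called from a page's code-behind.
    public static void DemandRole(string role)
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null || !user.IsInRole(role))
            throw new HttpException(403, "Forbidden");
    }
}
```

As written, the lookup runs one query per authenticated request; a short-lived per-user cache reduces that load at the cost of delayed role revocation.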