NGWS SDK Documentation  

This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!

ASP+ Data Flow

There are a number of different ways to design security into ASP+ applications, depending on the preferences of the designer. This section shows the security data flow for one of the more common scenarios.

Scenario 1 - Impersonation

In this scenario the ASP+ application itself contains little or no security code; instead it relies on IIS authentication and Windows NT file access security (NTFS permissions) to decide who may reach which resource. The data flow is shown in the following illustration:

As shown in this illustration, the sequence of events is as follows:

  1. A request for access comes in to IIS from a network client.
  2. IIS authenticates the client using Windows NT NTLM authentication.
  3. If the client is authenticated, IIS hands the authenticated request, together with the client's access token, over to ASP+. (If anonymous access is also enabled on the virtual directory, an unauthenticated request is still passed to ASP+, carrying the token of the IIS anonymous user account rather than that of a named client.)
  4. The ASP+ application impersonates the requesting client (using the access token passed from IIS) and relies on NTFS file permissions to grant or deny access. The only requirement on the application side is to verify that the "impersonation enabled" directive in the ASP+ configuration file is set to true (the default); no ASP+ security code needs to be written.

    Notice that if impersonation is not enabled, the application runs with a "Local Machine" identity. Access Control Lists (ACLs) on the machine normally grant that identity access, so NTFS permissions alone no longer restrict which authenticated client reaches a resource: every request runs with the application's own rights, whoever sent it. If you want to restrict access, the ACLs must be tightened up or some other means of authorization, such as URL authorization, must be used.

    For more details on using impersonation in ASP+ applications, see the Impersonation section later in this document.

  5. If access is granted, the ASP+ application returns the requested page through IIS.
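As an added example (not part of the NGWS SDK documentation), the following ASP+ page checks whether the scenario above is actually in effect for a request: it compares the identity IIS authenticated with the Windows identity the request thread runs as, and then opens a file so that the NTFS access check in step 4 happens under that identity and the result is reported. It assumes the page model and the System.Security.Principal.WindowsIdentity, Page.User and Response members as they appear in the later .NET Framework, which may differ in name in the NGWS preview; the file path is a placeholder chosen for the example.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Hypothetical file protected only by its NTFS ACL (assumption for this example).
    const string ProtectedFile = @"C:\inetpub\wwwroot\secure\report.txt";

    // Steps 2 and 3: the client identity IIS authenticated and handed to ASP+.
    string AuthenticatedCaller() {
        return User.Identity.IsAuthenticated ? User.Identity.Name : "(anonymous)";
    }

    // Step 4: the Windows identity this request's thread actually runs as.
    // With impersonation enabled it is the caller; with it disabled it is the
    // worker process account (the "Local Machine" identity in the text above).
    string EffectiveIdentity() {
        return WindowsIdentity.GetCurrent().Name;
    }

    bool ImpersonationInEffect() {
        return User.Identity.IsAuthenticated
            && string.Compare(AuthenticatedCaller(), EffectiveIdentity(), true) == 0;
    }

    // Open the file under whatever identity is in effect and report the outcome
    // of the NTFS access check instead of letting the exception reach the client.
    string ProtectedFileAccess() {
        try {
            using (FileStream fs = File.OpenRead(ProtectedFile)) {
                return "granted (" + fs.Length + " bytes readable)";
            }
        } catch (UnauthorizedAccessException) {
            return "denied by NTFS ACL";
        } catch (FileNotFoundException) {
            return "file not found";
        }
    }

    void Page_Load(object sender, EventArgs e) {
        Response.ContentType = "text/plain";
        Response.Write("IIS-authenticated caller : " + AuthenticatedCaller() + "\n");
        Response.Write("Effective thread identity: " + EffectiveIdentity() + "\n");

        if (!User.Identity.IsAuthenticated) {
            // Step 2 did not happen: IIS let the request through anonymously, so there
            // is no client identity for ASP+ to impersonate in this scenario.
            Response.Write("NOTE: IIS did not authenticate this request; enable Windows NT "
                         + "authentication and disable anonymous access for this scenario.\n");
        } else if (ImpersonationInEffect()) {
            Response.Write("Impersonation is in effect; NTFS ACLs are checked against the caller.\n");
        } else {
            Response.Write("WARNING: impersonation is NOT in effect. The file access below runs "
                         + "with the application's own identity, so NTFS ACLs do not restrict "
                         + "which caller can read the file.\n");
        }

        Response.Write("Access to " + ProtectedFile + ": " + ProtectedFileAccess() + "\n");
    }
</script>
```

Place the page in the application directory and request it once with impersonation enabled and once with it disabled, each time as two Windows users with different rights on the protected file. The access line should change with the requesting user only when impersonation is in effect; if it reads "granted" for both users with impersonation disabled, the ACL is being evaluated against the application's identity, which is exactly the case the note under step 4 warns about.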