Click here to Skip to main content
13,143,185 members (59,488 online)
Click here to Skip to main content
Add your own
alternative version


11 bookmarked
Posted 6 Sep 2011

Authentication at the IIS Level

, 6 Sep 2011
Rate this:
Please Sign up or sign in to vote.
This post talks about the authentication procedure that can be done in IIS.


This post basically explains how an authentication can happen at the IIS level.


It all happened when I interviewed a guy with quite a good amount of experience, I then noted that many experienced guys lacked the so called basics. I remember asking him this question; “I would want to authenticate the user as a valid user even before the request hits the page, I don't want to use Forms or Windows authentication”. The answer I got back was terrible – the candidate replied saying the check can be done at either page_load or page_init.


In my post, I discussed about 2 main elements:

  1. HttpModule
  2. HttpHandler

For any request, the IIS first calls the HttpModule then the HttpHandler then the Page and then the HttpModule.

In your project, while designing on the asp pages, create a class which will inherit iHttpModule. This class will implement all the methods of HttpModule. Now put your authentication code at BeginRequest. For e.g., say your project stores important data persisted in cookies; send the cookie information alongside of the request. The following figure depicts how your request will fetch the page. The pipe represents the HttpModule and the HttpHandler.


Now, these checks that you see can be a call to the DB or to any authentication system or even to an Access Control Policy routine.

With the HttpModules being handy, we have the leverage to do anything before the request hits the page.

This goes on to say that while the page life cycle is complete-HttpModule can also help us in doing any operation under EndRequest; it can be a check for the response or anything.

You can have more security in place if you can leverage HttpModule’s: BeginRequest, AuthoriseRequest and EndRequest along with HttpHandler’s: ProcessRequest.


Basically to sum it up - this methodology gracefully carries our pipeline pattern. Hope you understood the Authentication at IIS. Please shoot your questions as comments and I will reply.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Architect Tesco
United Kingdom United Kingdom
No Biography provided

You may also be interested in...


Comments and Discussions

QuestionPlease give an example and some code Pin
Dan Mordechay8-Sep-11 1:00
memberDan Mordechay8-Sep-11 1:00 
AnswerRe: Please give an example and some code Pin
Sanjay JDM8-Sep-11 1:31
memberSanjay JDM8-Sep-11 1:31 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.170915.1 | Last Updated 6 Sep 2011
Article Copyright 2011 by s.jdm
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid