For a general view on ASP.NET authentication and authorization, this is a really good one:
ASP.NET authentication and authorization
- In this scenario IP-based security is not an option for several reasons.
- If all users are from an NT domain (Active Directory), then you can simply assign AD users and security groups to IIS applications and folders. But this approach is merely good for some static access restriction, like "other than these can not get there at all".
- If you need some sort of dynamic authentication and authorization in the application, and this is most likely the case in a company, the ASP.NET answer to it is MembershipProvider and RoleProvider. You can still use NTLM/Kerberos if all are domain users, but you can use forms authentication as well. And that has really good support by default. Read this article:
http://www.4guysfromrolla.com/articles/120705-1.aspx
- If you need more, you can make your own MembershipProvider and RoleProvider, that can go from simple ones to really complex ones depending on your need.