Windows Authentication will verify the user exists in AD. If you want to verify they exist in your user table, you can use a custom attribute (I'm using Entity Framework):
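using System.Linq;
using System.Web;
using System.Web.Mvc;

public class AuthorizeDB : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null || httpContext.User == null)
            return false;
        var name = httpContext.User.Identity.Name;
        // MVC may reuse attribute instances across requests and DbContext is not
        // thread-safe, so create the context per call instead of keeping it in a field.
        using (var db = new ProjectDB())
        {
            // Authorized only if the Windows account has a row in the user table.
            return db.Users.Any(u => u.UserName == name);
        }
    }
}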
and decorate your classes with [AuthorizeDB] or set it for the entire application. The User.Identity.Name will come in as Domain\Username.
If you're using custom Roles within your application, it should be about the same as any other type of authentication. Link a user with a role and then validate the roles they are in.
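The role check described above, sketched as an added example that is not part of the original answer: it extends the same attribute idea to honour the Roles property against the application's own tables. ProjectDB and Users come from the answer; the User.Roles navigation property, the Role.Name column and the class name AuthorizeDbRoleAttribute are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example. Assumes ProjectDB is an Entity Framework DbContext and that
// each user row has a hypothetical Roles collection whose items expose Name.
public class AuthorizeDbRoleAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null || httpContext.User == null)
            return false;

        var identity = httpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        var name = identity.Name; // "Domain\Username" under Windows Authentication

        // Roles is the comma-separated string set via [AuthorizeDbRole(Roles = "Admin,Editor")].
        var required = (Roles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToList();

        using (var db = new ProjectDB())
        {
            // No roles requested: fall back to "user exists in the table".
            if (required.Count == 0)
                return db.Users.Any(u => u.UserName == name);

            // Otherwise the user must hold at least one of the requested roles.
            return db.Users.Any(u => u.UserName == name &&
                                     u.Roles.Any(r => required.Contains(r.Name)));
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Known to AD but not permitted here: answer 403 instead of the default 401,
        // which under Windows Authentication makes the browser ask for credentials again.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Because the comparison is an exact match on User.Identity.Name, the user table has to store names in the same Domain\Username form.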